2014-08-21 04:29 PM
Hello, folks! How are you?
How can I get the ip.src value in a parser?
Thanks
2014-08-22 11:07 AM
If you look in /etc/netwitness/ng/envision/table-map.xml you will find all the mappings for parsers. IP.src is mapped to saddr in the parser.
2014-08-22 11:41 AM
Hello, Sean.
I don't have this file. My device is a packet decoder. Well, I'd like to compare two values with an if condition in the parser.
For example: If ip.src != my.another.parser then ...
Did you understand?
2014-08-22 11:55 AM
I am not familiar with packet parsers. But it looks like this could be done via an app rule.
2014-08-22 01:00 PM
I'm not sure, because the app or network rule compares two metadata values and not metadata keys.
For example, I need to inform the value that I want to compare.
2016-11-20 09:46 PM
If you have a value of ip.src you want to compare, you can create a custom Lua parser that operates on meta callback matching.
This is about how to create a Lua parser.
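A sketch of the meta-callback approach suggested in the last reply, added here as an example and not taken from any poster in this thread or from RSA. It assumes the NetWitness Lua parser API (`nw.createParser`, `setKeys`, `setCallbacks`, `nwlanguagekey.create`, `nw.createMeta`); the parser name, the alert value and the key `my.other.key` are hypothetical stand-ins for the second parser's meta key.

```lua
-- Added example: flag sessions where ip.src differs from the value
-- another parser registered under a second meta key.
-- "my.other.key" is a hypothetical key name; substitute the real one.
local parser = nw.createParser("ip_src_compare",
    "Compare ip.src with the value of another meta key")

-- Meta keys this parser may write.
parser:setKeys({
    nwlanguagekey.create("alert"),
})

-- Reset per-session state so values never leak between sessions.
function parser:sessionBegin()
    self.ipSrc   = nil
    self.other   = nil
    self.flagged = false
end

-- Compare only once both values have been seen; callback order is not assumed.
function parser:compare()
    if self.flagged or not self.ipSrc or not self.other then
        return
    end
    if self.ipSrc ~= self.other then
        nw.createMeta(self.keys["alert"], "ip_src_mismatch")
        self.flagged = true   -- register the alert once per session
    end
end

-- Meta callback: runs whenever ip.src meta is registered for the session.
-- Assumption: tostring() yields the dotted-quad form of the address.
function parser:onIpSrc(index, value)
    self.ipSrc = tostring(value)
    self:compare()
end

-- Meta callback for the second key, written by the other parser.
function parser:onOther(index, value)
    self.other = tostring(value)
    self:compare()
end

parser:setCallbacks({
    [nwevents.OnSessionBegin] = parser.sessionBegin,
    [nwlanguagekey.create("ip.src", nwtypes.IPv4)] = parser.onIpSrc,
    [nwlanguagekey.create("my.other.key", nwtypes.Text)] = parser.onOther,
})
```

The second key must be written by a parser that runs on the same decoder, and both values must use the same textual representation for the comparison to be meaningful.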