2013-08-19 09:14 AM
I'm trying to write a simple flex parser for NetWitness 9.8 which will find the string "client:" in HTTP traffic and then return the IP address that follows that string.
I've run into a few questions regarding this parser; it would be great if anyone could contribute from their experience.
1. I've seen examples of retrieving a set number of characters following a specific string, but an IP address can be between 7 and 15 characters.
2. There is no point in applying my parser to all the traffic in the network; I need it to run only on very specific traffic (one subnet, port 80). Is there a way to specify that in my parser, perhaps?
3. This string repeats itself many times in every session, with an identical value per session. Would the parser stop once it found the first value or continue to run through the whole session?
Itay
2013-08-19 02:45 PM
I'm not too sure what you are trying to detect, but yes, you can extract an IP or any other text string variable from a session for a specific service, port or other parameter you specify. And yes, you can make it stop searching after a match. Do you have a sample pcap of what you are trying to key on?
2013-08-20 03:29 AM
Nothing I can send out, unfortunately, but the packet contains a string like "Client-ip:10.0.0.1" either followed by additional info ("GET" for example) or at the end of the packet.
2013-08-22 10:03 AM
Is this a proxy X-Forwarded-For: like header? I know certain proxies use Client-IP instead.
If that's the case, there is an xforwadedfor parser in NWLive content that might help you. I'm not sure if it actually also looks at the Client-IP as an option, I believe it does.
To answer your other question, again if the data you have is an HTTP header then the line would be terminated with a <newline> so what you can do is find the relative position of the 0x0d character and then read a string of that length.
Something like the lines below after your token match statement.
<find name="Len" value="&#13;" length="25" />
<read name="clientIP" length="$Len" />
Hope that helps!
Regards,
Rui
2013-08-22 11:54 AM
It's very similar; it looks like the x-forwarded parser would be just the thing, but I couldn't figure out how to find out if it has options and how to set them if it does.
I might be going about it the wrong way, but I've been trying to use Investigator to test out the parser I tried writing and I always get an empty report for that value. This is what I've done based on the samples I have for parsers and your suggestion:
defined a key:
defined the parser:
<parser name="C_ip" desc="track C_ip">
<declaration>
<token name="ipaddress" value="Client-ip:" options="linestart" />
<string name="Ipstring" scope="stream"/>
<meta name="clientip" key="cl.ip" format="text"/>
</declaration>
<match name="ipaddress">
<find name="EOL" value="&#13;" length="25" />
<read name="Ipstring" length="$EOL" >
<register name="clientip" value="$Ipstring"/>
</read>
</match>
</parser>
Then I open Investigator and open a local collection into which I imported a pcap file with the relevant packets.
2013-08-22 12:13 PM
Looks OK, except I don't see EOL declared as a number. Is that the entire parser?
Also don't forget the <parsers> </parsers> around your parser in your file.
Look at the logs; any errors should show up there. They are under Help->Show Log.
The X-Forwarded-For Parser will put the relevant info in the orig_ip meta which is "<key description="Originating IP Address" level="IndexKeys" name="orig_ip" />" in Investigator. Currently there is no way of passing parameters/options to parsers.
Hope that helps!
Regards,
Rui
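As an added example (not code from the thread, and not a NetWitness flex parser), the following Python emulates the find/read logic Rui describes and that Itay's parser attempts: locate the token at line start, find the 0x0d that ends the header line within a 25-byte window, read that many bytes, and stop at the first hit. The sample session, the truncated packet and the token name are constructed for the example. It also validates that what it read is a dotted-quad IPv4 address, which covers the 7-to-15 character question, and it shows what happens when the header is the last thing in the packet with no CR after it (the flex find would fail there; the emulation falls back to the rest of the window, which is an addition of this example). One caveat for the XML itself: the 0x0d should be written as the character reference &#13;, because a literal CR inside an attribute value is normalized to a space by any conforming XML parser.

```python
import ipaddress

CR = b"\r"  # the 0x0d byte that ends an HTTP header line

# Constructed sample session (not captured traffic): two requests in one TCP
# stream, each carrying the proxy header the thread describes. The value is
# identical in both, and a "Client-ip:" appearing mid-line must be ignored.
SAMPLE_SESSION = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Client-ip:10.0.0.1\r\n"
    b"User-Agent: test Client-ip:192.0.2.99\r\n"
    b"\r\n"
    b"GET /favicon.ico HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Client-ip:10.0.0.1\r\n"
    b"\r\n"
)

# Constructed packet whose last bytes are the header, with no terminating CR.
SAMPLE_TRUNCATED = b"GET / HTTP/1.1\r\nHost: h\r\nClient-ip:172.16.254.254"


def find_offset(data, pos, needle, window):
    """Emulates <find name=... value=... length=...>: returns the offset of
    `needle` relative to `pos`, looking at most `window` bytes ahead, or None
    when it is not in the window (the flex find would fail and the dependent
    <read> would not run)."""
    idx = data.find(needle, pos, pos + window)
    return None if idx < 0 else idx - pos


def at_line_start(data, idx):
    """Emulates options="linestart": the token must begin the stream or
    directly follow a LF."""
    return idx == 0 or data[idx - 1:idx] == b"\n"


def parse_ipv4(raw):
    """Accepts only a dotted-quad IPv4 address (7 to 15 characters); returns
    its canonical string or None."""
    try:
        return str(ipaddress.IPv4Address(raw.strip().decode("ascii")))
    except (UnicodeDecodeError, ValueError):
        return None


def extract_client_ips(data, token=b"Client-ip:", window=25, first_only=True):
    """Walks one session and returns the IPs found after `token` at line
    start. The value length comes from the position of the CR, so it can be
    anything up to the search window. With first_only=True the walk stops at
    the first valid hit, which is what you want when every repeat of the
    header in a session carries the same value."""
    hits = []
    pos = 0
    while True:
        idx = data.find(token, pos)
        if idx < 0:
            break
        pos = idx + len(token)
        if not at_line_start(data, idx):
            continue
        length = find_offset(data, pos, CR, window)
        if length is None:
            # No CR within the window: the flex parser would register nothing
            # here. This emulation takes the remaining bytes of the window so
            # the "header is the last thing in the packet" case still yields
            # a value, which the validation below still has to accept.
            candidate = data[pos:pos + window]
        else:
            candidate = data[pos:pos + length]
        ip = parse_ipv4(candidate)
        if ip is None:
            continue
        hits.append(ip)
        if first_only:
            break
    return hits


if __name__ == "__main__":
    print(extract_client_ips(SAMPLE_SESSION))                    # first hit only
    print(extract_client_ips(SAMPLE_SESSION, first_only=False))  # every line-start hit
    print(extract_client_ips(SAMPLE_TRUNCATED))                  # header at end of packet
```

Run it as a script to see the three cases; the mid-line "Client-ip:192.0.2.99" is skipped because the linestart emulation rejects it, which is the same reason the `options="linestart"` token in the thread's parser will not fire on that occurrence.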