This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

How is netwitness meta key service populated?

Go to solution
RSAAdmin
Beginner
Beginner

‎2015-04-14 12:16 PM

Hi,

 

Is there a way to figure out Encrypted Communication?

 

Currently i am querying on "crypto exists" to pick encrypted traffic.

But i only see sessions on >service 443,22,25

However if i see mutiple >tcp.dstport values

 

Can you provide brief intro into how service is populated?

If there is a communication src:45673 -> dst:13022  (SSH Traffic)

Does this traffic records crypto as "aes256-cbc" and service is 22 ?


Currently i am assuming service is just populating alias for dstport for known services.

Please let me know if i am wrong.


Thanks,

Uma

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
RSAAdmin
Beginner
Beginner

‎2015-04-14 01:12 PM

Service is not just an alias for destination port.  Service is registered by parsers which determine that a session conforms to a particular protocol regardless of ports.

 

For example, if there is an HTTP session on a port other than 80, the HTTP parser will still register the service as HTTP for that session.  Likewise, if a session on port 80 is not HTTP then the HTTP parser will not register service as HTTP for that session.

 

Service meta itself is numeric, and those numbers correspond to the well-known port for that protocol.  But don't confuse those values with the port used for the session.

 

For example,

    service:  80

    tcp.dstport:  1234

 

    The value of service is "80", which will show up in the UI as "HTTP".  But the destination port

    is 1234.  So this was an HTTP session on port 1234.

 

Another,

    service:  22

    tcp.dstport:  80

 

    The value of service is "22", which will show up in the UI as "SSH".  But the destination port

    is 80.  So this was an SSH session on port 80.

View solution in original post

0 Likes
3 REPLIES 3

Go to solution
Anonymous
Not applicable

‎2015-04-14 12:35 PM

Uma, my understanding is that its populated by the network parsers bases on the expect port.  So if it decodes as ssh, it will be service=22, even if it's actually on a destination port of 13022, or even on port 80. I.e., service is the actual protocol in use, regardless of the port.

 

Equally confusingly, network parsers typically populate udp.dstport or tcp.dstport, but firewall parsers populate ip.dstport and protocol.  How we we supposed to correlate this stuff?

0 Likes

Go to solution
RSAAdmin
Beginner
Beginner

‎2015-04-14 01:12 PM

Service is not just an alias for destination port.  Service is registered by parsers which determine that a session conforms to a particular protocol regardless of ports.

 

For example, if there is an HTTP session on a port other than 80, the HTTP parser will still register the service as HTTP for that session.  Likewise, if a session on port 80 is not HTTP then the HTTP parser will not register service as HTTP for that session.

 

Service meta itself is numeric, and those numbers correspond to the well-known port for that protocol.  But don't confuse those values with the port used for the session.

 

For example,

    service:  80

    tcp.dstport:  1234

 

    The value of service is "80", which will show up in the UI as "HTTP".  But the destination port

    is 1234.  So this was an HTTP session on port 1234.

 

Another,

    service:  22

    tcp.dstport:  80

 

    The value of service is "22", which will show up in the UI as "SSH".  But the destination port

    is 80.  So this was an SSH session on port 80.

0 Likes

Go to solution
RSAAdmin
Beginner
Beginner
In response to RSAAdmin

‎2015-04-15 03:48 AM

Thanks Motley, That answers my question.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.