2016-02-09 11:41 AM
Hello,
I want to use the NwConsole's /sdk/ packets command to obtain raw packet logs fast. The REST method did not work.
The problem is that I need to process the output as a stream rather than reading the file in the pathname argument later due to very large volume; essentially I want to do:
nwconsole -c login -c sdk/packets | grep ....
I've tried to make use of FIFO files in append mode, but that doesn't work.
2016-02-11 04:22 AM
Hi Smelkovs
NwConsole is not a REST API; it supports NW SDK queries.
If you want to stream back packets where you know the session IDs,
try this at a shell command prompt.
This will find the session(s) and write them into a pcap file.
#> NwConsole -c sdk open nw://<id>:<password>@localhost -c sdk output /root/ -c sdk content sessions=<sessionids comma separated> render=pcap
This will save files for the sessions you specified.
Is this what you exactly want?
2016-02-11 08:12 AM
Hi Kenny,
Thanks for your reply, but saving packets to disk is exactly what I don't want to do. Essentially, I need to extract a very large volume of logs - 180 days' worth from the RSA SA, but I only need a subset of everything. Filtering using query filters is too slow - it takes 2 minutes to extract 1 minute's worth of data. As it is impractical to save all this volume to disk even in portions, I was contemplating getting the output, processing it using grep|bzip2... and then outputting only the bits that I want. Unfortunately, NwConsole only saves to disk.
Regardless, I have implemented a utility that does the equivalent of -c 'login' -c 'cd /sdk' -c 'packets time1....' command and outputs the data to either stdout for processing or disk.
For adventurous users, you can use it at your own peril: GitHub - truekonrads/pynwconsole: Python netwitness/rsa security analytics binary protocol console
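The consumer side of the pipeline the thread is after, as an added example that is not code from the thread, from NetWitness, or from pynwconsole: a streaming pcap filter that reads classic pcap records (the format `render=pcap` produces) from stdin, a pipe or a FIFO as they arrive, keeps only packets matching a predicate, and re-emits a valid pcap stream for the next stage (grep-style selection before bzip2), so the full capture never has to sit on disk. It assumes the producer writes sequential pcap to the pipe; whether NwConsole can be made to do that is the open question above. The sample capture is constructed in memory and the addresses (10.0.0.5 and so on) are placeholders; the script name pcapfilter.py in the usage note is hypothetical.

```python
"""Streaming pcap filter: read records from a pipe/FIFO/stdin, keep only
packets a predicate accepts, write a valid pcap stream to the next stage."""
import io
import socket
import struct
import sys

GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16
LINKTYPE_ETHERNET = 1
# pcap magic as it appears on the wire -> struct byte-order prefix
MAGIC_ENDIAN = {
    b"\xd4\xc3\xb2\xa1": "<",  # 0xa1b2c3d4 little-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # 0xa1b23c4d little-endian, nanosecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microseconds
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanoseconds
}


def _read_exact(stream, n):
    """Read exactly n bytes; a short result means the producer hit EOF."""
    buf = b""
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def read_global_header(stream):
    """Return (raw header, byte-order prefix, snaplen, linktype)."""
    hdr = _read_exact(stream, GLOBAL_HDR_LEN)
    if len(hdr) < GLOBAL_HDR_LEN:
        raise ValueError("truncated pcap global header")
    endian = MAGIC_ENDIAN.get(hdr[:4])
    if endian is None:
        raise ValueError("not a pcap stream, magic %r" % hdr[:4])
    # magic, version major, version minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", hdr)
    return hdr, endian, snaplen, linktype


def iter_records(stream, endian, snaplen):
    """Yield (record header bytes, packet bytes); stop cleanly on a truncated tail."""
    while True:
        rec_hdr = _read_exact(stream, RECORD_HDR_LEN)
        if len(rec_hdr) < RECORD_HDR_LEN:
            return
        _ts_sec, _ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", rec_hdr)
        if snaplen and incl_len > snaplen:
            raise ValueError("incl_len %d exceeds snaplen %d, corrupt stream" % (incl_len, snaplen))
        data = _read_exact(stream, incl_len)
        if len(data) < incl_len:
            return  # producer stopped mid-record: drop the partial packet
        yield rec_hdr, data


def ipv4_endpoint_matcher(wanted_ip):
    """Predicate: Ethernet/IPv4 frame whose source or destination is wanted_ip."""
    wanted = socket.inet_aton(wanted_ip)

    def match(data, linktype):
        if linktype != LINKTYPE_ETHERNET or len(data) < 34:  # 14 eth + 20 min IPv4
            return False
        if data[12:14] != b"\x08\x00" or data[14] >> 4 != 4:  # EtherType and version
            return False
        return data[26:30] == wanted or data[30:34] == wanted

    return match


def filter_pcap(in_stream, out_stream, predicate):
    """Copy the global header, then only accepted records. Returns (seen, kept)."""
    hdr, endian, snaplen, linktype = read_global_header(in_stream)
    out_stream.write(hdr)
    seen = kept = 0
    for rec_hdr, data in iter_records(in_stream, endian, snaplen):
        seen += 1
        if predicate(data, linktype):
            out_stream.write(rec_hdr + data)
            out_stream.flush()  # hand it to the next pipe stage right away
            kept += 1
    return seen, kept


def filter_bytes(pcap_bytes, predicate):
    """Convenience wrapper over in-memory input: returns (seen, kept, output bytes)."""
    out = io.BytesIO()
    seen, kept = filter_pcap(io.BytesIO(pcap_bytes), out, predicate)
    return seen, kept, out.getvalue()


def build_sample_pcap():
    """Constructed input (not a real capture): three 42-byte Ethernet/IPv4 frames."""
    def frame(src, dst):
        eth = b"\x00" * 12 + b"\x08\x00"
        ip = bytes([0x45, 0]) + struct.pack(">HHHBBH", 28, 0, 0, 64, 17, 0)
        ip += socket.inet_aton(src) + socket.inet_aton(dst)
        return eth + ip + b"\x00" * 8  # zeroed UDP header as payload
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    flows = [("10.0.0.5", "192.0.2.9"), ("192.0.2.9", "198.51.100.1"), ("198.51.100.1", "10.0.0.5")]
    for i, (src, dst) in enumerate(flows):
        pkt = frame(src, dst)
        out += struct.pack("<IIII", 1455000000 + i, 0, len(pkt), len(pkt)) + pkt
    return out


def demo(wanted_ip="10.0.0.5"):
    """Run the filter over the constructed sample; two of three frames involve 10.0.0.5."""
    return filter_bytes(build_sample_pcap(), ipv4_endpoint_matcher(wanted_ip))


if __name__ == "__main__":
    # pcap in on stdin, filtered pcap out on stdout, counters on stderr
    target = sys.argv[1] if len(sys.argv) > 1 else "10.0.0.5"
    n_seen, n_kept = filter_pcap(sys.stdin.buffer, sys.stdout.buffer, ipv4_endpoint_matcher(target))
    print("seen=%d kept=%d" % (n_seen, n_kept), file=sys.stderr)
```

Wired into a pipeline it reads like `producer | python3 pcapfilter.py 10.0.0.5 | bzip2 > subset.pcap.bz2`, or `python3 pcapfilter.py 10.0.0.5 < /path/to/fifo` when the producer can be pointed at a FIFO. The filter flushes after every kept record and stops cleanly when the producer ends mid-record, so a killed or time-limited extraction still leaves a readable pcap; swap `ipv4_endpoint_matcher` for any `(data, linktype)` predicate to select on other fields.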