2017-08-31 08:33 PM
Rui Ataide posted a useful Python script to query Broker or Concentrator metadata from the command line (nwsdk_csv.py, latest version 2016). To make this Python script easier to use, I wrote a shell script that serves as a simple interface to it.
Before you can run netwitness_sdk.sh, you need to download nwsdk_csv.py, copy it to a Linux workstation (e.g. /usr/local/bin) and make it executable (chmod 755 nwsdk_csv.py).
Next, edit the netwitness_sdk.sh script, set the default Broker or Concentrator you want the script to point to by changing the IP address of the system and the account you want to use to query the metadata, and save the changes.
The shell script has 5 options. It asks 3 questions before it queries NetWitness metadata:
- What you want to query (e.g. ip.src=192.168.1.254 && service=80)
- Time range (e.g. time='2017-2-20 00:00:00'-'2017-2-21 00:00:00')
- Meta you want in the output (e.g. ip.src,service --top=10)
Note: Output is saved to a CSV file in comma-delimited format, for example:
ip.src,service,count
10.208.165.109,0,6
10.208.28.54,0,4
192.168.42.11,0,10
10.68.79.182,0,3
The script can also take a list (one item per line), which it parses in succession, saving each result to a CSV file with the file name supplied in the list.
For the last 2 options (service 53 and 80), the meta output is already set in the script, but you can modify it to whatever output format you want.