This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Working with small pcap files

Go to solution
RSAAdmin
Beginner
Beginner

‎2012-12-27 07:33 AM

Hello,

I'm pretty new to investigator, and I'm encountering difficulties while working with very small pcap files.

The pcap files are created elsewhere, and sometimes they are very small, even just a few KBs, and have a very small number of packets in them.

Regardless of their size, I need to search these files for specific strings, and I wanted to do that using Investigator's search features.

But, when I load these files to a collection, Investigator just return an empty report and doesn't find anything when searching.

When loading the same files with Wireshark I can search the packets.

What can I do to make it work with Investigator?

 

Thanks.

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
RSAAdmin
Beginner
Beginner
In response to RSAAdmin

‎2013-01-09 06:34 PM

More than likely, the freeware version is older than the enterprise version.  You may have stumbled on a bug that has been fixed in the enterprise version or the enterprise version has support for your pcap and the freeware does not.

 

What is the reported version on the freeware and enterprise Investigator you are using?  You can get that from the Help | About menu.  Also, what type of pcap are you loading?

View solution in original post

0 Likes
3 REPLIES 3

Go to solution
RSAAdmin
Beginner
Beginner

‎2012-12-27 11:26 AM

Sorry to hear that you are having issues with Investigator.  There are no specific steps that you need to take with Investigator when working with small pcaps.  You can check the application log file from the Help menu for possible error messages.  Also, Investigator only supports packets with an outer Ethernet, 802.11, or SLL (Linux cooked capture) frame.  You can try importing a know supported pcap (such as http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=view&target=dns.cap) to validate that there are no issues with your installation of Investigator.

 

If you still have questions, feel free to include screenshots of Investigator and Wireshark.

0 Likes

Go to solution
RSAAdmin
Beginner
Beginner
In response to RSAAdmin

‎2012-12-30 12:40 AM

I tried opening these pcap files with both the enterprise version and the freeware version of Investigator.

With the enterprise version it works great like with any other file, but the freeware version keeps returning an empty report.    Why is that happening?

0 Likes

Go to solution
RSAAdmin
Beginner
Beginner
In response to RSAAdmin

‎2013-01-09 06:34 PM

More than likely, the freeware version is older than the enterprise version.  You may have stumbled on a bug that has been fixed in the enterprise version or the enterprise version has support for your pcap and the freeware does not.

 

What is the reported version on the freeware and enterprise Investigator you are using?  You can get that from the Help | About menu.  Also, what type of pcap are you loading?

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.