As explained in the knowledgebase article Why are RSA NetWitness Investigator session size and packet count values inaccurate?, the session size is only an estimate. However, users often want to drill into large sessions using Investigator, or to create reports based on session size using RSA NetWitness Informer.
You can create application rules on your decoder that alert on the size characteristics of sessions, and then query on the alert meta values those rules generate.
Multiple decoder rules can be created: one for sessions under a given size, one or several between different sizes, and one for a given size and above.
For example:
Where:
-u (greater than or equal to): 4000-u means everything >= 4000 (i.e. size = 4000-u)
l- (less than): l-4000 means everything below 4000 (i.e. size = l-4000)
Decoder App Rule 1
Decoder App Rule 2
Decoder App Rule 3
You can create these rules from Administrator under your decoder's settings -> Stats tab -> Adapters & Rules -> App Rules.
Each application rule above writes a meta value into the risk.info meta key, using the rule name as the meta value. For example, App Rule 3, 'Size greater 64k', creates a meta value called 'Size greater 64k' under the Investigator 'Risk Informational' report, which tags every session whose size meta value is greater than 64 KB.
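As an added example (not part of the RSA article), the following Python mimics how the decoder would evaluate these size expressions and checks that a set of bucket rules like the three above leaves no gap or double-tagging at the boundaries. The rule names other than 'Size greater 64k', the thresholds, and the inclusive 'N-M' range form are assumptions made for the example.

```python
import re

# Constructed sample rules in NetWitness app-rule syntax. Only 'Size greater 64k'
# is named in the article; the other names, the thresholds, and the inclusive
# 'N-M' range form (alongside the 'l-N' and 'N-u' forms shown) are assumptions.
SAMPLE_RULES = [
    ("Size less 4k", "size = l-4000"),
    ("Size 4k to 64k", "size = 4000-65535"),
    ("Size greater 64k", "size = 65536-u"),
]

_RULE_RE = re.compile(r"^\s*size\s*=\s*(l|\d+)-(u|\d+)\s*$")


def parse_size_rule(condition):
    """Return (low, high) inclusive bounds; None means unbounded on that side."""
    m = _RULE_RE.match(condition)
    if not m:
        raise ValueError(f"unsupported size rule: {condition!r}")
    low_s, high_s = m.groups()
    low = None if low_s == "l" else int(low_s)
    if high_s == "u":
        high = None
    elif low_s == "l":
        high = int(high_s) - 1  # 'l-N' is strictly below N
    else:
        high = int(high_s)      # assumed: 'N-M' includes M
    return low, high


def matches(condition, session_size):
    low, high = parse_size_rule(condition)
    return (low is None or session_size >= low) and (high is None or session_size <= high)


def risk_info_meta(rules, session_size):
    """Meta values the decoder would write to risk.info for a session of this size."""
    return [name for name, cond in rules if matches(cond, session_size)]


def check_partition(rules):
    """Map each probed size that is tagged zero or several times to its hits.
    Membership can only change at a rule threshold, so probing each threshold
    and its neighbours (plus size 0) is enough to find every gap or overlap."""
    probes = {0}
    for _, cond in rules:
        for bound in parse_size_rule(cond):
            if bound is not None:
                probes.update({bound - 1, bound, bound + 1})
    problems = {}
    for size in sorted(p for p in probes if p >= 0):
        hits = risk_info_meta(rules, size)
        if len(hits) != 1:
            problems[size] = hits
    return problems
```

An empty result from check_partition means every session size lands in exactly one rule, so the risk.info buckets can be reported on without double counting.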