Article Number
000001800
Applies To
RSA Product Set: Security Analytics, NetWitness Logs & Network
RSA Product/Service Type: NetWitness UI
RSA Version/Condition: 10.x, 11.x
Platform: CentOS
O/S Version: 6, 7
Issue
How to find the RSA NetWitness database files on brokers, concentrators, and decoders that contain a particular session.
Resolution
The instructions below outline how you can find the database files containing a particular RSA NetWitness Session in concentrator and decoder appliances. In the examples below, assume that RSA NetWitness Investigator is connected to a broker which connects to concentrator(s) and decoder(s), and that a session with SessionID = 2171347267 is seen in the session content view.
(NOTE: If the session you wish to locate was found while investigating directly on the concentrator, Task 1 below may be skipped.)
Task 1: Find which concentrator stored the session and the concentrator's corresponding Session ID.
- Navigate to the Explore view of the broker against which the investigation took place in the RSA NetWitness UI. This can be done by navigating to Admin/Administration > Services > broker > View > Explore.
- Right-click on the sdk node and select Properties.
- In the lower pane, select deviceId from the drop-down menu.
- In the Parameters field, type session=<sessionID>, where <sessionID> is the Session ID that you wish to locate. In this example, session=2171347267 would be entered.
- Click on the Send button.
- Examine the Response Output window for output that appears similar to the following:
[device: 10.25.53.21:50005
session: 431421651 ]
The output above gives the IP address of the concentrator that stored the session (10.25.53.21 in this example) and the corresponding Session ID on that appliance (431421651 in this example).
Task 2: Find the session and meta database files for a particular session on the concentrator appliance.
- Navigate to the Explore view of the concentrator identified in Task 1 in the RSA NetWitness UI. This can be done by navigating to Admin/Administration > Services > concentrator > View > Explore.
- Right-click on the database node and select Properties.
- In the lower pane, select dump from the drop-down menu.
- In the Parameters field, type session=<sessionID> type=db, where <sessionID> is the Session ID you wish to locate. In this example, session=431421651 type=db would be entered.
- Click on the Send button.
- Examine the Response Output window for output that appears similar to the following:
[ SessionData=1
dbFile=/var/netwitness/concentrator/sessiondb/session-000000161.nwsdb ]
[ session.id=431421651 appType=0 created="12/31/1969 19:00:00" dataSize=19142
payloadSize=16610 metaId1=12483613159 metaId2=12483613256 packetId1=0 packetId2=0
packetCount=38 flags=keep,assemble,appmeta,netmeta,parsed,2sided,side1client, ]
[ MetaArray=98 dbFile=/var/netwitness/concentrator/metadb/meta-000000304.nwmdb ]
.....
The output above provides the following:
- The filename of the sessiondb file on the concentrator. In this example, the filename is /var/netwitness/concentrator/sessiondb/session-000000161.nwsdb.
- The filename of the metadb file on the concentrator. In this example, the filename is /var/netwitness/concentrator/metadb/meta-000000304.nwmdb.
Task 3: Find which decoder stored the session and the decoder's corresponding Session ID.
- Navigate to the Explore view of the concentrator against which the investigation took place in the RSA NetWitness UI. This can be done by navigating to Admin/Administration > Services > concentrator > View > Explore.
- Right-click on the sdk node and select Properties.
- In the lower pane, select deviceId from the drop-down menu.
- In the Parameters field, type session=<sessionID>, where <sessionID> is the Session ID you wish to locate. In this example, session=431421651 would be entered, which is the same Session ID that was entered during Task 2.
- Click on the Send button.
- Examine the Response Output window for output that appears similar to the following:
[device: 10.25.53.13:50004
session: 107235453 ]
The output above gives the IP address of the decoder that stored the session (10.25.53.13 in this example) and the corresponding Session ID on that appliance (107235453 in this example).
Task 4: Look up the session and meta database files for a particular session on the decoder appliance.
- Navigate to the Explore view of the decoder identified in Task 3. This can be done by navigating to Admin/Administration > Services > decoder > View > Explore.
- Right-click on the database node and select Properties.
- In the lower pane, select dump from the drop-down menu.
- In the Parameters field, type session=<sessionID> type=db, where <sessionID> is the Session ID you wish to locate. In this example, session=107235453 type=db would be entered.
- Click on the Send button.
- Examine the Response Output window for output that appears similar to the following:
[ SessionData=1 dbFile=/var/netwitness/decoder/sessiondb/session-000000055.nwsdb ]
[ session.id=107235453 appType=0 created="8/02/2012 16:10:40" updated="8/02/2012 16:10:41"
packetSize=19142 payloadSize=16610 metaId1=2992639921 metaId2=2992640016 packetId1=14950963933
packetId2=14950977483 packetCount=38 flags=keep,assemble,appmeta,netmeta,parsed,2sided,side1client, ]
[ MetaArray=96 dbFile=/var/netwitness/decoder/metadb/meta-000000085.nwmdb ]
.....
[ PacketArray=38 dbFile=/var/netwitness/decoder0/packetdb/packet-000001963.nwpdb ]
.....
The output above provides the following:
- The filename of the sessiondb file on the decoder. In this example, the filename is /var/netwitness/decoder/sessiondb/session-000000055.nwsdb.
- The filename of the metadb file on the decoder. In this example, the filename is /var/netwitness/decoder/metadb/meta-000000085.nwmdb.
- The filename of the packetdb file on the decoder. In this example, the filename is /var/netwitness/decoder0/packetdb/packet-000001963.nwpdb.
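The Explore responses shown in Tasks 1 through 4 have a regular shape, so the lookup chain can be checked mechanically. The following Python is an added example and is not part of this article or of any RSA tool; it parses the deviceId and dump Response Output, verifies that the dump on an appliance reports the same session.id that deviceId returned, and checks each dbFile against the extensions in the Notes table. The sample responses are constructed from the decoder output in Tasks 3 and 4 above.

```python
import re

# Expected file extension per database type (from the article's Notes table).
DB_EXTENSIONS = {"SessionData": ".nwsdb", "MetaArray": ".nwmdb", "PacketArray": ".nwpdb"}

def parse_device_response(text):
    """Parse sdk -> deviceId output, e.g. '[device: 10.25.53.21:50005\\nsession: 431421651 ]'.
    Returns (device, session_id) for the next appliance down the chain."""
    m = re.search(r"device:\s*(\S+)\s+session:\s*(\d+)", text)
    if not m:
        raise ValueError("no device/session pair in deviceId response")
    return m.group(1), int(m.group(2))

def parse_dump_response(text):
    """Parse database -> dump output (session=<id> type=db).
    Returns {'session.id': int, 'files': {SessionData|MetaArray|PacketArray: path}}."""
    result = {"session.id": None, "files": {}}
    for block in re.findall(r"\[(.*?)\]", text, re.S):   # one [ ... ] block at a time
        fields = dict(re.findall(r'(\S+?)=("[^"]*"|\S+)', block))
        if "session.id" in fields:
            result["session.id"] = int(fields["session.id"])
        for kind, ext in DB_EXTENSIONS.items():
            if kind in fields and "dbFile" in fields:
                path = fields["dbFile"]
                if not path.endswith(ext):   # sanity check against the Notes table
                    raise ValueError(f"{kind} file {path} should end with {ext}")
                result["files"][kind] = path
    return result

def trace_session(device_resp, dump_resp):
    """Tie one hop together: deviceId names the appliance and its Session ID;
    the dump run on that appliance must report the same session.id."""
    device, sid = parse_device_response(device_resp)
    dump = parse_dump_response(dump_resp)
    if dump["session.id"] != sid:
        raise ValueError(f"dump is for session {dump['session.id']}, expected {sid}")
    return {"device": device, "session": sid, "files": dump["files"]}

# Constructed sample responses, copied from the article's Task 3 and Task 4 examples.
DECODER_DEVICE_RESP = "[device: 10.25.53.13:50004\nsession: 107235453 ]"
DECODER_DUMP_RESP = """[ SessionData=1 dbFile=/var/netwitness/decoder/sessiondb/session-000000055.nwsdb ]
[ session.id=107235453 appType=0 created="8/02/2012 16:10:40" updated="8/02/2012 16:10:41"
packetSize=19142 payloadSize=16610 metaId1=2992639921 metaId2=2992640016 packetId1=14950963933
packetId2=14950977483 packetCount=38 flags=keep,assemble,appmeta,netmeta,parsed,2sided,side1client, ]
[ MetaArray=96 dbFile=/var/netwitness/decoder/metadb/meta-000000085.nwmdb ]
.....
[ PacketArray=38 dbFile=/var/netwitness/decoder0/packetdb/packet-000001963.nwpdb ]
....."""
```

Calling trace_session(DECODER_DEVICE_RESP, DECODER_DUMP_RESP) returns the decoder address, its Session ID, and the three database file paths from Task 4; pasting the concentrator responses from Tasks 1 and 2 into the same functions resolves the previous hop.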
Notes
The table below lists the file extension of each database file by appliance.
Appliance             | Database  | Extension
Decoder / Log Decoder | packetdb  | .nwpdb
Decoder / Log Decoder | metadb    | .nwmdb
Decoder / Log Decoder | sessiondb | .nwsdb
Concentrator          | metadb    | .nwmdb
Concentrator          | sessiondb | .nwsdb
NOTE: For any given session, the decoder, concentrator, and broker maintain their own Session IDs, which may be different.
If this does not solve your issue, please open a case with RSA Technical Support and reference this article so that we may better assist you.