Article Number
000001178
Applies To
RSA Product Set: RSA NetWitness Platform
RSA Product/Service Type: Security Analytics Server
RSA Version/Condition: 11.x
Issue
Why would you not see all packets that are captured within the time frame being searched but then see them after searching a few minutes earlier?
View of the beginning time frame from 10:00 to 10:10 AM, notice 10:02 AM packets are not there:
View of the additional packets from 10:00 AM to 10:10 AM when the searched time frame is widened to 9:45 AM to 10:10 AM:
Resolution
The reason for this is that RSA NetWitness Platform tracks time by session, not by packet. The data is collected and the packets are there, but the search is based on the start time of the session. Therefore, if packets belong to a session that started before the beginning of the searched time frame, those packets may not show in Investigation.
The decoder uses the session key (made up of the ip.src, ip.dst, and port fields) to identify which packets are part of the same session. If you see the same port combination in a packet captured earlier, the later packet is part of that earlier session.
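The following added example (not RSA code, and not how the decoder is implemented internally) simulates the behaviour described above on a constructed packet list: packets are grouped into sessions by the session-key fields, each session is stamped with its first packet's time, and a search over 10:00 to 10:10 misses the 10:02 packet because its session started at 09:58, while a search from 09:45 returns it.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample capture (not real NetWitness data):
# (timestamp, ip.src, ip.dst, source port, destination port)
PACKETS = [
    ("09:58:30", "10.1.1.5", "192.0.2.10", 51000, 443),  # session A starts before 10:00
    ("10:02:00", "10.1.1.5", "192.0.2.10", 51000, 443),  # ...but has a packet at 10:02
    ("10:03:15", "10.1.1.7", "192.0.2.20", 51001, 80),   # session B starts at 10:03
    ("10:04:00", "10.1.1.7", "192.0.2.20", 51001, 80),
]

def parse_ts(hhmmss):
    return datetime.strptime(hhmmss, "%H:%M:%S")

def session_key(pkt):
    # The key fields the article names: ip.src, ip.dst and the port fields.
    _, src, dst, sport, dport = pkt
    return (src, dst, sport, dport)

def build_sessions(packets):
    """Group packets by session key; a session's time is its FIRST packet's time."""
    grouped = defaultdict(list)
    for pkt in sorted(packets, key=lambda p: parse_ts(p[0])):
        grouped[session_key(pkt)].append(pkt)
    return {k: {"start": parse_ts(v[0][0]), "packets": v} for k, v in grouped.items()}

def query_by_session_start(sessions, begin, end):
    """Session-based search: a session (and all its packets) matches only if
    the session's start time lies within [begin, end]."""
    b, e = parse_ts(begin), parse_ts(end)
    return [p for s in sessions.values() if b <= s["start"] <= e for p in s["packets"]]

def query_by_packet_time(packets, begin, end):
    """What a user intuitively expects: every packet whose own timestamp is in range."""
    b, e = parse_ts(begin), parse_ts(end)
    return [p for p in packets if b <= parse_ts(p[0]) <= e]

def packets_at(result, ts):
    return [p for p in result if p[0] == ts]

if __name__ == "__main__":
    sessions = build_sessions(PACKETS)
    narrow = query_by_session_start(sessions, "10:00:00", "10:10:00")
    wide = query_by_session_start(sessions, "09:45:00", "10:10:00")
    print("10:02 packet found in 10:00-10:10 search:", bool(packets_at(narrow, "10:02:00")))
    print("10:02 packet found in 09:45-10:10 search:", bool(packets_at(wide, "10:02:00")))
```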