Basic Command Line Parameters and Editing

NwConsole is like a Swiss army knife; it contains many tools buried underneath its command line interface. NwConsole is multi-platform. Executables are available for CentOS (which ships on appliances), Windows, and Mac. NwConsole is included on all hosts.

Basic Command Line Parameters

Here are some basic command line parameters:

  • -f To run a set of commands from a file, use the -f attribute as shown here:
    NwConsole -f /tmp/<somefile.script>
  • -e You can use the -e attribute (which is similar to the -f attribute) to run a set of commands from a file and allow environment variable substitution within the file using $ENV_VAR syntax, as shown here:
    NwConsole -e /tmp/<somefile.script>
    Use \$ to escape a dollar sign and \\ to escape a backslash.
  • -c To pass in a list of commands from the command line, use the -c attribute as shown here:

    NwConsole -c <command1> -c <command2> -c <command3>

    This is not recommended except for very simple scripts. The Bash interpreter can jumble quoted strings if you do not escape properly. If you have non-obvious errors passing through the command line, switch to reading from a file to see if that fixes the issues.

  • -i Normally, the NwConsole exits after running commands passed by a file or command line. If you want to keep the interactive prompt open after the commands are executed, include -i in the command line.

  • -q To suppress command information messages and only see command output, use -q for Quiet mode. This makes it easy to pipe command output (stdout) to other commands.

  • You can also run NwConsole and type the commands in the console window.

When you use the -c option, you can use additional quotes and escape quotes to include embedded spaces for the where clause. For example:
where="\"tcp.dstport=443 && time='2020-09-07 17:25:00'-'2020-09-08 05:24:59'\""

The following example shows how to use the -c option for pcap extraction.

[root@nwadmin1 ~]# NwConsole -c login <user> <passowrd> -c cd sdk -c packets
where="\"tcp.dstport=443 && time='2020-09-07 17:25:00'-'2020-09-08 05:24:59'\""
RSA NetWitness NextGen Console
Copyright 2001-2020, RSA Security Inc. All Rights Reserved.

>login ...
Successfully logged in to as session 168886
>cd sdk
[] /sdk
>packets where="tcp.dstport=443 && time='2020-09-07 17:25:00'-'2020-09-08 05:24:59'"
Writing packets to /var/netwitness/ny_sdwan_tcp_443_20200930.pcap (100%)

Line Editing

You can use the keys in the following table when editing a command.

Key Descripton
Ctrl-U Clears the current line
Ctrl-W Deletes the word that the cursor is on
Ctrl-A Moves the cursor to the beginning of the line
Ctrl-E Moves the cursor to the end of the line


Moves the cursor forward to the next word
Ctrl-B Moves the cursor backwards to the previous word
Up arrow Displays the previously executed command
Down arrow Displays the command executed after the current command (only valid if the up arrow has been pressed)
Left arrow Moves the cursor to the previous character
Right arrow Moves the cursor to the next character
Tab Provides context sensitive completion of most commands and their parameters. The Tab key is very helpful for editing.
For example, to view the Connecting to a Service help topic, at the command line, you can type man con and then press the Tab key. NwConsole completes the command for you: man Connecting to a Service
Press Enter to run the command and view the topic.
history Displays a numbered list of previous commands
history execute=# Executes a previous command, which is also equivalent to typing !#
For example, !1 executes the previous command.
history clear Clears all command history
history erase=# Erases a specific command from the history buffer. History is automatically stored from one session to the next.