Configure Parsers and Feeds
Parsers and feeds are responsible for analyzing the packets and logs when captured or imported in Decoders. Most commonly, they are used for static metadata extraction and service identification. The flexible definition allows custom extension of the core defined services to provide extra service type identification and metadata extraction. This is important due to the volume of custom applications that are used on networks.
NetWitness Platform 12.4.1 introduces the following new enhancements to improve Packet Decoder Parsing significantly:
Improved Packet Decoder Parsing with Maximum Parse Limit Per Protocol
NetWitness Platform optimizes the Packet Decoders for the most effective detection and investigation, balancing high performance with depth of visibility. Administrators can now change the scanning depth limit depending on the detected protocol. Additionally, a different parse.bytes.max can be set for each protocol to focus parsing and metadata generation on the more valuable sessions.
Improved Packet Decoder Parsing with Maximum Parse Limit Step Function
NetWitness Platform allows parsers to constantly step through a session as tokens are found on a protocol basis to optimize generating meta in appropriately valuable sessions. The Step Scan enables the scan engine to continue scanning from the position of the last token found for the specified number of bytes. This process repeats each time a token is found and continues until the scan reaches the end of the stream or there are no more tokens. Administrators can optimize specific parsing traffic further into a session to get better visibility for protocols more prone to extensive sessions with potential threats.
Introduction of Meta Keys to Track Bytes Scanned per Session
NetWitness Platform has introduced two new meta keys to track the number of bytes scanned per session. These meta keys are scanned.client and scanned.server, which keep track of the scanned bytes for the client and server streams respectively. Administrators can review how far a session scan progressed and compare it to the configured parse limit and the session size. This setting is disabled by default, but it can be turned on by ensuring that the parser ScannerAnalytics is enabled. These meta keys are indexed as UInt64 types with level IndexKeys, so all regular queries relating to integers are applicable.
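The following is an added illustration of the two mechanisms described above, the fixed per-protocol parse limit and the step scan, together with the per-stream scanned-byte bookkeeping that scanned.client and scanned.server expose. It is not NetWitness code and does not reflect the Decoder's internal parser engine; the token set (a few HTTP header names), the sample client and server streams, and the names scan_stream, scan_session, parse_limit and step_bytes are constructed for this example only.

```python
# Simplified model of a parse limit and a step scan over one session's streams.
# Not NetWitness code: all names below except scanned.client / scanned.server
# are hypothetical and chosen for this illustration.
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass
class ScanResult:
    tokens: list[tuple[int, bytes]]  # (byte offset, token) for every token found
    scanned: int                     # bytes examined; modelled scanned.client / .server
    hit_limit: bool                  # True when scanning stopped before end of stream


def scan_stream(stream: bytes, tokens: list[bytes], parse_limit: int,
                step_bytes: int | None = None) -> ScanResult:
    """Scan one stream for any of `tokens`.

    Without step scan (step_bytes=None) only the first `parse_limit` bytes are
    examined. With step scan, every token found extends the scan window to
    (end of token + step_bytes); scanning stops when no further token lies
    inside the window or the stream ends. The parse limit sets the initial window.
    """
    pattern = re.compile(b"|".join(re.escape(t) for t in tokens))
    window_end = min(parse_limit, len(stream))
    found: list[tuple[int, bytes]] = []
    pos = 0
    while True:
        # endpos makes the search behave as if the stream ended at window_end
        match = pattern.search(stream, pos, window_end)
        if match is None:
            break
        found.append((match.start(), match.group(0)))
        pos = match.end()
        if step_bytes is not None:
            window_end = min(max(window_end, match.end() + step_bytes), len(stream))
    return ScanResult(found, window_end, window_end < len(stream))


def scan_session(client: bytes, server: bytes, tokens: list[bytes],
                 parse_limit: int, step_bytes: int | None = None) -> dict:
    """Per-session bookkeeping: scanned bytes per stream (the two meta keys named
    on this page) next to the session size and the limit they are compared with."""
    c = scan_stream(client, tokens, parse_limit, step_bytes)
    s = scan_stream(server, tokens, parse_limit, step_bytes)
    return {
        "scanned.client": c.scanned,
        "scanned.server": s.scanned,
        "session_bytes": len(client) + len(server),   # hypothetical local name
        "parse_limit": parse_limit,                   # hypothetical local name
        "tokens_found": len(c.tokens) + len(s.tokens),
    }


# Constructed sample session: two HTTP requests in the client stream, the second
# sitting well past where a fixed 100-byte limit stops; one short server response.
SAMPLE_CLIENT = (
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: demo\r\n\r\n"
    + b"A" * 200
    + b"GET /login HTTP/1.1\r\nHost: example.test\r\nUser-Agent: demo\r\n\r\n"
)
SAMPLE_SERVER = (
    b"HTTP/1.1 200 OK\r\nServer: demo\r\n\r\n" + b"B" * 50
)
HTTP_TOKENS = [b"Host: ", b"User-Agent: ", b"Server: "]


if __name__ == "__main__":
    # Fixed limit: the second request is never seen.
    print(scan_stream(SAMPLE_CLIENT, HTTP_TOKENS, parse_limit=100))
    # Step scan large enough to bridge the 200-byte gap: all four headers found.
    print(scan_stream(SAMPLE_CLIENT, HTTP_TOKENS, parse_limit=100, step_bytes=250))
    # Step scan too small to bridge the gap: scanning stops at 158 bytes.
    print(scan_stream(SAMPLE_CLIENT, HTTP_TOKENS, parse_limit=100, step_bytes=100))
    print(scan_session(SAMPLE_CLIENT, SAMPLE_SERVER, HTTP_TOKENS, parse_limit=100))
```

Comparing the scanned value with the session size in the returned dictionary is the same check an administrator performs with scanned.client and scanned.server: a scanned count far below the session size, with the limit reached, indicates that the protocol's limit or step size is cutting off metadata extraction for that traffic.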
See the following sections for details about configuring parsers and feeds.