Decoder and Log Decoder Quick Setup

A basic NetWitness network includes at minimum Brokers, Concentrators, and Decoders. Brokers aggregate data from Concentrators, and Concentrators consume data from at least one Network Decoder or Log Decoder. The basic network may include both types of Decoders. Network Decoders are usually referred to as Decoders, and they capture network data in packet form. Log Decoders capture log data as events.

Adding a Decoder makes it visible and available for use with NetWitness Administration, Live Services, and Investigate. To add a service in NetWitness, you select the service type, provide service connection information, and validate that the service can be reached. The Hosts and Services Getting Started Guide provides the information you need to understand and install all NetWitness services.

After the services are added, you need to configure each service. This is the preferred order for configuring your system:

  1. Decoders
  2. Log Decoders
  3. Concentrators (refer to the Broker and Concentrator Configuration Guide)
  4. Brokers (refer to the Broker and Concentrator Configuration Guide)

Note: A Log Decoder is a special type of Decoder that is configured and managed in much the same way as a Decoder. Most of the information in this guide applies to both types, and in this guide "Decoder" refers to both. Information that applies exclusively to Network Decoders or to Log Decoders is clearly identified.

Basic configuration of the Decoder involves selecting a network adapter interface and starting data capture.

In addition, you can configure each Decoder to control the type of traffic captured using rules, feeds, and parsers. Advanced configuration tasks enable additional features that are relevant to specific applications. For example, configure a 10G Decoder, create custom meta keys, or decrypt incoming packets.

The easiest way to configure all of the required Decoder and Log Decoder settings is to use the options in the NetWitness user interface. For the most part, configuration is performed in the Administration Services view (Admin > Services).


Administrators who feel comfortable working outside of the user interface can configure the basic parameters as well as advanced settings by editing database nodes in the Decoder node tree using the Services Explore view.


Perform Initial Quick Setup

This procedure accomplishes the initial, basic configuration of a Decoder, and starts data capture. When the basic setup is complete, the Decoder begins capturing data for the Concentrator to consume.

To configure a Decoder and start capturing data:

  1. Assign a network interface for capturing data. For details, see "Select a Network Adapter" in Configure Capture Settings.
  2. Do one of the following:
    1. To start capture, select the Decoder and click the Actions icon > View > System. In the toolbar, click the Start Capture icon.
    2. To enable Capture Autostart, see "Configure a Decoder to Begin Capturing Data Automatically" in Configure Capture Settings.
      The Decoder begins capturing data for consumption by a Concentrator. For additional configuration options, refer to Configure Common Settings on a Decoder or Decoder and Log Decoder Additional Procedures.