Retrieve Hash Information

Archiver provides a command, hashInfo, which you can use to retrieve the hash information for each session, meta, and packet database that meets the session list or date range criteria. The hash information retrieved is in the form of a list of string parameters, each string parameter corresponding to the hash information for a single database file. You can retrieve the hash information of the database files using the Archiver Service Explore view or REST interface of the Archiver service. The hash information thus retrieved is used to compare the database files in the original location and the exported location to validate data integrity.

The following table lists the criteria that you can use to retrieve the hash files from the database.

Criteria Description
sessions

You can retrieve the hash information of the database files by specifying sessions that exist. The session database is read to determine the associated meta and packet IDs, which in turn determine which meta and packet database files are needed to retrieve the hash information.

For example:

sessions=100 - Retrieves the hash information of all database files that contain the constituent components (session, meta, content) of session 100.

sessions=100,500000 - Retrieves the hash information of all database files that contain the constituent components (session, meta, content) of session 100 and 500000.

beginDate

You can specify a begin date as a filter against the database files. This finds the hash information for the files created after the specified date. The begin date specified has to be in the format YYYY-MM-DD HH:MM:SS.

endDate

You can specify an end date as a filter against the database files. This finds the hash information for the files created before the specified date. The end date specified has to be in the format YYYY-MM-DD HH:MM:SS.

For example:

beginDate="2014-Mar-25 05:52:00" endDate="2014-Mar-27 05:52:00" – Retrieves the hash information of all the database files created between March 25, 2014 and March 27, 2014, within the specified time range on those days.

directories

By default, the hash information files are stored with the database files they were created for.
You can also store the hash information files in a different location by defining multiple locations in the hash.dir configuration parameter.

You can define the location as a filter and retrieve the hash information files for the configured location.

For example:

directories="/home/hash" – Retrieves the hash information of the database files from the location /home/hash.

Procedure

To retrieve hash information of the database files:

  1. Go to Admin > Services, click the icon (netwitness_filericon.png), and select Archiver.
  2. In the Actions column, select View > Explore.

    The Explore view of the Archiver service is displayed.


  3. In the node tree, right-click on archiver and select Properties.

    The Properties dialog is displayed.


  4. In the drop-down menu, select hashInfo.
  5. In the Parameters field, type the criteria that you want to use to retrieve the hash information from the database.
  6. Click Send.

    The output of the command is displayed in the Response Output text box. In the output, the hash information is shown in the hexHash parameter. You can use this hash information to verify data integrity manually.

Examples

Retrieve the hash information of the database files for the sessions that exist.
Criteria: sessions=100

Output

The hash information is returned in the hexHash parameter, and you can use it to verify data integrity manually for session 100.

Retrieve the hash information of the database files for the session ranges that exist.

Criteria: sessions=100,500000

Output


The hash information is returned in the hexHash parameter, and you can use it to verify data integrity manually for session range 100 - 500000.

Retrieve the hash information of the database files created in the specified date range.
Criteria: beginDate="2017-Mar-25 05:52:15" endDate="2017-Mar-27 05:52:15"

Output


The hash information is returned in the hexHash parameter, and you can use it to verify data integrity manually for the date range specified.
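
The manual check of exported files against the retrieved hexHash values can be scripted. The following is an added example, not part of the original documentation or the product. It assumes you have copied each file name and its hexHash from the hashInfo output into a mapping, and it infers the digest algorithm from the hash length because the page does not name the algorithm. The file names are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: the digest algorithm is inferred from the hexHash length,
# because the page does not say which algorithm the Archiver uses.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def file_digest(path, algo, chunk=1 << 20):
    """Hash a file in chunks so large database files are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_export(expected, export_dir):
    """expected maps database file name -> hexHash copied from hashInfo output.
    Returns {name: status}; status is ok, mismatch, missing or unknown-algorithm."""
    results = {}
    for name, hex_hash in expected.items():
        want = hex_hash.strip().lower()
        algo = ALGO_BY_HEX_LEN.get(len(want))
        path = Path(export_dir) / name
        if algo is None:
            results[name] = "unknown-algorithm"
        elif not path.is_file():
            results[name] = "missing"
        elif file_digest(path, algo) == want:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def demo():
    """Constructed sample: stand-in database files, one altered after hashing."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("session-1.db", "meta-1.db"):  # placeholder file names
            (Path(d) / name).write_bytes(b"constructed sample: " + name.encode())
        expected = {p.name: file_digest(p, "sha256") for p in Path(d).iterdir()}
        expected["packet-1.db"] = "0" * 64  # listed by hashInfo but never exported
        (Path(d) / "meta-1.db").write_bytes(b"altered after export")
        return verify_export(expected, d)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:10} {name}")
```

Any status other than ok means the exported copy cannot be treated as identical to the original database file.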