The ability to capture network events while keeping only the header portion and truncating the payload has been available for quite some time. It is a great option when the raw data (e.g. the session payload) has too little analytical value to justify the cost of storing it. Typical examples are database transfers of your backup files, or encrypted data that you are unable to decipher into clear text.
In RSA NetWitness Platform 11.1 we added options that increase the flexibility of when truncation is applied to an event.
The administrative interface shown below is where an admin can modify the truncation options on application rules per network decoder.