netwitness-events

Fetch events from Netwitness Decoder

netwitness-events profile=PROFILE [duration=NUM{mon|w|d|h|m|s}] [from=yyyyMMddHHmmss] [to=yyyyMMddHHmmss] [ip=IP] [ip2=IP2]

profile=PROFILE: The identifier of NetWitness connect profile
duration=NUM{mon|w|d|h|m|s}: Scan only recent data. You should use s(second), m(minute), h(hour), d(day), mon(month) time unit. For example, 10s means data from 10 seconds earlier.
from=yyyyMMddHHmmss: Start time of range. yyyyMMddHHmmss format. If you omit time part, it will be padded by zero.
to=yyyyMMddHHmmss: End time of range. yyyyMMddHHmmss format. If you omit time part, it will be padded by zero.
ip=IP: First IP address for search
ip2=IP2: Second IP address for search

Output Fields

Field	Type	Name	Description
_time	Date	Time	Session time
profile	String	Connect profile	The identifier of NetWitness connect profile
session	Long	Session ID
direction	String	Direction	e.g. lateral, outbound
src_ip	IP address	Source IP
src_port	Integer	Source port
dst_ip	String	Destination IP
dst_port	Integer	Destination port
protocol	String	Protocol
service	String	Service
src_mac	String	Source MAC
dst_mac	String	Destination MAC
streams	Integer	Streams
bytes	Long	Bytes
pkts	Long	Packets
payload	Long	Payload
duration	Integer	Duration
netname	String	Net name	e.g. private src, other src
tcp_flags	String	TCP flags	e.g. syn, fin
alias.host	String	Hostname
alias.ip	String	IP alias
src_country	String	Source country
dst_country	String	Destination country
src_domain	String	Source domain
dst_domain	String	Destination domain
src_org	String	Source organization
dst_org	String	Destination organization
action	String	Action	Separated by new line. e.g. Query Info, Tree Connect, PUT, POST
directory	String	Directory	e.g. \IPC$, /css/
filename	String	File name
query	String	Query
content	String	Content	e.g. text/plain, image/gif
client	String	Client	e.g. HTTPS, Mozilla/4.0