2018-08-07 05:53 AM
Hi, I am getting some incomplete sessions sent to our packet decoders by our taps, but I don't know how big the issue is.
There are no packet drop messages being recorded in /var/log/messages on the decoder, so I suspect that the network taps are not forwarding us all the packets. Alternatively it could be that the network taps themselves are not seeing all the packets.
Is there any way to detect missing packets in a session with NetWitness?
2018-08-07 06:17 AM
I'm not aware of any method for using NetWitness directly to detect packet loss, but it might be worth running Wireshark before the TAP, even just a Raspberry Pi or a laptop, to grab a packet stream and compare the results. That should rule out whether it's the TAP or a problem further down the line.
Having that capability and solution available can be useful in IR also as you can quickly deploy a pcap solution ad-hoc to support investigations such as this.
2018-08-07 11:55 AM
How are you discovering/determining the incomplete sessions at the moment? Is session reconstruction failing?
The only idea that comes to mind is to show the session reconstruction log and compare what it says should be the total packet count vs. what shows up in the View Packets event reconstruction window.
2018-08-08 06:25 AM
Hi, I am discovering the incomplete sessions in a few ways:
- Extracting packet captures and then viewing them in Wireshark, which shows them as "packets missing"
- The pcaps are exported to another system and don't appear, as it is less tolerant of missing packets than NetWitness
- User reports that they are unable to view in Reconstruction View
These hint that I have a problem; I have enough evidence that there is an issue, but I don't know how large the issue actually is.
2018-08-08 07:45 AM
If I am remembering correctly, Wireshark will display a "--[missing packet]--" label in the "Follow TCP Streams" view. This is a label placed by Wireshark and not something within the pcap/traffic. I am not aware of such a feature in NetWitness during packet collection.
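The "missing packet" check the post above attributes to Wireshark can be reproduced offline for bulk triage of exported pcaps: walk each TCP flow and flag any segment whose sequence number is above the next byte the flow was expected to carry. This is an added example, not code from the thread or from NetWitness; the capture it runs on is constructed inline (hypothetical hosts 10.0.0.1 and 10.0.0.2) and it assumes classic pcap files with Ethernet framing and no sequence-number wrap within the capture.

```python
import struct

def build_tcp_frame(src, dst, sport, dport, seq, payload):
    # Minimal Ethernet/IPv4/TCP frame for constructed test data (checksums left zero).
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

def build_pcap(frames):
    # Classic pcap container, LINKTYPE_ETHERNET, one record per frame.
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def find_tcp_gaps(pcap):
    # A seq above the next expected seq for its flow direction means bytes were never
    # captured (what Wireshark flags as a missing packet). Assumes seq does not wrap.
    expected, gaps, off = {}, [], 24
    while off + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":
            continue                      # not IPv4
        ip = frame[14:]
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
        if ip[9] != 6:
            continue                      # not TCP
        tcp = ip[ihl:total]
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        doff, flags = (tcp[12] >> 4) * 4, tcp[13]
        # SYN and FIN each consume one sequence number in addition to payload bytes.
        seq_len = len(tcp) - doff + bool(flags & 0x02) + bool(flags & 0x01)
        flow = (ip[12:16], ip[16:20], sport, dport)
        if flow in expected and seq > expected[flow]:
            gaps.append((flow, expected[flow], seq))
        expected[flow] = max(expected.get(flow, 0), seq + seq_len)
    return gaps

def sample_pcap_with_gap():
    # Constructed capture: four 100-byte segments 10.0.0.1:40000 -> 10.0.0.2:80;
    # the one carrying bytes 1200..1299 never reached the capture point.
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    frames = [build_tcp_frame(src, dst, 40000, 80, s, b"A" * 100) for s in (1000, 1100, 1300, 1400)]
    return build_pcap(frames)

if __name__ == "__main__":
    for flow, want, got in find_tcp_gaps(sample_pcap_with_gap()):
        print(f"{'.'.join(map(str, flow[0]))}:{flow[2]} -> port {flow[3]}: expected seq {want}, saw {got} ({got - want} bytes missing)")
```

Pointing `find_tcp_gaps` at `open(path, "rb").read()` for each exported pcap gives a per-flow count of gaps, which is the size-of-problem number the question is after; retransmissions (seq below expected) are deliberately not counted.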
2018-08-08 01:00 PM
We had such an issue in the past, and the way we ran our test was to send a ping regularly (once per minute) to one of our IPs that would be seen by the tap and then check NW to see how many packets we got over an hour (expecting to see 60 pings).
The other issue we had before was with TCP offloading on the capturing NIC cards; we were having issues similar to those David described in his post, with snippets of packets missing (seen in Wireshark) and being unable to reconstruct files.