2014-05-01 10:52 AM
I've been running in to a problem using the web interface and actually getting data to export in to a pcap.
it seems that more often then not, my pcap exports will fail from the web UI, but using the fat client i am able to retrieve the data.
In the web interface the amount of sessions seems to be irrelevant, as well as what data source i am selecting(broker vs concentrator)
this has existed for me since the upgrade to 10.3sp1( or there abouts) and i'm currently running 10.3.3.2517, and its still persisting.
RSA people, any ideas?
-mark
2014-05-21 09:35 AM
its still throwing this error as well.
Job user.f8081f32-43e6-4a99-bf9d-c58e019506b6 threw a JobExecutionException:
org.quartz.JobExecutionException: Error retrieving PCAP from device [See nested exception: java.io.IOException: com.rsa.netwitness.carlos.clients.nextgen.NextGenException: org.apache.http.conn.HttpHostConnectException: Connection to http://x.x.x.x:50103 refused]
at com.netwitness.platform.server.investigation.common.export.jobs.ExtractInvestigationPcapJob.executeJob(ExtractInvestigationPcapJob.java:64)
at com.rsa.netwitness.carlos.scheduling.jobs.AbstractJob.execute(AbstractJob.java:61)
at org.quartz.core.JobRunShell.run(JobRunShell.java:213)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:557)
Caused by: java.io.IOException: com.rsa.netwitness.carlos.clients.nextgen.NextGenException: org.apache.http.conn.HttpHostConnectException: Connection to http://x.x.x.x:50103 refused
at com.rsa.netwitness.carlos.transport.nextgen.adapter.NextGenContentAdapter.handle(NextGenContentAdapter.java:363)
at com.rsa.netwitness.carlos.transport.nextgen.adapter.NextGenContentAdapter.handle(NextGenContentAdapter.java:282)
at com.rsa.netwitness.carlos.transport.nextgen.adapter.NextGenContentAdapter.handleRequestStream(NextGenContentAdapter.java:130)
at com.rsa.netwitness.carlos.transport.nextgen.NextGenContentMessageChannel.requestStream(NextGenContentMessageChannel.java:42)
at com.rsa.netwitness.carlos.transport.nextgen.NextGenContentMessageChannel.requestStream(NextGenContentMessageChannel.java:27)
at com.rsa.netwitness.carlos.transport.spi.AbstractMessageChannel.requestStream(AbstractMessageChannel.java:149)
at com.netwitness.platform.server.investigation.common.export.jobs.AbstractExtractionJob.getContentInputStream(AbstractExtractionJob.java:97)
at com.netwitness.platform.server.investigation.common.export.jobs.AbstractExtractionJob.getPCAPContentInputStream(AbstractExtractionJob.java:84)
at com.netwitness.platform.server.investigation.common.export.jobs.ExtractInvestigationPcapJob.executeJob(ExtractInvestigationPcapJob.java:60)
... 3 more
Caused by: com.rsa.netwitness.carlos.clients.nextgen.NextGenException: org.apache.http.conn.HttpHostConnectException: Connection to http://x.x.x.x:50103 refused
at com.rsa.netwitness.carlos.clients.nextgen.impl.NextGenClientImpl.downloadContent(NextGenClientImpl.java:1918)
at com.rsa.netwitness.carlos.transport.nextgen.adapter.NextGenContentAdapter.handle(NextGenContentAdapter.java:358)
... 11 more
Caused by: org.apache.http.conn.HttpHostConnectException: Connection to http://x.x.x.x:50103 refused
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:190)
at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:294)
at org.apache.http.impl.client.DefaultRequestDirector.tryExecute(DefaultRequestDirector.java:701)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:517)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
at com.rsa.netwitness.carlos.clients.nextgen.impl.NextGenClientImpl.downloadContent(NextGenClientImpl.java:1901)
... 12 more
Caused by: java.net.ConnectException: Connection refused
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:339)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:200)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:182)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:391)
at java.net.Socket.connect(Socket.java:579)
at org.apache.http.conn.scheme.PlainSocketFactory.connectSocket(PlainSocketFactory.java:127)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
... 18 more
2014-06-07 03:33 AM
has the issue resolved? i don't have issue after upgrade, now i'm running 10.3.3.2533-5
2014-06-07 08:08 AM
it was resolved briefly after i applied a hot fix. but it has come back i think its time to start exploring options to day zero the broker, and just reload everything back on to it. it is a total PIA where i cant extract pcap's but yet it will do file extraction(not that i need to rely on it for something so easy) i just want my packets. purging the indexes on the broker had no affect on the problem, etc.
ive also noticed that the overall performance of the broker seems to take a nice hit when more then 1 user is actively on the host and performing investigations.
2014-06-07 08:43 AM
that's great!
2014-06-07 09:26 AM
i guess it is, if all i want to do is use the fatclient directly connected to the concentrators