This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

SA Fails to export pcap/Overall broker slowness/Wierdness/PIA

Anonymous
Not applicable

‎2014-05-01 10:52 AM

I've been running in to a problem using the web interface and actually getting data to export in to a pcap.

it seems that more often then not, my pcap exports will fail from the web UI, but using the fat client i am able to retrieve the data.

 

In the web interface the amount of sessions seems to be irrelevant, as well as what data source i am selecting(broker vs concentrator)

this has existed for me since the upgrade to 10.3sp1( or there abouts) and i'm currently running 10.3.3.2517, and its still persisting.

 

RSA people, any ideas?

 

-mark

Preview file
12 KB
0 Likes
24 REPLIES 24

huanzhou1
Beginner
Beginner
In response to Anonymous

‎2014-05-02 01:39 PM

not sure what you mean by the old session still showing?any screenshot?

0 Likes

Anonymous
Not applicable

‎2014-05-02 01:43 PM

stale sessions.

sessions.PNG.png

0 Likes

huanzhou1
Beginner
Beginner
In response to Anonymous

‎2014-05-03 06:17 AM

i'm not sure whether any timeout setting for the session or not. Can you check all the session the source ip address? Do you have malware/spectrum?

0 Likes

huanzhou1
Beginner
Beginner
In response to huanzhou1

‎2014-05-03 07:08 AM

The10.3.3 released, but i tried to export, the pcap exported all empty.

0 Likes

huanzhou1
Beginner
Beginner
In response to huanzhou1

‎2014-05-03 07:42 AM

my fault, forgot to connect the decoder.

 

Just fyi, 10.3.3 fixed the problem, you may download and upgrade.

0 Likes

Anonymous
Not applicable

‎2014-05-06 04:15 PM

my export still fails(10.3.3) and has the awesomeness to cause something else to crash at the same time when i start the process. so anything i had going on in an investigator view fails with a connection refused error.


Failed to retrieve distinct values for specific field across range 1 to 129642016381 : I/O error: The target server failed to respond; nested exception is org.apache.http.NoHttpResponseException: The target server failed to respond

0 Likes

huanzhou1
Beginner
Beginner
In response to Anonymous

‎2014-05-06 09:49 PM

Looks like connection issue to me, can you re-add the concentrators? Also re-add the aggregated decoders.

0 Likes

Anonymous
Not applicable
In response to huanzhou1

‎2014-05-17 01:49 PM

sorry for the delayed response but this has failed to resolve the issue as well. removing the concentrator sources from the broker, as well as removing the decoders from the concentrator, still results in a failure through the broker.

0 Likes

huanzhou1
Beginner
Beginner
In response to Anonymous

‎2014-05-17 07:38 PM

can you run rpm -a | grep nwbroker ? just want to confirm your broker version.

0 Likes

Anonymous
Not applicable
In response to huanzhou1

‎2014-05-20 11:45 AM

nwbroker-10.3.3.2517-5.el6.x86_64

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.