This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Knowledge Base
Find answers to your questions and identify resolutions for known issues with knowledge base articles written by NetWitness experts.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

BPF rules are not filtering traffic on RSA NetWitness Platform 10G Decoders

Article Number

000001718

Applies To

RSA Product Set: Security Analytics, RSA NetWitness Logs & Network
RSA Product/Service Type: 10G Decoder, Security Analytics UI
RSA Version/Condition: 10.4.x, 11.x
Platform: CentOS
O/S Version: EL6

Issue

After configuring BPF rules on a Security Analytics 10G Decoder, the traffic is not being filtered as expected.

Cause

The PFRING driver used with 10G Decoders does not support the use of BPF and therefore will not filter the traffic.

Resolution

In order to filter network traffic on a 10G Decoder, a Network Rule must be created rather than using BPF.

For example, if ports 553 and 55553 needed to be filtered, rather than using the not (port 553 or 55553) BPF syntax, a network rule similar to the rule shown below should be created.

Notes

More information on configuring Network Rules can be found in the RSA Security Analytics 10.4 User Guide.
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2022-02-10 01:09 PM
Updated by:
Administrator Administrator

Related Content

© 2022 RSA Security LLC or its affiliates. All rights reserved.