Article Number
000003240
Applies To
NetWitness Product Set: NetWitness Log and Network
NetWitness Product/Service Type: Decoder
NetWitness Version/Condition: 12.4.x
NetWitness Product/Service Type: Decoder
NetWitness Version/Condition: 12.4.x
Issue
You may face continuous packet drop issue since upgrading to 12.4.x. You might see the following similar logs.
In past cases, this has mainly occurred when using 10G port DPDK.
/var/log/messages:
Jul 26 12:38:16 xxx NwDecoder[4857]: [Packet] [warning] Packet drops encountered, decoder_session assembled (149993/300000): check parse content (parsers, feeds, app rules)
Jul 26 12:39:17 xxx NwDecoder[4857]: [Packet] [warning] Packet drops encountered, decoder_session assembled (149996/300000): check parse content (parsers, feeds, app rules)In past cases, this has mainly occurred when using 10G port DPDK.
Resolution
Found the Decoder performance issue with Dynamic Domain DNS feed that is deprecated and no longer supported by NetWitness.
So you should disable this feed refer to the following step:
1. Log in to NetWitness UI
2. Go to "Admin -> SERVICES -> Decoder(The problematic one) -> Explore"
3. Then go to "decoder -> parsers -> feeds" on the let panel
4. Click the dynamic_dns.feed and change Feed Enabled(feed.enabled) to "no" from "yes". Below the example screen shot.
Image description
So you should disable this feed refer to the following step:
1. Log in to NetWitness UI
2. Go to "Admin -> SERVICES -> Decoder(The problematic one) -> Explore"
3. Then go to "decoder -> parsers -> feeds" on the let panel
4. Click the dynamic_dns.feed and change Feed Enabled(feed.enabled) to "no" from "yes". Below the example screen shot.
Image descriptionNotes
If the issue persists after the steps above is performed, contact NetWitness Support and quote this article number for further assistance.
In this article
