
RSA NetWitness Logs and Network: Packet Decoder - Increasing MTU and setting snaplen when using 10G card with pf_ring service

Article Number

000001073

Applies To

RSA Product Set: NetWitness Logs and Network (Security Analytics)
RSA Version/Condition: 10.5.x, 10.6.x, 11.x
Platform: CentOS
O/S Version: 6, 7

 

Issue

MTU and snaplen must be set differently on appliances that have a 10G card using pf_ring.

Appliances without a 10G card can use:
MTU - KB #000034177 - How to set the MTU size on RSA Netwitness appliances 10.x

Snaplen - KB #000026720 - How to set correct capture packet/frame size (snaplen) on RSA NetWitness decoders when data is missing from end of packets
Note: The two techniques for calculating snaplen in KB #000026720 do not work when pf_ring is in use because they rely on tcpdump.


Symptoms of needing to increase MTU to support jumbo frames:
A packet decoder shows a large and growing error count on the capture interface. The 'rx_long_length_errors' counter relates to received frames that are longer than the interface MTU, i.e. jumbo frames.

# ethtool -S p2p2 | grep rx_long_length_errors
rx_long_length_errors: 7294031336
Re-running the above command shows the number increasing.

Resolution


To increase MTU and set snaplen in the decoder service:
1) Identify the capture interface by looking at the received traffic (RX packets) in `ifconfig -a` output.
This will be something like p2p1 or em3 (em1 is usually the management interface and can be ignored).

# ifconfig -a


2) Confirm the interface is a 10G card

# ethtool p2p1 | grep -m1 10000
Example output for a 10G interface:

10000baseT/Full
Note: A 1G interface returns no output for the above command.


3) Check which interfaces are patched

# ethtool p2p1 | grep 'Link detected'
Example output for a patched interface:

Link detected: yes
Example output for a non-patched interface:

Link detected: no
-------------------------------------------------------------
If both 10G ports are patched, skip to Section B below.

Section A. Configuration on a 10G fiber card where only a single port is patched
Note: The following examples assume the interface is p2p1.

4) Add the MAC address to a new file
For NetWitness 10.x versions you can make use of the facter output:

# printf "%s 8192\n" "$(facter macaddress_p2p1)" > /etc/pf_ring/mtu.conf
Note: Because of the underscore character, you may need to type the command manually rather than copy and paste it.

The end result in /etc/pf_ring/mtu.conf will look like:

00:1B:21:9B:1D:DD 8192

For NetWitness 11.x versions, copy the MAC address from the `ifconfig -a` output into /etc/pf_ring/mtu.conf manually and append the MTU value.


5) In Explore mode, edit /decoder/config/capture.device.params (Capture Device Parameters)
BEFORE:

device=zc:p2p1
AFTER:

snaplen=8192 device=zc:p2p1
Note: The value turns red to indicate that a service restart is required.


6) Add the MTU to the /etc/sysconfig/network-scripts/ifcfg-* file
e.g. add the following line to the bottom of /etc/sysconfig/network-scripts/ifcfg-p2p1

MTU="8192"
Note: Make sure that capture interfaces have the following setting (only the management interface should have ONBOOT=yes):

ONBOOT=no


7) Stop capture in the System page of the decoder service


8) Stop the decoder service

# stop nwdecoder


9) Uninstall the pf_ring RPM (optional if the 'device=' part of capture.device.params has not changed)
Hint: Before removing the package, check that the pfring package is available in the NetWitness yum repository; otherwise the next step will fail.

# repoquery pfring
To uninstall the RPM:

# yum remove pfring


10) Re-install the pf_ring RPM to re-insert the module into the kernel (optional if the 'device=' part of capture.device.params has not changed)

# yum install pfring


11) Reboot the OS

# shutdown -r now
or

# reboot

-------------------------------------------------------------
Section B. Configuration on a 10G fiber card where both ports are patched
Note: The following examples assume the interfaces are p2p1 and p2p2.

4) Add the MAC addresses to a new file
For NetWitness 10.x versions you can make use of the facter output:

# printf "%s 8192\n" "$(facter macaddress_p2p1)" >> /etc/pf_ring/mtu.conf
# printf "%s 8192\n" "$(facter macaddress_p2p2)" >> /etc/pf_ring/mtu.conf
Note: Because of the underscore character, you may need to type the commands manually rather than copy and paste them.

The end result in /etc/pf_ring/mtu.conf will look like:

00:1B:21:9B:1D:DD 8192
00:1B:21:9B:1D:DC 8192

For NetWitness 11.x versions, copy the MAC addresses from the `ifconfig -a` output into /etc/pf_ring/mtu.conf manually and append the MTU value to each.


5) In Explore mode, edit /decoder/config/capture.device.params (Capture Device Parameters)
BEFORE:

capture=zc:p2p2,zc:p2p1
AFTER:

snaplen=8192 capture=zc:p2p2,zc:p2p1

Note: The value turns red to indicate that a service restart is required.


6) Add the MTU to the /etc/sysconfig/network-scripts/ifcfg-* files
e.g. add the following line to the bottom of both /etc/sysconfig/network-scripts/ifcfg-p2p1 and /etc/sysconfig/network-scripts/ifcfg-p2p2

MTU="8192"


7) Stop capture in the System page of the decoder service


8) Stop the decoder service

# stop nwdecoder


9) Uninstall the pf_ring RPM (optional if the 'device=' part of capture.device.params has not changed)
Hint: Before removing the package, check that the pfring package is available in the NetWitness yum repository; otherwise the next step will fail.

# repoquery pfring

To uninstall the RPM:

# yum remove pfring


10) Re-install the pf_ring RPM to re-insert the module into the kernel (optional if the 'device=' part of capture.device.params has not changed)

# yum install pfring


11) Reboot the OS

# shutdown -r now
or

# reboot

Warning: It is recommended to monitor for packet drops after increasing snaplen.
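The checks and file edits from steps 2 to 5 above, plus the rx_long_length_errors symptom check, collected into shell functions as an added example (not RSA or NetWitness tooling). Each function takes its input as an argument so it runs offline; the sysfs path /sys/class/net/<iface>/address used in the closing comment is an assumption for 11.x appliances where facter is not used.

```shell
#!/bin/sh
# Added helper functions for the pf_ring MTU/snaplen change above; this is an
# example script, not RSA/NetWitness tooling. Every function takes its input
# as an argument (command output or a MAC address) so it can be run offline;
# on an appliance, pass the real ethtool output and the interface's MAC.

# 0 if the ethtool output advertises a 10G link mode (step 2's grep -m1 10000).
is_10g() {
    printf '%s\n' "$1" | grep -q '10000base'
}

# 0 if the port is patched, i.e. ethtool reports "Link detected: yes" (step 3).
is_patched() {
    printf '%s\n' "$1" | grep -q '^Link detected: yes'
}

# Emit one /etc/pf_ring/mtu.conf line ("<mac> <mtu>", step 4). The MAC must be
# six colon-separated hex octets, so a stray ifconfig field is never written.
mtu_conf_line() {
    mac=$1; mtu=${2:-8192}
    printf '%s\n' "$mac" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' || return 1
    printf '%s %s\n' "$mac" "$mtu"
}

# Prepend snaplen=<n> to a capture.device.params value (step 5), dropping any
# existing snaplen= token first so the function is safe to run more than once.
set_snaplen() {
    params=$1; snaplen=${2:-8192}
    rest=$(printf '%s\n' "$params" | sed -E 's/(^| )snaplen=[0-9]+//; s/^ +//')
    printf 'snaplen=%s %s\n' "$snaplen" "$rest"
}

# Extract the rx_long_length_errors counter from "ethtool -S <iface>" output.
rx_long_errors() {
    printf '%s\n' "$1" | awk -F': *' '/rx_long_length_errors/ { print $2; exit }'
}

# 0 if the counter grew between two samples of "ethtool -S" output, which is
# the symptom (jumbo frames being dropped) that the MTU increase addresses.
jumbo_errors_growing() {
    [ "$(rx_long_errors "$2")" -gt "$(rx_long_errors "$1")" ]
}

# On an 11.x appliance (assumption: no facter, MAC read from sysfs):
#   mtu_conf_line "$(cat /sys/class/net/p2p1/address)" >> /etc/pf_ring/mtu.conf
```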
Version history
Last update: 2022-02-10 02:39 PM
Updated by: nwinfotech (Administrator)
© 2022 RSA Security LLC or its affiliates. All rights reserved.