MTU and snaplen need to be set differently on appliances that have a 10G card using pf_ring.
For appliances not using a 10G card, use:
MTU - KB #000034177 - How to set the MTU size on RSA Netwitness appliances 10.x
Snaplen - KB #000026720 - How to set correct capture packet/frame size (snaplen) on RSA NetWitness decoders when data is missing from end of packets
Note: The two techniques for calculating snaplen in KB #000026720 don't work when pf_ring is being used, because they rely on tcpdump.
Symptoms of needing to increase MTU to support Jumbo Frames:
A packet decoder showing lots of errors on the interface. The 'rx_long_length_errors' counter relates to receiving jumbo frames.
# ethtool -S p2p2 | grep rx_long_length_errors
rx_long_length_errors: 7294031336
Re-running the above command shows the number increasing.
To increase MTU and set snaplen in the decoder service
1) Check the capture interface by looking at the received traffic (RX packets) in `ifconfig -a` output
This may be something like p2p1 or em3 (em1 will likely be the management interface, which can be ignored)
# ifconfig -a
2) Confirm the interface is a 10G card
# ethtool p2p1 | grep -m1 10000
Example output of a 10G interface:
10000baseT/Full
Note: A 1G interface will return no output for the above command.
3) Check which interfaces are patched
Check the link state of each interface:
# ethtool p2p1 | grep 'Link detected'
Example output of patched interface:
Link detected: yes
Example output of non-patched interface:
Link detected: no
-------------------------------------------------------------
If you have both 10G ports patched, skip to Section B below.
Section A. Configuration on 10G Fiber Card where only a single port is patched
Note: The following examples assume this is p2p1.
4) Add the MAC address to a new file
For NetWitness 10.X versions you can make use of facter output:
# printf "%s 8192\n" "$(facter macaddress_p2p1)" > /etc/pf_ring/mtu.conf
Note: Due to the _ character you may need to retype the command manually rather than copy and paste.
The end result in /etc/pf_ring/mtu.conf will look like:
00:1B:21:9B:1D:DD 8192
For NetWitness 11.X versions you need to copy the MAC from ifconfig -a manually into /etc/pf_ring/mtu.conf and append the MTU value.
5) In Explore mode edit /decoder/config/capture.device.params (Capture Device Parameters)
BEFORE:
device=zc:p2p1
AFTER:
snaplen=8192 device=zc:p2p1
Note: The value will turn red, indicating a service restart is required.
6) Add MTU to the /etc/sysconfig/network-scripts/ifcfg-* file
e.g. add the following line to the bottom of /etc/sysconfig/network-scripts/ifcfg-p2p1:
MTU="8192"
Note: Make sure that capture interfaces have the following (only the management interface should have ONBOOT=yes):
ONBOOT=no
7) Stop capture in the System page of the decoder service
8) Stop the decoder service
# stop nwdecoder
9) Uninstall the pf_ring RPM (optional if the 'device=' part of capture.device.params has remained the same)
Hint: Check whether the pfring package is currently available in the NW yum repository before removing it (otherwise the next step will fail):
# repoquery pfring
To uninstall the RPM:
# yum remove pfring
10) Re-install the pf_ring RPM to re-insert the module into the kernel (optional if the 'device=' part of capture.device.params has remained the same)
# yum install pfring
11) Reboot the OS
# shutdown -r now
or
# reboot
-------------------------------------------------------------
Section B. Configuration on 10G Fiber Card where both ports are patched
Note: The following examples assume these are p2p1 and p2p2.
4) Add the MAC addresses to a new file
For NetWitness 10.X versions you can make use of facter output:
# printf "%s 8192\n" "$(facter macaddress_p2p1)" >> /etc/pf_ring/mtu.conf
# printf "%s 8192\n" "$(facter macaddress_p2p2)" >> /etc/pf_ring/mtu.conf
Note: Due to the _ character you may need to retype the commands manually rather than copy and paste.
The end result in /etc/pf_ring/mtu.conf will look like:
00:1B:21:9B:1D:DD 8192
00:1B:21:9B:1D:DC 8192
For NetWitness 11.X versions you need to copy the MACs from ifconfig -a manually into /etc/pf_ring/mtu.conf and append the MTU value.
5) In Explore mode edit /decoder/config/capture.device.params (Capture Device Parameters)
BEFORE:
capture=zc:p2p2,zc:p2p1
AFTER:
snaplen=8192 capture=zc:p2p2,zc:p2p1
Note: The value will turn red, indicating a service restart is required.
6) Add MTU to the /etc/sysconfig/network-scripts/ifcfg-* files
e.g. add the following line to the bottom of /etc/sysconfig/network-scripts/ifcfg-p2p1 and /etc/sysconfig/network-scripts/ifcfg-p2p2:
MTU="8192"
7) Stop capture in the System page of the decoder service
8) Stop the decoder service
# stop nwdecoder
9) Uninstall the pf_ring RPM (optional if the 'device=' part of capture.device.params has remained the same)
Hint: Check whether the pfring package is currently available in the NW yum repository before removing it (otherwise the next step will fail):
# repoquery pfring
To uninstall the RPM:
# yum remove pfring
10) Re-install the pf_ring RPM to re-insert the module into the kernel (optional if the 'device=' part of capture.device.params has remained the same)
# yum install pfring
11) Reboot the OS
# shutdown -r now
or
# reboot
Warning: It is recommended to monitor for packet drops after increasing snaplen.
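As an added example (not part of the KB article and not RSA's tooling), a few POSIX shell helpers that cover the error-prone parts of the procedure above: building a valid mtu.conf line from a MAC, prepending snaplen to an existing capture.device.params value without duplicating it, and confirming from two ethtool readings that rx_long_length_errors is still climbing. The interface names, MACs and ethtool output are constructed sample values.

```shell
#!/bin/sh
# Added helper functions, not from the RSA KB article. Interface names, MACs and
# the ethtool output below are constructed sample values.

# Emit the "<MAC> <MTU>" line that /etc/pf_ring/mtu.conf expects, refusing
# anything that is not six colon-separated hex pairs (so a bad paste on an
# 11.x host, where the MAC is copied by hand, cannot produce a silent no-op).
mtu_conf_line() {
    mac=$1
    mtu=${2:-8192}
    case "$mac" in
        ??:??:??:??:??:??) ;;
        *) return 1 ;;
    esac
    if printf '%s' "$mac" | tr -d ':' | grep -q '[^0-9A-Fa-f]'; then
        return 1
    fi
    printf '%s %s\n' "$mac" "$mtu"
}

# Prepend snaplen=<len> to an existing capture.device.params value, replacing
# any snaplen token already present, so re-running the step is idempotent.
with_snaplen() {
    params=$1
    len=${2:-8192}
    rest=$(printf '%s' "$params" |
        sed -E 's/(^| )snaplen=[0-9]+( |$)/ /g; s/^ +//; s/ +$//')
    printf 'snaplen=%s %s\n' "$len" "$rest"
}

# Compare two "ethtool -S <iface>" captures taken a few seconds apart; succeed
# (exit 0) only if rx_long_length_errors grew, i.e. jumbo frames are still
# arriving above the current MTU. awk does the comparison because the counter
# exceeds 32 bits on a busy 10G port.
jumbo_errors_increasing() {
    before=$(printf '%s\n' "$1" | awk '/rx_long_length_errors/ { print $2 }')
    after=$(printf '%s\n' "$2" | awk '/rx_long_length_errors/ { print $2 }')
    [ -n "$before" ] && [ -n "$after" ] &&
        awk -v a="$after" -v b="$before" 'BEGIN { exit !(a > b) }'
}

# Constructed ethtool -S samples (two readings of the same interface).
ETHTOOL_T0='NIC statistics:
     rx_packets: 5120
     rx_long_length_errors: 7294031336'
ETHTOOL_T1='NIC statistics:
     rx_packets: 6210
     rx_long_length_errors: 7294031400'
```

Run the functions against live output with `jumbo_errors_increasing "$(ethtool -S p2p2)" "$(sleep 5; ethtool -S p2p2)"` to repeat the symptom check from the top of the article in one step.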