Article Number
000001731
Applies To
RSA Product Set: Security Analytics
RSA Product/Service Type: Packet Decoder
RSA Version/Condition: 10.5.x, 10.6.x
Platform: CentOS
O/S Version: EL6
Issue
When a packet decoder with a 10G NIC capture interface stops receiving packets because the TAP/switch port was shut down or the network cable was removed, the decoder's statistics still show the previous capture rate instead of the current capture rate of 0.
Cause
This issue is caused by the design of the pfring API, which is part of the 10G card driver API.
If no packets are coming in, the capture thread blocks, so the reported capture rate stays the same.
Workaround
This issue should be resolved in Version 11.X of RSA NetWitness. Please update to this release to take advantage of this fix.
Notes
If you are unable to update at this time, the present workaround for the issue is to monitor /database/stats/packet.rate instead of /decoder/stats/capture.rate.
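The check below is an added example, not RSA code. It shows how a monitoring job could apply the workaround, deciding on /database/stats/packet.rate alone and reporting the stale /decoder/stats/capture.rate value only for context. `Sample`, `find_capture_stalls` and `min_consecutive` are hypothetical names, the readings are constructed, and how the two statistics are collected from the decoder is not shown.

```python
from dataclasses import dataclass

@dataclass
class Sample:
    ts: int              # seconds since monitoring started (constructed)
    capture_rate: float  # reading of /decoder/stats/capture.rate
    packet_rate: float   # reading of /database/stats/packet.rate

def find_capture_stalls(samples, min_consecutive=3):
    """Return (start_ts, end_ts, stale_capture_rate) for each run of at least
    min_consecutive samples whose packet.rate is 0. capture.rate is never used
    for the decision because it keeps its last value while capture is blocked."""
    stalls, run = [], []
    for s in samples:
        if s.packet_rate == 0:
            run.append(s)
            continue
        if len(run) >= min_consecutive:
            stalls.append((run[0].ts, run[-1].ts, run[-1].capture_rate))
        run = []
    # A stall that is still ongoing at the last sample must be reported too.
    if len(run) >= min_consecutive:
        stalls.append((run[0].ts, run[-1].ts, run[-1].capture_rate))
    return stalls

# Constructed readings, one per minute: the link drops at t=180 and
# returns at t=420. capture.rate stays frozen at its last value meanwhile.
SAMPLES = [
    Sample(0, 812.0, 95100.0),
    Sample(60, 790.0, 92800.0),
    Sample(120, 805.0, 94300.0),
    Sample(180, 805.0, 0.0),
    Sample(240, 805.0, 0.0),
    Sample(300, 805.0, 0.0),
    Sample(360, 805.0, 0.0),
    Sample(420, 640.0, 75200.0),
    Sample(480, 655.0, 0.0),   # single zero reading: below threshold, ignored
    Sample(540, 660.0, 77900.0),
]

if __name__ == "__main__":
    for start, end, stale in find_capture_stalls(SAMPLES):
        print(f"no packets from {start}s to {end}s; capture.rate stuck at {stale}")
```

Requiring several consecutive zero readings keeps a single quiet sampling interval from raising an alert; tune `min_consecutive` to the polling interval in use.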