This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Knowledge Base
Find answers to your questions and identify resolutions for known issues with knowledge base articles written by NetWitness experts.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

The capture rate of RSA Security Analytics Decoder is stuck at the previous rate when the 10G NIC card stops receiving packets

Article Number

000001731

Applies To

RSA Product Set: Security Analytics
RSA Product/Service Type: Packet Decoder
RSA Version/Condition: 10.5.x, 10.6.x
Platform: CentOS
O/S Version: EL6

Issue

When a packet decoder with a 10G NIC capture interface starts to receive no packets due to shutting down the TAP/Switch port or removing the network cable, the decoder's stat still shows the previous capture rate instead of displaying the current capture rate of 0.
 

Cause

This issue is due to the way the pfring API was designed (part of the 10G card driver API).
If there are no packets coming in, the capture thread will block so the capture rate will stay the same.
 

Workaround

This issue should be resolved in Version 11.X of RSA NetWitness. Please update to this release to take advantage of this fix.

Notes

If you are unable to update at this time, the present workaround for the issue is to monitor /database/stats/packet.rate instead of /decoder/stats/capture.rate.
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2022-02-10 01:27 PM
Updated by:
Administrator Administrator

Related Content

© 2022 RSA Security LLC or its affiliates. All rights reserved.