Article Number
000001586
Applies To
RSA Product Set: Security Analytics, NetWitness Logs and Packets
RSA Product/Service Type: Packet Decoder
RSA Version/Condition: 10.6.2, 10.6.3, 10.6.4, 10.6.5, 11.x
Platform: CentOS
O/S Version: 6
Issue
After upgrading to RSA Security Analytics 10.6.2 / 11.x, the VLAN tags are no longer being captured.
Cause
Although the root cause has not yet been confirmed, it is suspected that the issue might be with the Linux kernel.
uname -r
2.6.32-642.6.2.el6.x86_64
rpm -qa | grep pfring
pfring-6.0.3-8598.2.6.32.642.6.2.el6.x86_64
The above issue applies only to Packet Decoders using 10G capture and the PFRING driver.
For reference on setting VLAN Fixup configurations (starting on v10.6.3) using packet_mmap capture, please refer to the below article in RSA Link:
https://community.rsa.com/docs/DOC-80858 - Decoder: (Optional) Preserve VLAN Tags When Using the Packet MMAP Capture Interface
NOTE: The VLAN Fixup settings apply only to mmap, not pfring.
Resolution
Workaround
The workaround is to set rxvlan off and rx-vlan-filter off on the affected interfaces using ethtool, as shown in the example below.
ethtool -K eth4 rxvlan off
ethtool -K eth5 rxvlan off
ethtool -K eth4 rx-vlan-filter off
ethtool -K eth5 rx-vlan-filter off
To make the changes persistent across reboots, add the lines below to /etc/sysconfig/network-scripts/ifcfg-<interface_name>:
DEVICE=<interface_name>
ONBOOT=yes
NM_CONTROLLED=no
ETHTOOL_OPTS="-K ${DEVICE} rxvlan off; -K ${DEVICE} rx-vlan-filter off"
NOTE: Ensure that the above lines are added once to the affected network interface's scripts after each upgrade/update.
To confirm the configuration changes persist after reboot:
ethtool -k <interface_name>|grep -i vlan
Sample output:
rx-vlan-offload: off
tx-vlan-offload: on
rx-vlan-filter: off
vlan-challenged: off [fixed]
tx-vlan-stag-hw-insert: off [fixed]
rx-vlan-stag-hw-parse: off [fixed]
rx-vlan-stag-filter: off [fixed]
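The verification step above can be scripted so that a reverted setting is caught after an upgrade or reboot. This is an added example, not part of the original article or RSA tooling; the function names check_vlan_features and check_ifcfg and the sample data are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not RSA code. Function names and sample data are assumptions.

# Reads `ethtool -k <iface>` output on stdin. Prints every workaround feature
# that is missing or not "off"; returns 0 only when both are off.
check_vlan_features() {
    awk '
        $1 == "rx-vlan-offload:" || $1 == "rx-vlan-filter:" {
            seen[$1] = 1
            if ($2 != "off") { print "NOT-OFF " $1 " " $2; bad = 1 }
        }
        END {
            if (!("rx-vlan-offload:" in seen)) { print "MISSING rx-vlan-offload:"; bad = 1 }
            if (!("rx-vlan-filter:" in seen))  { print "MISSING rx-vlan-filter:";  bad = 1 }
            exit bad + 0
        }'
}

# Returns 0 when the ifcfg file passed as $1 carries an ETHTOOL_OPTS line
# that turns off both features (the persistence step, redone after upgrades).
check_ifcfg() {
    grep -Eq '^ETHTOOL_OPTS=.*rxvlan off.*rx-vlan-filter off' "$1"
}

# Constructed sample: an interface where the settings were lost after an upgrade.
SAMPLE_REVERTED='rx-vlan-offload: on
tx-vlan-offload: on
rx-vlan-filter: on [fixed]
vlan-challenged: off [fixed]'

# Live use: ./check_vlan.sh eth4 eth5   (does nothing when no interface is given)
for ifc in "$@"; do
    if ethtool -k "$ifc" | check_vlan_features; then
        echo "$ifc: rx VLAN offload and filter are off"
    else
        echo "$ifc: workaround not in effect" >&2
    fi
    check_ifcfg "/etc/sysconfig/network-scripts/ifcfg-$ifc" ||
        echo "$ifc: ETHTOOL_OPTS missing from ifcfg file" >&2
done
```

Running it from a post-upgrade checklist or a scheduled job flags a decoder that has silently gone back to stripping VLAN tags before the gap shows up in captured sessions.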