Skip navigation
All Places > Products > RSA NetWitness Platform > RSA NetWitness Platform Online Documentation > Documents
Log in to create and rate content, and to follow, bookmark, and share content with other members.

Decoder: (Optional) Multiple Adapter Packet Capture

Document created by RSA Information Design and Development Employee on Sep 8, 2020Last modified by RSA Information Design and Development Employee on Nov 24, 2020
Version 4Show Document
  • View in full screen mode
 
 

Beginning with 11.5, the Network Decoder can capture from multiple interfaces simultaneously. This functionality allows Network Decoders to capture from multiple physical Network Interface Cards (NICs), or multiple ports on multiple interfaces, while leveraging the same network rules, application rules, and parsers for each NIC. The benefit of capturing from multiple physical NICs is that this method multi-threads the capture process for each adapter interface, which also multi-threads network rule evaluation.

For example, prior to 11.5, defining capture.interface=PFRINGZC, em3 along with capture.device.params=device=zc:em3,zc:em4 allocated a single thread for the Network Decoder to capture any traffic that came into either em3 or em4 interfaces. This also meant that all network rules were evaluated in a single thread.

However, in 11.5, configuring capture.interface=PFRINGZC,em3; PFRINGZC,em4 allocates two threads for the Network Decoder to capture the traffic collected on either em3 or em4, which provides more resources to the capture pipeline.

In this topic, the term "adapter" refers to a capture device within the Decoder. An adapter's name consists of the device (for example, the software API that the Decoder uses to interact with an adapter), and an interface (the physical device). A device can have multiple interfaces, and an interface can be compatible with multiple devices.

Configure Multiple Adapter Packet Capture

Note: Changes to capture device configuration do not take effect until service restart.

You can define multiple adapter packet capture for Decoders in the config setting /decoder/config/capture.selected. It accepts a semi-colon separated list of adapters, for example: bpf,en5 (bpf);null_device,Null Capture. This setting can be edited while capture is running, however, the changes do not take effect until the service has been restarted.

You can use the /decoder?msg=select command to select one or more adapters after capture has been stopped, for example: /decoder?msg=select&adapters=1,3,5

Note: As of 11.5, this configuration is not yet available in the decoder > config page. Use the decoder > explore page or the REST API. You can the Explore view by selecting a Decoder in the user interface and going to (actions)> View > Explore. You can access the REST API by opening a browser and specifying the IP address of the host, for example, https://<decoder-ip-address>:50106.

Per Interface Configuration

The /device/config/device.capture.params configuration is a global configuration setting, and is applied to every interface when capture is started.

There is also a configuration setting for individual interfaces, which is /decoder/devices/<devicename>/<interfacename>/config. Currently, the only option available in this configuration setting is capture.params. Any value in this setting will override the global configuration setting.

Stat Nodes

As with configuration, there are per-interface stats and aggregate stats (similar to the global configuration). When there is a single device configured, these stat nodes function as in previous versions. When there is more than one device configured, the stat settings /decoder/stats/capture.device and /decoder/stats/capture.interface read multi.

Per-Interface Stats

The stats for each interface can be found in: /decoder/devices/<devicename>/<interfacename>/stats

The captured stats are:

  • capture.avg.size
  • capture.dropped
  • capture.filtered
  • capture.header.bytes
  • capture.kept
  • capture.payload.bytes
  • capture.received
  • capture.total.bytes
  • pool.packet.captured

Aggregate Stats

The capture stats under /decoder/stats represent an aggregate of the individual interface stats.

In the following table, for example, capture.avg.size is the maximum average size among all the interfaces, where capture.dropped is the total captures that were dropped for all the interfaces.

                                             

capture.rate

SUM

capture.avg.size MAX
capture.dropped SUM
capture.filtered SUM
capture.header.bytes SUM
capture.kept SUM
capture.payload.bytes SUM
capture.received SUM
capture.total.bytes SUM
pool.packet.captured MIN

Import

PCAPs can be imported while capture is running. However, the sourcefile metadata will not be created for imported PCAPs when capture is running. If capture is stopped, the sourcefile metadata is created as in older versions. NWD files can be imported, but not while capture is running. If you attempt to import an NWD file while capture is running, the Decoder returns an error. An active import will block starting and stopping import and capture.

capture.port Meta Key

Each session is given a capture.port meta key which identifies the adapter from which the packets in the session were captured. This meta key can optionally be turned off with the /decoder/config/captureport.meta.enabled option. This meta key is on by default for Network Decoders, and is off by default for Log Decoders.

Note: If you turn the capture.port meta key off, you must perform a capture restart for the change to take affect since this is a configuration change.

Special Devices

The following device has special behavior:

nwimport: This device is not selectable but does have stat and config nodes. The config node for nwimport is ignored.

Packet arrived out of order Message

This message means that the Decoder is seeing old packets. This can be a side-effect of running import while capture is running. This message is usually suppressed at the beginning of import and then unsuppressed at the end. However, packets can still be in the state of being processed even after the upload of the imported file has completed. This means that this warning can be unsuppressed before the processing of the imported packets is completed, which results in displaying this message.

For information about updating Decoder configurations, see the RESTful API User Guide for RSA NetWitness Platform. For information about stopping and restarting capture, see Configure Capture Settings. Go to the Master Table of Contents to find all RSA NetWitness Platform 11.x documents.

You are here
Table of Contents > Configure Common Settings on a Decoder > Configure Capture Settings > (Optional) Multiple Adapter Packet  Capture

Attachments

    Outcomes