|Applies To||RSA Product Set: Security Analytics, NetWitness NextGen|
RSA Product/Service Type: Decoder
RSA Version/Condition: 10.3.x and below
|Tasks||How to configure an Intel 10 Gigabit capture card for use in an RSA Security Analytics or RSA NetWitness decoder.|
How do I configure my Intel 10 Gigabit capture card for use in a NetWitness Decoder?
This procedure is intended only for RSA NetWitness NextGen decoders and for RSA Security Analytics decoders at version 10.3.x and below.
For appliances running RSA Security Analytics version 10.4.x, refer to the procedure in the RSA Security Analytics v10.4 10G Decoder Installation Guide.
Follow the steps below to configure the capture card on the decoder appliance.
2. Within the Security Analytics UI or the NetWitness Administrator thick client, check the Capture Interface.
Alternatively, you can identify the capture interface by checking which interface shows the greatest amount of rx traffic, using the following command: ifconfig -a
The remainder of this article assumes that eth4 is the capture interface. If ifconfig -a shows that the capture interface is eth0, replace all following instances of eth4 & eth5 with eth0 & eth1.
4. Stop the Decoder service with one of the commands below, based on the CentOS version on the appliance.
5. Disable the ixgbe interfaces with the commands below, assuming they are eth4 and eth5. (This can be confirmed using the dmesg command.)
ifconfig eth4 down
(Note: Fiber cards from NetWitness use dual ports; they would use eth2 and eth3.)
6. Install the appropriate rpm package attached to this solution (found in the section below) with the following commands:
Run 'rpm -qa | grep ixgbe' to see if the ixgbe driver is installed.
If the rpm is not installed, the command to install is:
rpm -ivh ixgbe_3.12.6-1_kernel_2.6.32-220.17.1.el6.x86_64.rpm
rpm -Uvh ixgbe_3.12.6-1_kernel_2.6.32-220.17.1.el6.x86_64.rpm
7. Unload the default ixgbe driver with the following command: rmmod ixgbe
8. Load the new ixgbe driver with the following command: modprobe ixgbe
9. Increase the memory allocated to network receives with the following commands:
10. To permanently set RX ring size, you must add entries to the /etc/rc.local file as shown below. Again, this assumes that the ixgbe interfaces are eth4 and eth5:
11a. To avoid unforeseen issues with the new driver, it is recommended at this point that you completely shut down and power-cycle your Decoder to allow the new firmware provided by the driver to take effect.
shutdown -h now
11b. If you do not wish to power-cycle at this time, restart the network services:
service network restart
Perform Step 12 before performing the next step of restarting the decoder service.
Wait until the decoder service has fully initialized.
12. Using KB article Fragmented packets/frames are being merged prior to capture in RSA NetWitness Decoder and Hybrid appliances, disable generic-receive-offload (GRO) on the interface prior to calculating snaplen.
13. Using KB article How to set correct capture packet/frame size (snaplen) on RSA NetWitness decoders when data is missing from end of packets, configure the appropriate snapshot length (snaplen) of your Decoder, as by default it only uses a snaplen of 1500 bytes.
14. If you performed step 11b rather than step 11a (OS restart), you may need to reselect the capture interface in the decoder's configuration.
15. If, after starting the decoder service, significant drops begin to occur at the interface level, contact RSA Support for additional assistance. Some interface-level drops are normal at high traffic capture rates.
ifconfig -a (excerpt):
eth4 Link encap:Ethernet HWaddr XX:XX:XX:XX:XX:XX
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.
If your kernel version is different from those mentioned above, please select the appropriate driver from the list below.
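The checks behind steps 2 and 6, as an added shell example that is not part of the original article or any RSA tooling: it confirms that a driver package targets the running kernel before the stock module is unloaded, and picks the interface with the most received packets. It assumes the package file name encodes the kernel release as in step 6 and that ifconfig prints the CentOS 6 layout; the function names are hypothetical and the sample output is constructed.

```shell
#!/bin/sh
# Added example: pre-flight checks before swapping the ixgbe driver.

# Kernel release a driver package targets, taken from a file name shaped like
# the one in step 6: ixgbe_<version>_kernel_<release>.rpm (assumed convention).
rpm_kernel_release() {
    name=${1##*/}
    case $name in
        *_kernel_*.rpm) name=${name#*_kernel_}; printf '%s\n' "${name%.rpm}" ;;
        *) return 1 ;;
    esac
}

# Succeeds only when the package targets the given kernel (default: running).
driver_matches_kernel() {
    built_for=$(rpm_kernel_release "$1") || return 2
    [ "$built_for" = "${2:-$(uname -r)}" ]
}

# Interface with the most received packets, from `ifconfig -a` text on stdin
# (CentOS 6 layout). Loopback is skipped.
busiest_rx_iface() {
    awk '
        /Link encap:/ { iface = $1 }
        /RX packets:/ {
            split($2, f, ":")            # $2 looks like "packets:12345"
            if (iface != "lo" && f[2] + 0 > max) { max = f[2] + 0; best = iface }
        }
        END { if (best != "") print best }
    '
}

# Constructed sample output, not taken from a real appliance.
sample_ifconfig() {
    cat <<'EOF'
eth0      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
          RX packets:48211 errors:0 dropped:0 overruns:0 frame:0
eth4      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
          RX packets:918273645 errors:0 dropped:12 overruns:0 frame:0
lo        Link encap:Local Loopback
          RX packets:5000000000 errors:0 dropped:0 overruns:0 frame:0
EOF
}

echo "capture interface candidate: $(sample_ifconfig | busiest_rx_iface)"
```

On an appliance, pipe the real output through the same function (ifconfig -a | busiest_rx_iface) and run driver_matches_kernel with the package file name before step 7.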
|Legacy Article ID||a59787|