000026805 - How to configure an Intel 10 Gigabit capture card for use in an RSA Security Analytics or RSA NetWitness decoder

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000026805
Applies To: RSA Product Set: Security Analytics, NetWitness NextGen
RSA Product/Service Type: Decoder
RSA Version/Condition: 10.3.x and below
Platform: CentOS
Tasks: How to configure an Intel 10 Gigabit capture card for use in an RSA Security Analytics or RSA NetWitness decoder.

How do I configure my Intel 10 Gigabit capture card for use in a NetWitness Decoder?
This procedure is intended only for RSA NetWitness NextGen decoders and for RSA Security Analytics decoders at version 10.3.x and below.
For appliances running RSA Security Analytics version 10.4.x, refer to the procedure in the RSA Security Analytics v10.4 10G Decoder Installation Guide.

Follow the steps below to configure the capture card on the decoder appliance.
1.  Check the kernel version of your appliance with the uname -a command.  It should display the kernel version shown in the following example for your CentOS release, or a higher one:
CentOS 6:
[root@decoder ~]# uname -a
Linux decoder 2.6.32-220.17.1.el6.x86_64 #1 SMP Wed May 16 00:01:37 BST 2012 x86_64 x86_64 x86_64 GNU/Linux

CentOS 5:
[root@decoder ~]# uname -a
Linux decoder 2.6.18-274.3.1.el5 #1 SMP Tue Sep 6 20:13:52 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
If the version shown is below the version above, you must update the kernel first: for CentOS 5, use KB article How to perform a Kernel 2.6.18-274.3.1 upgrade for CentOS-based RSA NetWitness appliances; for CentOS 6, use KB article How to perform a CentOS 6 kernel upgrade to 2.6.32-358.18.1 and update network drivers.
For drivers matching newer kernel versions, see the list at the end of this article. If the driver version you need is not listed, contact RSA NetWitness Support for an updated driver.
Once you have confirmed that the kernel is now at the updated version by running uname -a again, you can proceed.


2.  Within the Security Analytics UI or the NetWitness Administrator thick client, check the Capture Interface.

Alternatively, you can identify the capturing interface by checking which interface shows the greatest amount of RX traffic in the output of the following command:  ifconfig -a

The remainder of this article assumes that eth4 is the capture interface. If ifconfig -a shows that the capture interface is eth0, replace all following instances of eth4 and eth5 with eth0 and eth1.

3.  Within the Security Analytics UI or the NetWitness Administrator thick client, stop capture on the decoder.

4.  Stop the Decoder service with one of the commands below, based on the CentOS version on the appliance.
CentOS 6:
stop nwdecoder

CentOS 5:
monit stop nwdecoder

5.  Disable the ixgbe interfaces with the commands below, assuming they are eth4 and eth5.  (Confirm the interface names with the dmesg command.)

ifconfig eth4 down

ifconfig eth5 down

   (Note:  Fiber cards supplied by NetWitness use dual ports; those would be eth2 and eth3.)


6.  Install the appropriate rpm package attached to this solution (listed at the end of this article) with the following commands:

First check whether an ixgbe driver package is already installed:  rpm -qa | grep ixgbe
If no ixgbe rpm is installed, the command to install is:

rpm -ivh ixgbe_3.12.6-1_kernel_2.6.32-220.17.1.el6.x86_64.rpm
OR to upgrade the driver (if an older ixgbe driver is already installed):

rpm -Uvh ixgbe_3.12.6-1_kernel_2.6.32-220.17.1.el6.x86_64.rpm


7.  Unload the default ixgbe driver with the following command:  rmmod ixgbe

8.  Load the new ixgbe driver with the following command:  modprobe ixgbe

9.  Increase the receive (RX) ring buffer size, i.e. the memory allocated to network receives, with the following commands:
ethtool -G eth4 rx 4096

ethtool -G eth5 rx 4096

10.  To permanently set RX ring size, you must add entries to the /etc/rc.local file as shown below.  Again, this assumes that the ixgbe interfaces are eth4 and eth5:
echo "/sbin/ethtool -G eth4 rx 4096" >> /etc/rc.local

echo "/sbin/ethtool -G eth5 rx 4096" >> /etc/rc.local


11a.  To avoid unforeseen issues with the new driver, it is recommended at this point that you completely shut down and power-cycle your Decoder so that the new firmware provided by the driver takes effect.

shutdown -h now




11b.  If you do not wish to power-cycle at this time, restart the network services instead:

service network restart

Perform step 12 before the next step, which restarts the decoder service:

CentOS 6:
start nwdecoder

CentOS 5:
monit start nwdecoder

Wait until decoder service has fully initialized.


12. Using KB article Fragmented packets/frames are being merged prior to capture in RSA NetWitness Decoder and Hybrid appliances, disable generic receive offload (GRO) on the capture interface before calculating the snaplen.


13. Using KB article How to set correct capture packet/frame size (snaplen) on RSA NetWitness decoders when data is missing from end of packets, configure the appropriate snapshot length (snaplen) for your Decoder, as by default it uses a snaplen of only 1500 bytes.

14. If you performed step 11b rather than step 11a (OS restart), you may need to reselect the capture interface in the decoder's configuration.


15.  If, after starting the decoder service, significant drops begin to occur at the interface level, contact RSA Support for additional assistance.  Some interface-level drops are normal at high traffic capture rates.

ifconfig -a (excerpt):

eth4      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
          RX packets:346809339389 errors:0 dropped:238389507 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:112735336786910 (102.5 TiB)  TX bytes:468 (468.0 b)
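As an added example (not part of the RSA article or of any RSA tool), the shell helpers below automate three of the checks in the procedure above: the step 1 kernel minimum, the step 2 heuristic of picking the interface with the most received traffic, and the step 15 drop-rate reading from ifconfig -a. The ifconfig sample is constructed for an offline run (the eth4 counters are those from the excerpt above; the management address and MAC addresses are made up), and the minimum kernel strings are the ones quoted in step 1.

```shell
#!/bin/sh
# Added example, not from the RSA article: helper checks for steps 1, 2 and 15
# of the 10G capture-card procedure. Everything marked "constructed" below is
# sample data for an offline run; on an appliance feed in `uname -r` and
# `ifconfig -a` instead.

# Minimum kernels quoted in step 1 of the article.
MIN_KERNEL_EL6="2.6.32-220.17.1.el6"
MIN_KERNEL_EL5="2.6.18-274.3.1.el5"

# Step 1: succeed (exit 0) when kernel $1 is at least minimum $2. Both strings
# are split on every non-digit run and compared field by field as numbers, so
# 2.6.32-358.18.1 ranks above 2.6.32-220.17.1 and plain string order is avoided.
kernel_meets_minimum() {
    awk -v have="$1" -v need="$2" 'BEGIN {
        n = split(have, a, "[^0-9]+"); m = split(need, b, "[^0-9]+")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            x = (i <= n) ? a[i] + 0 : 0
            y = (i <= m) ? b[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# Step 2: from `ifconfig -a` output on stdin, print the interface that has
# received the most packets, the article's heuristic for the capture interface.
busiest_rx_iface() {
    awk 'BEGIN { best = -1 }
        /^[A-Za-z0-9]+ +Link encap/ { iface = $1 }
        /RX packets:/ {
            split($2, f, ":")
            if (f[2] + 0 > best) { best = f[2] + 0; name = iface }
        }
        END { if (name != "") print name }'
}

# Step 15: percentage of received frames counted as dropped on interface $1,
# read from `ifconfig -a` output on stdin and printed with two decimals.
rx_drop_percent() {
    awk -v want="$1" '
        /^[A-Za-z0-9]+ +Link encap/ { iface = $1 }
        iface == want && /RX packets:/ {
            split($2, p, ":"); split($4, d, ":")
            pk = p[2] + 0; dr = d[2] + 0
            pct = (pk > 0) ? 100 * dr / pk : 0
            printf "%.2f\n", pct
            exit
        }'
}

# Constructed `ifconfig -a` sample: eth0 is a management port, eth4 carries the
# counters from the article's excerpt, eth5 is the idle second ixgbe port.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          RX packets:1204533 errors:0 dropped:0 overruns:0 frame:0
          TX packets:884210 errors:0 dropped:0 overruns:0 carrier:0

eth4      Link encap:Ethernet  HWaddr 00:00:00:00:00:04
          RX packets:346809339389 errors:0 dropped:238389507 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0

eth5      Link encap:Ethernet  HWaddr 00:00:00:00:00:05
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0'

# Demonstration on the constructed data (a kernel string stands in for `uname -r`).
if kernel_meets_minimum "2.6.32-358.18.1.el6.x86_64" "$MIN_KERNEL_EL6"; then
    echo "kernel meets the EL6 minimum; the attached ixgbe rpm can be installed"
else
    echo "kernel below the EL6 minimum; upgrade it first (step 1)"
fi
CAP=$(printf '%s\n' "$SAMPLE_IFCONFIG" | busiest_rx_iface)
DROP=$(printf '%s\n' "$SAMPLE_IFCONFIG" | rx_drop_percent "$CAP")
echo "capture interface: $CAP, RX drop rate: ${DROP}%"
```

On a live appliance, pipe the real output in (ifconfig -a | busiest_rx_iface) and pass "$(uname -r)" together with the minimum for the appliance's CentOS release to kernel_meets_minimum. The drop figure is only a snapshot of counters since the interface came up; comparing two readings a few minutes apart after the ring size change in step 9 shows whether drops are still accumulating.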


If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.


EL6: a59787ixgbe_3.12.6-1_kernel_2.6.32-220.17.1.el6.x86_64.rpm

EL5: a59787ixgbe_3.12.6-1_kernel_2.6.18-274.3.1.el5.x86_64.rpm


If your kernel version is different from those mentioned above, please select the appropriate driver from the list below.

EL6 -358-6:   a59787ixgbe-3.15.1-6_kernel_2.6.32-358.6.1.el6.x86_64.rpm

EL6 -358-11:  a59787ixgbe-3.15.1-11_kernel_2.6.32-358.11.1.el6.x86_64.rpm

EL6 -358-18:  a59787ixgbe-3.15.1-18_kernel_2.6.32-358.18.1.el6.x86_64.rpm

Legacy Article ID: a59787