on Jun 14, 2016Article Content
| Article Number | 000032950 |
| Applies To | RSA Product Set: Security Analytics RSA Product/Service Type: SA Core Appliance, SA Packet Decoder, SA Log Decoder RSA Version/Condition: 10.X |
| Issue | Decoder capture is not starting. By navigating to Decoder->System page, can see "initialization error". |
| Cause | Incorrect packet.dir value is one of the causes of initialization error which can be tracked as below. /var/log/messages: Apr 14 12:56:50 FDALADCNWSAD-IINET NwDecoder[31562]: [Engine] [failure] Module decoder failed to load: The directory '/var/netwitness/decoder/packetdb0/packetdb' does not exist Apr 14 12:56:50 FDALADCNWSAD-IINET NwDecoder[31562]: [Engine] [failure] Module decoder failed to load: Diagnostic information: Throw in function void nw::ObjectStoreDatabase<ObjectStoreT>::initDbStorageNl(const DbStorageLocations&) [with ObjectStoreT = nw::ObjectStoreIndex<nw::PacketData, nw::PacketManifest>; nw::DbStorageLoc |
| Resolution | Please follow the below steps to resolve the issue. A. If GUI Explore view accessible: 1. Login to GUI as administrator. 2. Navigate to Administration->Services->Decoder->View->Explore. 3. In the Explore view, Left-hand side, expand database->Config. Right-hand side, packet.dir value can be adjusted according to the customer set up. - In this particular issue, There will not exist 'packetdb' under /var/netwitness/decoder/packetdb0. Therefore the packet.dir must be modified. -Use the following as a guide (your scenario may be unique)  (change to)  4. Restart the service using restart nwdecoder to take the new values. B. If GUI Explore view is not accessible: 1. Login to Putty session of decoder. 2. Stop Decoder service using stop nwdecoder command. 3. Run cd /etc/netwitness/ng command to access decoder configuration file. 4. Modify NwDecoder.cfg file using vi editor to adjust packet.dir value. 5. Start decoder service using start nwdecoder command. |