000032351 - Unable to initialize capture with a new 10g card on an RSA Security Analytics Decoder

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on Sep 16, 2020
Version 4Show Document
  • View in full screen mode

Article Content

Article Number000032351
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: Decoder
RSA Version/Condition: 10.6.x, 11.4.x
Platform: CentOS
O/S Version: EL6
IssueA 10g fiber card has just been added to a Security Analytics decoder.  When attempting to capture on the decoder, the following error is observed in /var/log messages, and capture will not start:

[PFRing] [failure] Failed to create cluster [PFRing] [failure] Throw in function virtual void nw::
{anonymous}::CaptureDevicePFRINGZC::open(size_t, nw::uint32, const string&)Dynamic exception type:
boost::exception_details:clone_implstd::exception::what: Failed to create cluster105,
No buffer space available” [boost::errinfo_at_line_*]=322



This occurs even after confirming that the card is present using the lspci command, and that cards are present under the pf_ring driver with the lsmod command.

The pf_ring driver shows in lsmod, and a tcpdump shows traffic.
CauseThe issue occurs because the pf_ring driver RPM was installed out of order with a BIOS or other OS update.
ResolutionTo resolve the issue, follow the steps below.

yum install pfring

  1. Connect to the Decoder appliance via SSH as the root user.
  2. Uninstall the pf_ring driver.
  3. RSA Security Analytics 10.6.x:

    rpm -e pfring

    RSA NetWitness 11.4.x:

    rpm -e pfring-dkms

  4. Remove the /etc/pf_ring directory (if it still exists) 
  5. Reboot the Decoder appliance.


  6. Re-install the pf_ring driver. RSA Security Analytics 10.6.x

    yum install pfring

    RSA NetWitness 11.4.x:

    yum install pfring-dkms

  7. Reboot the appliance again.
  8. From the Security Analytics UI, perform the following sequence:
    1. From the Decoder's Explore view, right-click decoder and select Properties.
    2. In the properties drop-down menu, select reconfig,
    3. Enter the following parameters:

      update=1 op=10g

    4. Click the Send button.
  9. Restart the nwdecoder service from the command-line. RSA Security Analytics 10.6.x

    restart nwdecoder

    RSA NetWitness 11.4.x

    systemctl restart nwdecoder

If you are unsure of any of the steps above or experience any issues, contact RSA Customer Support and quote this article number for further assistance.