Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000029189 - Error message "Event contains a number of packets greater than 100, unable to reconstruct the event" in RSA Security Analytics

Document created by RSA Customer Support

on Jun 14, 2016•Last modified by RSA Customer Support

on Apr 21, 2017

Version 2Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000029189
Applies To	RSA Product Set: Security Analytics RSA Product/Service Type: Security Analytics UI
Issue	When trying to reconstruct a session of greater than 100 packets in the Investigation module, an error similar to the following is displayed: This event contains <a number of packets greater than 100>. In order to reconstruct the event the number of packets processed is being limited to 100.
Cause	Packets are set to 100 by default in the UI in Reconstruction Settings. Both the number of packets and the size of the packets in Investigator reconstruction may be increased, but should be done sparingly, as increasing this parameter may have adverse performance implications (as noted in the UI for the setting).
Resolution	To make the change, follow the steps below. Log into the Security Analytics UI as an administrative user. Click on Administration > System, then select Investigation from the left hand navigation panel. In the middle pane, locate Reconstruction Settings. Notice Max Packets is set to 100. Change the Max Packets to the desired value. Click Apply.

Attachments

Outcomes

0 Comments

Recommended Content