000017727 - RSA Security Analytics 10.3 SP3 packet decoder drops packets when database hashing is enabled

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000017727
Applies To: RSA Security Analytics
RSA Security Analytics 10.3.3
RSA Security Analytics Decoder
Issue: RSA Security Analytics 10.3 SP3 packet decoder drops packets when database hashing is enabled.

After upgrading to RSA Security Analytics 10.3 SP3, the decoder begins dropping packets.

On the Stats page of the decoder service, Total Dropped is increasing and the current loss is greater than 0%.

Packet drops can also be monitored in the decoder service's Explore mode.

In the Explore view for the decoder service, navigate to /decoder/stats.

  • capture.dropped is increasing [full path: /decoder/stats/capture.dropped]
  • capture.dropped.percent is > 0 [full path: /decoder/stats/capture.dropped.percent]
Cause: There are many possible causes.

In Security Analytics 10.3 SP3, if database hashing is enabled, a bug causes integrity.flush to reset to the value sync every time the service restarts.
This is resolved in Security Analytics 10.3 SP4.

Confirming database hashing is enabled:
In the Explore view for the decoder service, navigate to /database/config/.
If hash.algorithm is none, the service is not hashing the database [full path: /database/config/hash.algorithm]
If hash.algorithm is md5 then database hashing is enabled.

Confirming that packet drops are due to the integrity.flush setting:
To see whether drops continue to occur, temporarily change the value of integrity.flush and restart packet capture (without restarting the service):
In the Explore view for the decoder service, navigate to /database/config/
If integrity.flush is sync, change it back to normal:

/database/config/integrity.flush=sync
becomes
/database/config/integrity.flush=normal
Resolution: To resolve the issue, either upgrade to Security Analytics 10.3 SP4 or disable database hashing if it is not absolutely necessary.

Disabling database hashing:
In Explore mode, set /database/config/hash.algorithm to none.
Legacy Article ID: a67208