000032773 - The capture rate of RSA Security Analytics Decoder is stuck at the previous rate when the 10G NIC card stops receiving packets

Document created by RSA Customer Support Employee on Jun 30, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000032773
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: Packet Decoder
RSA Version/Condition: 10.5.x, 10.6.x
Platform: CentOS
O/S Version: EL6
IssueWhen a packet decoder with a 10G NIC capture interface starts to receive no packets due to shutting down the TAP/Switch port or removing the network cable, the decoder's stat still shows the previous capture rate instead of displaying the current capture rate of 0.
 
CauseThis issue is due to the way the pfring API was designed (part of the 10G card driver API).
If there are no packets coming in, the capture thread will block so the capture rate will stay same.
 
WorkaroundThis issue is being investigated by the Engineering team in order to provide a permanent resolution in a future release.
However, there is currently no ETA for the fix as it requires the vendor to update their driver API.
NotesA workaround for the issue is to monitor /database/stats/packet.rate instead of /decoder/stats/capture.rate.

Attachments

    Outcomes