000032773 - The capture rate of RSA Security Analytics Decoder is stuck at the previous rate when the 10G NIC card stops receiving packets

Document created by RSA Customer Support Employee on Jun 30, 2016Last modified by RSA Customer Support on May 7, 2019
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000032773
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: Packet Decoder
RSA Version/Condition: 10.5.x, 10.6.x
Platform: CentOS
O/S Version: EL6
IssueWhen a packet decoder with a 10G NIC capture interface starts to receive no packets due to shutting down the TAP/Switch port or removing the network cable, the decoder's stat still shows the previous capture rate instead of displaying the current capture rate of 0.
CauseThis issue is due to the way the pfring API was designed (part of the 10G card driver API).
If there are no packets coming in, the capture thread will block so the capture rate will stay the same.
WorkaroundThis issue should be resolved in Version 11.X of RSA NetWitness. Please update to this release to take advantage of this fix.
NotesIf you are unable to update at this time, the present workaround for the issue is to monitor /database/stats/packet.rate instead of /decoder/stats/capture.rate.