|Applies To||RSA Product Set: Security Analytics|
RSA Product/Service Type: Packet Decoder
RSA Version/Condition: 10.5.x, 10.6.x
O/S Version: EL6
|Issue||When a packet decoder with a 10G NIC capture interface starts to receive no packets due to shutting down the TAP/Switch port or removing the network cable, the decoder's stat still shows the previous capture rate instead of displaying the current capture rate of 0.|
|Cause||This issue is due to the way the pfring API was designed (part of the 10G card driver API).|
If there are no packets coming in, the capture thread will block so the capture rate will stay same.
|Workaround||This issue is being investigated by the Engineering team in order to provide a permanent resolution in a future release.|
However, there is currently no ETA for the fix as it requires the vendor to update their driver API.
|Notes||A workaround for the issue is to monitor /database/stats/packet.rate instead of /decoder/stats/capture.rate.|