000026720 - How to set correct capture packet/frame size (snaplen) on RSA NetWitness decoders when data is missing from end of packets

Document created by RSA Customer Support Employee on Aug 17, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017. Version 4.

Article Content

Article Number: 000026720
Applies To: RSA Product Set: Security Analytics, NetWitness
RSA Product/Service Type: Decoder
RSA Version/Condition: 9.6.x and above
Issue: How to set the correct capture packet/frame size (snaplen) on RSA NetWitness decoders when data is missing from the end of packets.
How to fix the snaplen on a Security Analytics Decoder appliance when captured traffic appears to be missing a certain number of bytes at the end of captured packets.
Resolution
SOLUTION 1:
1.  Determine the correct snaplen for your capture interfaces using this one-liner command.  Each time tcpdump reports a frame larger than any seen so far, the command prints the new maximum, so the numbers printed increase from smallest to largest.  Allow it to run for several minutes before stopping it with CTRL-C.  The last number printed is the largest frame size seen by the network interface.  Substitute the correct interface number for X.  (The -l switch makes tcpdump line-buffer its output into the pipe, so each new maximum appears as soon as it is seen; the "length <n>:" field that the perl expression reads is the link-layer frame length, which tcpdump prints only when -e is given.)
tcpdump -l -enni ethX | perl -n -e '$maxlen=0 if ! defined $maxlen; next unless s/length (\d+)\://; my $len=$1; if ($len > $maxlen) {$maxlen=$len; print "$maxlen\n";}'
2.  Follow all steps after step 2 from Solution 2, below.


SOLUTION 2:

1.  Determine the correct snaplen for your capture interfaces using the nwsnaplen.pl utility attached to this solution.  Copy the file to your appliance and make it executable with chmod +x nwsnaplen.pl

Usage: ./nwsnaplen.pl [OPTIONS]
Utility to calculate correct snaplen for traffic being captured.  'tcpdump' must be installed.
   -i <interface> - Mandatory switch to specify which interface to capture from. Use this command to determine the capture interface: watch -d 'netstat -in'
   -l <limit>     - Optional limit for framesize.  Default is no limit.  This in effect adds 'and len <= <limit>' to the end of the libpcap filter.  Useful for finding frame sizes smaller than the largest frame on your network
   -s <size>      - Optional framesize to start with.  Default is 1500
   -t <time>      - Optional time (in seconds) to wait for a larger frame size.  Once exceeded, the script will complete.  Default is 30 seconds
Output will look like this:


# ./nwsnaplen.pl -i eth1 -t 60
RSA NetWitness snaplen utility
Version 2012.03.01

Running with time limit of 60 seconds of no received traffic per iteration
Trying 1500 bytes
Trying 1501 bytes
Trying 1502 bytes
Trying 1503 bytes
Trying 1504 bytes
Trying 1505 bytes
Trying 1506 bytes
Trying 1507 bytes
Trying 1508 bytes
Trying 1509 bytes
Trying 1510 bytes
Trying 1511 bytes
Trying 1512 bytes
Trying 1513 bytes
Trying 1514 bytes
snaplen=1514
2.  Connect to your Decoder service in NetWitness Administrator.  If you are using SA, from the GUI click Administration > Services.
3.  Right-click on the Decoder and select Explorer.  For SA users, after you click the Decoder's Actions column entry, select View > Explorer.
4.  Navigate to /decoder/config/
5.  Type snaplen=1514 in the capture.device.params parameter field, where 1514 is the number produced by the script.  (Note: you cannot just type a bare number such as 1514 in that field; the snaplen= prefix is required.)
IMPORTANT NOTE:  The higher the snaplen value, the higher the potential for performance impact on your Decoder.  Consider this when setting a high snaplen value, for example with jumbo frames.  To put it another way, if a large snaplen causes a significant increase in Decoder packet drops, it may be preferable to set the snaplen lower than the largest frame size on your network when the majority of traffic does not use large frames.  To find a value lower than your largest frame size, use the -l command line parameter of nwsnaplen.pl (described above).
6.  Navigate to the console tab of your Decoder in Administrator and enter the following command:
/sys save
For SA users, a service restart will be required for the change to take effect, so just continue to the next step.

7.  Stop capture.
8.  Restart the Decoder service.
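As an added illustration, not part of the original article and not the nwsnaplen.pl utility, the Python below does offline what the Solution 1 one-liner does on a live interface: it reads tcpdump -e output, which reports the link-layer frame length as "length <n>:", and tracks the running maximum. It then covers the trade-off described in the IMPORTANT NOTE under step 5 by reporting, for a few candidate snaplen values, how many frames would be cut short and how many bytes would be lost from their ends. The sample tcpdump lines and the function names are constructed for this example.

```python
import re

# tcpdump run with -e prints the link-layer frame length as "length <n>:"
# (the trailing "length <n>" without a colon on TCP lines is payload length).
LENGTH_RE = re.compile(r"\blength (\d+):")

# Constructed sample of "tcpdump -enni ethX" output; not a real capture.
SAMPLE_TCPDUMP_OUTPUT = """\
12:00:00.000001 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 74: 10.0.0.1.51000 > 10.0.0.2.80: Flags [S], seq 1, win 64240, length 0
12:00:00.000002 66:77:88:99:aa:bb > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 66: 10.0.0.2.80 > 10.0.0.1.51000: Flags [.], ack 1, win 65535, length 0
12:00:00.000003 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 1514: 10.0.0.1.51000 > 10.0.0.2.80: Flags [.], seq 1:1449, ack 1, win 64240, length 1448
12:00:00.000004 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 1514: 10.0.0.1.51000 > 10.0.0.2.80: Flags [.], seq 1449:2897, ack 1, win 64240, length 1448
12:00:00.000005 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype 802.1Q (0x8100), length 1518: vlan 10, p 0, ethertype IPv4, 10.0.0.1.51000 > 10.0.0.3.80: Flags [.], seq 1:1449, ack 1, win 64240, length 1448
12:00:00.000006 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 9014: 10.0.0.1.51001 > 10.0.0.4.2049: Flags [.], seq 1:8949, ack 1, win 64240, length 8948
12:00:00.000007 66:77:88:99:aa:bb > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 66: 10.0.0.2.80 > 10.0.0.1.51000: Flags [.], ack 2897, win 65535, length 0
"""


def frame_lengths(lines):
    """Yield the link-layer frame length of every tcpdump -e line that carries one."""
    for line in lines:
        match = LENGTH_RE.search(line)
        if match:
            yield int(match.group(1))


def running_maxima(lines):
    """The values the Solution 1 one-liner would print: each new maximum, in order."""
    maxima, current = [], 0
    for length in frame_lengths(lines):
        if length > current:
            current = length
            maxima.append(length)
    return maxima


def largest_frame(lines):
    """The last number the one-liner prints: the largest frame seen (0 if none)."""
    return max(frame_lengths(lines), default=0)


def truncation_report(lengths, candidates):
    """For each candidate snaplen, how many frames would be truncated, what share of
    all frames that is, and how many bytes would be lost from the ends of those frames.
    This quantifies the trade-off of choosing a snaplen below the largest frame size."""
    lengths = list(lengths)
    total = len(lengths)
    report = {}
    for snap in candidates:
        truncated = [n for n in lengths if n > snap]
        report[snap] = {
            "frames_truncated": len(truncated),
            "fraction_truncated": len(truncated) / total if total else 0.0,
            "bytes_lost": sum(n - snap for n in truncated),
        }
    return report


if __name__ == "__main__":
    lines = SAMPLE_TCPDUMP_OUTPUT.splitlines()
    print("running maxima:", running_maxima(lines))
    print("largest frame :", largest_frame(lines))
    for snap, row in truncation_report(frame_lengths(lines), [1514, 1518, 9014]).items():
        print(f"snaplen={snap}: {row['frames_truncated']} frames truncated "
              f"({row['fraction_truncated']:.0%}), {row['bytes_lost']} bytes lost")
```

To use it against a real interface, save a few minutes of "tcpdump -enni ethX" output to a file and pass its lines to largest_frame() and truncation_report(); the report for candidate values below the largest frame is the same information nwsnaplen.pl's -l switch helps you find, but computed from one capture rather than repeated runs.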
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.
Notes: Please also refer to "Fragmented packets/frames are being merged prior to capture in RSA NetWitness Decoder and Hybrid appliances" for additional information on how to check and disable Generic Receive Offload (GRO) in your NIC driver in order to reduce the snaplen value.
Legacy Article ID: a59779