000035134 - VLAN ID is not being populated on the Packet Decoder after upgrading to RSA Security Analytics 10.6.2

Document created by RSA Customer Support Employee on May 12, 2017
Version 1

Article Content

Article Number: 000035134
Applies To: RSA Product Set: Security Analytics, NetWitness Logs and Packets
RSA Product/Service Type: Packet Decoder
RSA Version/Condition: 10.6.2, 10.6.3, 10.6.4
Platform: CentOS
O/S Version: 6
Issue: After upgrading to RSA Security Analytics 10.6.2, the VLAN tags are no longer being captured.
Cause: Although the root cause has not yet been confirmed, it is suspected that the issue might be with the Linux kernel. The running kernel release and the installed pfring packages can be checked with:
uname -r
rpm -qa | grep pfring

Workaround: The workaround is to set rxvlan off on the affected interfaces using ethtool, as shown in the example below.
ethtool -K eth4 rxvlan off
ethtool -K eth5 rxvlan off
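
To confirm the offload state before and after the change, the following added example (not part of the RSA article) parses `ethtool -k` output and runs the article's `ethtool -K <iface> rxvlan off` command only on interfaces where RX VLAN offload is still on. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: report and disable RX VLAN offload on capture interfaces.

# Constructed samples of trimmed `ethtool -k` output, for offline checks.
SAMPLE_ON='Features for eth4:
rx-checksumming: on
rx-vlan-offload: on
tx-vlan-offload: on'
SAMPLE_FIXED='Features for eth5:
rx-vlan-offload: on [fixed]
tx-vlan-offload: on'

# Read `ethtool -k` output on stdin; print on, off, fixed or unknown.
# "fixed" means the driver reports the feature as on and not changeable.
rxvlan_state() {
    awk '/^[ \t]*rx-vlan-offload:/ {
             s = $2
             if (s == "on" && $0 ~ /\[fixed\]/) s = "fixed"
         }
         END { print (s == "" ? "unknown" : s) }'
}

# Apply the workaround to each named interface and verify the result.
disable_rxvlan() {
    rc=0
    for ifc in "$@"; do
        case "$(ethtool -k "$ifc" | rxvlan_state)" in
            off)   echo "$ifc: rxvlan already off" ;;
            fixed) echo "$ifc: rxvlan is fixed on by the driver" >&2; rc=1 ;;
            on)    ethtool -K "$ifc" rxvlan off
                   if [ "$(ethtool -k "$ifc" | rxvlan_state)" = off ]; then
                       echo "$ifc: rxvlan now off"
                   else
                       echo "$ifc: rxvlan still on" >&2; rc=1
                   fi ;;
            *)     echo "$ifc: could not read offload state" >&2; rc=1 ;;
        esac
    done
    return "$rc"
}

# Usage (as root on the Packet Decoder): sh rxvlan.sh eth4 eth5
if [ "$#" -gt 0 ]; then
    disable_rxvlan "$@"
else
    # No interfaces given: parse the constructed samples instead.
    printf '%s\n' "$SAMPLE_ON" | rxvlan_state
    printf '%s\n' "$SAMPLE_FIXED" | rxvlan_state
fi
```

Settings made with `ethtool -K` do not survive a reboot or driver reload, so re-run the check after either.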