Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000035134 - VLAN ID is not being populated on the Packet Decoder after upgrade or updates to RSA NetWitness

Document created by RSA Customer Support

on May 12, 2017•Last modified by RSA Customer Support on Aug 24, 2018

Version 2Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000035134
Applies To	RSA Product Set: Security Analytics, NetWitness Logs and Packets RSA Product/Service Type: Packet Decoder RSA Version/Condition: 10.6.2, 10.6.3, 10.6.4, 10.6.5, 11.x Platform: CentOS O/S Version: 6
Issue	After upgrading to RSA Security Analytics 10.6.2 / 11.x, the VLAN tags are no longer being captured.
Cause	Although the root cause has not yet been confirmed, it is suspected that the issue might be with the linux kernel. uname -r 2.6.32-642.6.2.el6.x86_64 rpm -qa \| grep pfring pfring-6.0.3-8598.2.6.32.642.6.2.el6.x86_64 Above issue is only for Packet Decoders using 10G capture and PFRING driver. For reference on setting VLAN Fixup configurations (starting on v10.6.3) using packet_mmap capture, please refer to the below article in RSA Link: https://community.rsa.com/docs/DOC-80858 - Decoder: (Optional) Preserve VLAN Tags When Using the Packet MMAP Capture Interface NOTE: VLAN Fixup settings is only for mmap, not pfring.
Resolution
Workaround	The workaround is to set rxvlan off and rx-vlan-filter off on the affected interfaces using ethtool as shown in the example below. ethtool -K eth4 rxvlan off ethtool -K eth5 rxvlan off ethtool -K eth4 rx-vlan-filter off ethtool -K eth5 rx-vlan-filter off To make the changes permanent and persistent upon reboots, add the below lines in the /etc/sysconfig/network-scripts/ifcfg-<interface_name>: DEVICE=<interface_name> ONBOOT=yes NM_CONTROLLED=no ETHTOOL_OPTS="-K${DEVICE}rxvlan off;-K${DEVICE}rx-vlan-filter off" NOTE: Must ensure that above lines are added once in the affected network interface\s scripts after each upgrade/update To confirm the configuration changes persist after reboot: ethtool -k <interface_name>\|grep -i vlan Sample output: rx-vlan-offload: off tx-vlan-offload: on rx-vlan-filter: off vlan-challenged: off [fixed] tx-vlan-stag-hw-insert: off [fixed] rx-vlan-stag-hw-parse: off [fixed] rx-vlan-stag-filter: off [fixed]

Attachments

Outcomes

0 Comments