000035134 - VLAN ID is not being populated on the Packet Decoder after upgrade or updates to RSA NetWitness

Document created by RSA Customer Support Employee on May 12, 2017
Last modified by RSA Customer Support on Aug 24, 2018
Version 2

Article Content

Article Number: 000035134

Applies To:
RSA Product Set: Security Analytics, NetWitness Logs and Packets
RSA Product/Service Type: Packet Decoder
RSA Version/Condition: 10.6.2, 10.6.3, 10.6.4, 10.6.5, 11.x
Platform: CentOS
O/S Version: 6

Issue:
After upgrading to RSA Security Analytics 10.6.2 / 11.x, the VLAN tags are no longer being captured.

Cause:
Although the root cause has not yet been confirmed, it is suspected that the issue might be with the Linux kernel. The running kernel version and the installed pfring packages can be checked with:

uname -r

rpm -qa | grep pfring

The above issue only affects Packet Decoders using 10G capture and the PFRING driver.

For reference on setting VLAN Fixup configurations (starting on v10.6.3) using packet_mmap capture, please refer to the below article in RSA Link:

https://community.rsa.com/docs/DOC-80858  -  Decoder: (Optional) Preserve VLAN Tags When Using the Packet MMAP Capture Interface

NOTE: VLAN Fixup settings apply only to mmap, not pfring.


Workaround:
The workaround is to set rxvlan off and rx-vlan-filter off on the affected interfaces using ethtool, as shown in the example below.

ethtool -K eth4 rxvlan off
ethtool -K eth5 rxvlan off
ethtool -K eth4 rx-vlan-filter off
ethtool -K eth5 rx-vlan-filter off

To make the changes persist across reboots, add the line below to /etc/sysconfig/network-scripts/ifcfg-<interface_name>:

ETHTOOL_OPTS="-K ${DEVICE} rxvlan off; -K ${DEVICE} rx-vlan-filter off"

NOTE: Ensure that the above line is added once in each affected network interface's script after each upgrade/update.

To confirm the configuration changes persist after reboot:

ethtool -k <interface_name>|grep -i vlan

Sample output:
rx-vlan-offload: off
tx-vlan-offload: on
rx-vlan-filter: off
vlan-challenged: off [fixed]
tx-vlan-stag-hw-insert: off [fixed]
rx-vlan-stag-hw-parse: off [fixed]
rx-vlan-stag-filter: off [fixed]
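
Added example, not part of the original RSA article: a post-upgrade check that parses the `ethtool -k` output shown above and confirms the ifcfg file carries the ETHTOOL_OPTS line exactly once. The function names and the script name check_vlan.sh are assumptions.

```shell
#!/bin/sh
# Added example (not RSA tooling); function names are assumptions.

# Reads `ethtool -k <interface_name>` output on stdin. Succeeds only when both
# features the workaround turns off are reported as off.
vlan_offload_disabled() {
    awk -F': *' '
        $1 ~ /^[ \t]*rx-vlan-offload$/ { offload = $2 }
        $1 ~ /^[ \t]*rx-vlan-filter$/  { filter  = $2 }
        END { exit !(offload ~ /^off/ && filter ~ /^off/) }
    '
}

# Classifies an ifcfg-<interface_name> file as missing, duplicate, malformed or ok.
ifcfg_opts_state() {
    [ -r "$1" ] || { echo missing; return 0; }
    n=$(grep -c '^[[:space:]]*ETHTOOL_OPTS=' "$1" || true)
    case "$n" in
        0) echo missing; return 0 ;;
        1) ;;
        *) echo duplicate; return 0 ;;
    esac
    line=$(grep '^[[:space:]]*ETHTOOL_OPTS=' "$1")
    # Each feature name has to be its own space-separated ethtool argument.
    case "$line" in
        *" rxvlan off"*" rx-vlan-filter off"*) echo ok ;;
        *" rx-vlan-filter off"*" rxvlan off"*) echo ok ;;
        *) echo malformed ;;
    esac
}

# Stand-alone use on a decoder: sh check_vlan.sh eth4 eth5
for dev in "$@"; do
    if ethtool -k "$dev" | vlan_offload_disabled; then live=off; else live=ON; fi
    cfg=$(ifcfg_opts_state "/etc/sysconfig/network-scripts/ifcfg-$dev")
    echo "$dev: rx VLAN offload/filter $live, ifcfg ETHTOOL_OPTS $cfg"
done
```

Running it after every upgrade or update flags an interface where the setting was lost, so a gap in VLAN metadata is noticed before it affects investigations.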