
Decoder: Start and Stop Data Capture

Document created by RSA Information Design and Development Employee on Sep 13, 2017. Last modified by RSA Information Design and Development Employee on Jan 6, 2021.
Version 26

When a Decoder starts up, it automatically begins aggregating data if Capture Autostart is enabled. When autostart is not enabled, you can start and stop data capture manually.

Note: The Capture Configuration Settings in the Service Config view for a Decoder determine whether Capture Autostart is enabled.

The following figure illustrates commonly used settings on a Decoder. For a quick basic setup with only the required steps, see Decoder and Log Decoder Quick Setup. You may want to stop and start capture at other times, for example, before you shut down the service.

Decoder configuration workflow, with Start and Stop Capture highlighted

To start and stop capture:

  1. Go to (Admin) > Services.
  2. Select a Decoder or Log Decoder service, and select Actions menu > View > System.
  3. In the toolbar, click Start Capture.

    If the service is a Decoder, it begins capturing packets. If the service is a Log Decoder, it begins capturing logs.

    When packet or log capture is in progress, the option in the toolbar changes to Stop Capture, and the option to upload a file is unavailable.

  4. Whenever you want to discontinue traffic capture on a Decoder, click Stop Capture.

    Packet or log capture ceases, and the option to upload a file to the service is again available.

Note: When you stop the Log Decoder service while capture is running, all events currently in Log Decoder memory are processed and persisted. If an issue arises that requires you to shut down the service quickly, use the Services Explore view to stop capture (/decoder stop), passing the parameter flush=false, before stopping the Log Decoder service. For further information, see "Services Explore View" in the Host and Services Getting Started Guide.

Note: If you are using an upstream solution (for example, Ixia) that determines when to send traffic to the Network Decoder based on the state of the capture interface, any traffic sent to the Network Decoder while packet capture is turned off is lost. To prevent this, SSH into the Network Decoder host, manually stop capture, and bring the network interface down by issuing an ifdown command before performing an upgrade or other maintenance that impacts capture on that Network Decoder. An alternative to this manual process is to configure a third-party monitoring tool to watch the Decoder health and have it communicate with the upstream solution (for example, Ixia) to alter the stream of packets based on a negative change in the health of the Decoder. Refer to your upstream solution provider's documentation to confirm whether this option is available and for the configuration steps.
