Hi, I am getting some incomplete sessions sent to our packet decoders by our taps, but I don't know how big the issue is.
There are no packet drop messages being recorded in /var/log/messages on the decoder, so I suspect that the network taps are not forwarding us all the packets. Alternatively it could be that the network taps themselves are not seeing all the packets.
Is there any way to detect missing packets in a session with NetWitness?
I'm not aware of any method for using NetWitness directly to detect packet loss, but it might be worth running Wireshark before the TAP, even just a Raspberry Pi or a laptop, to grab a packet stream and compare the results. That should rule out whether it's the TAP or a problem further down the line.
Having that capability and solution available can be useful in IR also as you can quickly deploy a pcap solution ad-hoc to support investigations such as this.
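One way to size the problem from a capture taken at either point, as an added example that is not part of the original replies: find TCP sequence gaps per direction and flag those the receiver still acknowledged, which means the bytes crossed the network but never reached the capture. The `(src, dst, seq, payload_len, ack)` tuple layout and the sample session are assumptions constructed for illustration; in practice the tuples would be exported from a pcap.

```python
from collections import defaultdict

def capture_gaps(segments):
    """Find payload byte ranges missing from a capture of TCP traffic.

    segments: iterable of (src, dst, seq, payload_len, ack), one per packet.
    Returns {(src, dst): [(gap_start, gap_end, acked_by_peer), ...]}.
    acked_by_peer=True: the receiver acknowledged bytes the capture never
    saw, so the loss is in the capture path (tap/decoder), not the network.
    Assumes no 32-bit sequence wraparound within the session.
    """
    ranges = defaultdict(list)      # direction -> [(start, end)] of payload
    highest_ack = defaultdict(int)  # direction -> highest ack it has sent
    for src, dst, seq, length, ack in segments:
        highest_ack[(src, dst)] = max(highest_ack[(src, dst)], ack)
        if length > 0:
            ranges[(src, dst)].append((seq, seq + length))

    gaps = {}
    for (src, dst), spans in ranges.items():
        spans.sort()
        peer_ack = highest_ack[(dst, src)]
        covered_to = spans[0][0]
        found = []
        for start, end in spans:
            if start > covered_to:  # hole between covered data and this segment
                found.append((covered_to, start, peer_ack >= start))
            covered_to = max(covered_to, end)  # tolerates retransmits/overlap
        if found:
            gaps[(src, dst)] = found
    return gaps

# Constructed sample session (not from a real capture): the client sends
# four 1000-byte segments, the one at seq 2000 is absent from the capture,
# yet the server's final ACK covers all the data.
C, S = "10.0.0.5:50000", "10.0.0.9:443"
SAMPLE = [
    (C, S, 1000, 1000, 1),
    (S, C, 1, 0, 2000),
    (C, S, 3000, 1000, 1),
    (C, S, 4000, 1000, 1),
    (S, C, 1, 0, 5000),
]

if __name__ == "__main__":
    for direction, found in capture_gaps(SAMPLE).items():
        print(direction, found)
```

Running the same check on a capture taken before the TAP and on the decoder's copy shows where the gaps first appear.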