Hi i am getting some incomplete sessions sent to our packet decoders by our taps but I don't know how big the issue is.
There are no packet drop messages being recorded in /var/log/messages on the decoder, so I suspect that the network taps are not forwarding us all the packets. Alternatively it could be that the network taps themselves are not seeing all the packets.
Is there anyway to detect missing packets in a session with Newitness?
How are you discovering/determining the incomplete sessions at the moment? Is session reconstruction failing?
The only idea that comes to mind is to show the session reconstruction log and compare what it says should be the total packet count vs. what show up in the View Packets event reconstruction window:
Hi I am discovering the incomplete sessions in a few ways:
- Extracting packet captures and then viewing in wireshark which shows them as "packets missing"
-The pcaps are exported to another system and dont appear as it is less tolerant of packets missing than Netwitness
-User reports that they are unable to view in Reconstruction View
These hint that I have a problem, I have enough evidence that there is an issue, but I don't know how large the issue actually is.
If I am remembering correctly, Wireshark will display a "--[missing packet]--" label in the "Follow TCP Streams" view. This is a label placed by Wireshark and not something within the pcap/traffic. I am not aware of such a feature in NetWitness during packet collection.
We had such an issue in the past and how we ran our test was to send a ping regularly (once per minute) to one of our IP that would be seen by the tap and then checked NW to see how many packets we got over an hour (expect to see 60 pings).
The other issue we had before was an issue with TCP offloading on the capturing NIC cards and were having similar issues David described in his post about snippet of packets missing (seen in Wireshark) and unable to reconstruct files.
I'm not aware of any method for using NetWitness directly to detect packet loss, but it might be worth running wireshark before the TAP, even just a Rasberry Pi or a laptop to grab a packet stream and compare the results. That should rule out whether it's the TAP or a problem further down the line.
Having that capability and solution available can be useful in IR also as you can quickly deploy a pcap solution ad-hoc to support investigations such as this.