How to troubleshoot packet drop issue in RSA NetWitness Platform
Issue
You may see the following message in /var/log/messages if there is a packet drop issue.
[Packet] [warning] Packet drops encountered, packet capture (9815/9817): check capture configuration, packet sizes and rates
The above message means that packet pool usage is extremely high.
9815/9817 means that the pool capacity is 9817 and that 9815 of it is consumed.
The pool is almost full, so the service drops packets at the current incoming rate.
You may also observe the following logs through further investigation.
[Packet] [warning] Packet drops encountered, packet assemble (9000/9000): check session pool (following log), line and session rates
[Packet] [warning] Packet drops encountered: packet (c/w/a/e) 0/0/9000/0; session (e/a/p/id/ex/ev/w/in/s) 7009/2535/0/0/1/0/0/0/0
[Packet] [warning] Packet drops encountered, packet assemble (8998/9000): check session pool (following log), line and session rates
[Packet] [warning] Packet drops encountered: packet (c/w/a/e) 2/0/8998/0; session (e/a/p/id/ex/ev/w/in/s) 7228/2314/0/0/1/1/0/0/0
[Packet] [warning] Packet drops encountered, packet assemble (9000/9000): check session pool (following log), line and session rates
[Packet] [warning] Packet drops encountered: packet (c/w/a/e) 0/0/9000/0; session (e/a/p/id/ex/ev/w/in/s) 7009/2535/0/0/1/0/0/0/0
[Packet] [warning] Packet drops encountered, packet assemble (8998/9000): check session pool (following log), line and session rates
[Packet] [warning] Packet drops encountered: packet (c/w/a/e) 2/0/8998/0; session (e/a/p/id/ex/ev/w/in/s) 7228/2314/0/0/1/1/0/0/0
[Packet] [warning] Packet drops encountered, packet assemble (9000/9000): check session pool (following log), line and session rates
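To triage these warnings in bulk, the following added example (not RSA's code) parses both message formats quoted above and reports peak utilization per stage plus the peak of each packet and session counter. The 95% threshold and the function names are assumptions; the counter letters are kept as they appear in the log because this article does not define them.

```python
import re
from collections import defaultdict
# Constructed sample: the message formats quoted above (syslog prefix omitted).
SAMPLE = """\
[Packet] [warning] Packet drops encountered, packet capture (9815/9817): check capture configuration, packet sizes and rates
[Packet] [warning] Packet drops encountered, packet assemble (9000/9000): check session pool (following log), line and session rates
[Packet] [warning] Packet drops encountered: packet (c/w/a/e) 0/0/9000/0; session (e/a/p/id/ex/ev/w/in/s) 7009/2535/0/0/1/0/0/0/0
[Packet] [warning] Packet drops encountered, packet assemble (8998/9000): check session pool (following log), line and session rates
[Packet] [warning] Packet drops encountered: packet (c/w/a/e) 2/0/8998/0; session (e/a/p/id/ex/ev/w/in/s) 7228/2314/0/0/1/1/0/0/0
"""
# "packet capture (9815/9817)" -> stage name, used, capacity
STAGE_RE = re.compile(r"Packet drops encountered, packet (\w+) \((\d+)/(\d+)\)")
# "packet (c/w/a/e) 0/0/9000/0" -> pool, counter keys, counter values
DETAIL_RE = re.compile(r"(packet|session) \(([a-z]+(?:/[a-z]+)*)\) (\d+(?:/\d+)*)")

def parse_line(line):
    """Return a stage-usage record, a counter-detail record, or None."""
    m = STAGE_RE.search(line)
    if m:
        used, cap = int(m.group(2)), int(m.group(3))
        pct = round(100.0 * used / cap, 2) if cap else 0.0
        return {"type": "stage", "stage": m.group(1), "used": used, "capacity": cap, "pct": pct}
    pools = {}
    for pool, keys, vals in DETAIL_RE.findall(line):
        k, v = keys.split("/"), vals.split("/")
        if len(k) == len(v):  # skip truncated lines where keys and values disagree
            pools[pool] = dict(zip(k, map(int, v)))
    return {"type": "detail", **pools} if pools else None

def summarize(text, threshold=95.0):
    """Aggregate drop warnings; threshold (percent) is an assumed cut-off."""
    stages = defaultdict(lambda: {"warnings": 0, "peak_pct": 0.0})
    peaks = {"packet": defaultdict(int), "session": defaultdict(int)}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["type"] == "stage":
            stages[rec["stage"]]["warnings"] += 1
            stages[rec["stage"]]["peak_pct"] = max(stages[rec["stage"]]["peak_pct"], rec["pct"])
        else:
            for pool in peaks:
                for key, val in rec.get(pool, {}).items():
                    peaks[pool][key] = max(peaks[pool][key], val)
    saturated = sorted(s for s, d in stages.items() if d["peak_pct"] >= threshold)
    return {"stages": dict(stages), "peaks": {p: dict(c) for p, c in peaks.items()}, "saturated": saturated}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

In practice, pass the contents of /var/log/messages to summarize() instead of SAMPLE; the regular expressions ignore the syslog timestamp and host prefix.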
Resolution
As the logs suggest, the packet drops are likely caused by the session and packet pool values and the high incoming rates. Check whether all the values under /decoder/config are properly configured.
You can get the recommended values by using "reconfig" in Explore > decoder as shown below.
In this case, the assembler.session.pool and pool.session.pages values were configured to 1/5th of the recommended value.
Note: A restart of the decoder service is required for the change to take effect.
You can also refer to the following URL, written by CE, for further packet drop issue analysis.
https://wiki.na.rsa.net/pages/viewpage.action?pageId=136874872
Product Details
RSA Product Set: RSA NetWitness Platform
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 10.x / 11.x
Platform: CentOS