.png?width=180&height=32&name=NW%20Logo%20(2).png){kind=small}
RSA NetWitness Concentrator's behind number increases rapidly when Decoder's capture rate is 3~5 Gbps
Issue
Concentrator's behind number increases rapidly when Decoder's capture rate is 3~5 Gbps.User cannot investigate recent data.
Cause
Low bandwidth between decoder and concentrator causes this problem.'ethtool
# ethtool <interface> | grep Speed
Speed: 100Mb/s
Speed: 100Mb/s
Below message occur at /var/log/messages.
Dec 16 17:30:26 GP-NWForensic-Con NwConcentrator[63941]: [Bandwidth] [info] Performing bandwidth test to device <ip address of decoder>:50004...
Dec 16 17:30:28 GP-NWForensic-Con NwConcentrator[63941]: [Bandwidth] [info] Received 25 MB at a transfer rate of 11.45 MB/sec or 96.0 Mbps from device '<ip address of decoder>:50004'
Dec 16 17:30:28 GP-NWForensic-Con NwConcentrator[63941]: [Bandwidth] [warning] The bandwidth score of 96.0 Mbps is low and may cause aggregation to fall behind from device '<ip address of decoder>:50004'
The result of 'netspeed' command also displays very low (about 5~10 MB/sec).
Dec 16 17:30:28 GP-NWForensic-Con NwConcentrator[63941]: [Bandwidth] [info] Received 25 MB at a transfer rate of 11.45 MB/sec or 96.0 Mbps from device '<ip address of decoder>:50004'
Dec 16 17:30:28 GP-NWForensic-Con NwConcentrator[63941]: [Bandwidth] [warning] The bandwidth score of 96.0 Mbps is low and may cause aggregation to fall behind from device '<ip address of decoder>:50004'
Resolution
The network administrator should change their network connectivity(switch or hub) between the decoder and concentrator from 100baseT/Full to 1000 or 10000baseT/Full.After changing the connectivity to 1000baseT/Full, netspeed results around 80~90MB/sec.
> netspeed 100MB
Response from compress command: Compression changed from 0 to 0, compression level is 0
Received 97.61 MB at a transfer rate of 97.51 MB/sec or 818 Mbps
Response from compress command: Compression changed from 0 to 0, compression level is 0
Received 97.61 MB at a transfer rate of 97.51 MB/sec or 818 Mbps
The behind count starts to decrease after the network change.
Product Details
RSA Product Set: RSA NetWitness PlatformRSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.3, 11.4, 11.5
Platform: CentOS
Summary
NetWitness Concentrator's behind number increases rapidly when Decoder's capture rate is 3~5 Gbps.
Approval Reviewer Queue
RSA NetWitness Suite Approval Queue