RSA NetWitness Logs and Network: Packet Decoder - Increasing MTU and setting snaplen when using 10G card with pf_ring service
Issue
The MTU and snaplen must be set differently on appliances whose 10G capture card uses pf_ring. For appliances that do not use a 10G card, use:
MTU - KB #000034177 - How to set the MTU size on RSA Netwitness appliances 10.x
Snaplen - KB #000026720 - How to set correct capture packet/frame size (snaplen) on RSA NetWitness decoders when data is missing from end of packets
Note: The two techniques for calculating the snaplen in KB #000026720 do not work when pf_ring is in use, because both rely on tcpdump.
Symptoms of needing to increase the MTU to support Jumbo Frames:
A packet decoder shows a large number of errors on the capture interface. The 'rx_long_length_errors' counter relates to receiving jumbo frames: it counts received frames that exceed the interface's configured maximum frame size.
# ethtool -S p2p2 | grep rx_long_length_errors
rx_long_length_errors: 7294031336
Re-running the above command shows the counter increasing.
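The check described above, as an added shell example that is not part of the RSA KB: it pulls the rx_long_length_errors counter out of `ethtool -S` output and reports whether it rose between two samples, which is the symptom of jumbo frames being dropped at the default MTU. The two ethtool outputs are constructed; on a real decoder replace them with two runs of `ethtool -S <capture interface>` taken a few seconds apart. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not RSA tooling): detect a rising rx_long_length_errors counter.
# Both ethtool -S outputs below are constructed for the demonstration.

SAMPLE_T0='NIC statistics:
     rx_packets: 918233412
     tx_packets: 12
     rx_long_length_errors: 7294031336
     rx_short_length_errors: 0'

SAMPLE_T1='NIC statistics:
     rx_packets: 918241980
     tx_packets: 12
     rx_long_length_errors: 7294038102
     rx_short_length_errors: 0'

# counter_value <ethtool -S output> <counter name>: print the counter, or 0 if absent.
counter_value() {
    printf '%s\n' "$1" | awk -v key="$2:" '
        $1 == key { print $2; found = 1; exit }
        END { if (!found) print 0 }'
}

# jumbo_errors_growing <sample t0> <sample t1>: succeed when the counter rose,
# fail when it stayed flat.  The comparison is done in awk because the counter
# already exceeds 2^31 and sh integer arithmetic is not guaranteed past that.
jumbo_errors_growing() {
    a=$(counter_value "$1" rx_long_length_errors)
    b=$(counter_value "$2" rx_long_length_errors)
    awk -v a="$a" -v b="$b" 'BEGIN { exit !(b > a) }'
}

# jumbo_error_delta <sample t0> <sample t1>: print how many oversize frames
# were counted between the two samples.
jumbo_error_delta() {
    awk -v a="$(counter_value "$1" rx_long_length_errors)" \
        -v b="$(counter_value "$2" rx_long_length_errors)" \
        'BEGIN { printf "%d\n", b - a }'
}

# Stand-alone run against the constructed samples.
if jumbo_errors_growing "$SAMPLE_T0" "$SAMPLE_T1"; then
    echo "rx_long_length_errors rose by $(jumbo_error_delta "$SAMPLE_T0" "$SAMPLE_T1"): jumbo frames are being dropped, raise the MTU"
else
    echo "rx_long_length_errors is flat"
fi
```

Sampling twice rather than reading the counter once matters because a large absolute value may be historical; only a counter that is still climbing shows that jumbo frames are being dropped right now.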
Resolution
To increase the MTU and set the snaplen in the decoder service:
1) Identify the capture interface by looking at the received traffic (RX packets) in `ifconfig -a` output.
This will be something like p2p1 or em3 (em1 is usually the management interface and can be ignored).
# ifconfig -a
2) Confirm the interface is a 10G card
# ethtool p2p1 | grep -m1 10000
Example output for a 10G interface:
10000baseT/Full
Note: A 1G interface returns no output for the above command.
3) Check which interfaces are patched
# ethtool p2p1 | grep 'Link detected'
Example output for a patched interface:
Link detected: yes
Example output for a non-patched interface:
Link detected: no
-------------------------------------------------------------
If both 10G ports are patched, skip to Section B below.
Section A. Configuration on 10G Fiber Card where only a single port is patched
Note: The following examples assume the patched port is p2p1.
4) Add the MAC address to a new file
For NetWitness 10.X versions you can make use of facter output:
# printf "%s 8192\n" "$(facter macaddress_p2p1)" > /etc/pf_ring/mtu.conf
Note: Due to the _ character you may need to retype the command manually rather than copy and paste.
The end result in /etc/pf_ring/mtu.conf will look like:
00:1B:21:9B:1D:DD 8192
For NetWitness 11.X versions you need to copy the MAC from ifconfig -a manually into /etc/pf_ring/mtu.conf and append the MTU value.
5) In Explore mode, edit /decoder/config/capture.device.params (Capture Device Parameters)
BEFORE:
device=zc:p2p1
AFTER:
snaplen=8192 device=zc:p2p1
Note: The value turns red to indicate that a service restart is required.
6) Add the MTU to the /etc/sysconfig/network-scripts/ifcfg-* file
e.g. Add the following line to the bottom of /etc/sysconfig/network-scripts/ifcfg-p2p1
MTU="8192"
Note: Make sure that capture interfaces have the following (only the management interface should have ONBOOT=yes):
ONBOOT=no
7) Stop capture in the System page of the decoder service
8) Stop the decoder service
# stop nwdecoder
9) Uninstall the pf_ring RPM (optional if the 'device=' part of capture.device.params has remained the same)
Hint: Check that the pfring package is available in the NW yum repository before removing it (otherwise the next step will fail):
# repoquery pfring
To uninstall the RPM:
# yum remove pfring
10) Re-install the pf_ring RPM to re-insert the module into the kernel (optional if the 'device=' part of capture.device.params has remained the same)
# yum install pfring
11) Reboot the OS
# shutdown -r now
or
# reboot
-------------------------------------------------------------
Section B. Configuration on 10G Fiber Card where both ports are patched
Note: The following examples assume the patched ports are p2p1 and p2p2.
4) Add the MAC addresses to a new file
For NetWitness 10.X versions you can make use of facter output:
# printf "%s 8192\n" "$(facter macaddress_p2p1)" >> /etc/pf_ring/mtu.conf
# printf "%s 8192\n" "$(facter macaddress_p2p2)" >> /etc/pf_ring/mtu.conf
Note: Due to the _ character you may need to retype the commands manually rather than copy and paste.
The end result in /etc/pf_ring/mtu.conf will look like:
00:1B:21:9B:1D:DD 8192
00:1B:21:9B:1D:DC 8192
For NetWitness 11.X versions you need to copy the MACs from ifconfig -a manually into /etc/pf_ring/mtu.conf and append the MTU value to each.
5) In Explore mode, edit /decoder/config/capture.device.params (Capture Device Parameters)
BEFORE:
capture=zc:p2p2,zc:p2p1
AFTER:
snaplen=8192 capture=zc:p2p2,zc:p2p1
Note: The value turns red to indicate that a service restart is required.
6) Add the MTU to the /etc/sysconfig/network-scripts/ifcfg-* files
e.g. Add the following line to the bottom of both /etc/sysconfig/network-scripts/ifcfg-p2p1 and /etc/sysconfig/network-scripts/ifcfg-p2p2
MTU="8192"
7) Stop capture in the System page of the decoder service
8) Stop the decoder service
# stop nwdecoder
9) Uninstall the pf_ring RPM (optional if the 'device=' part of capture.device.params has remained the same)
Hint: Check that the pfring package is available in the NW yum repository before removing it (otherwise the next step will fail):
# repoquery pfring
To uninstall the RPM:
# yum remove pfring
10) Re-install the pf_ring RPM to re-insert the module into the kernel (optional if the 'device=' part of capture.device.params has remained the same)
# yum install pfring
11) Reboot the OS
# shutdown -r now
or
# reboot
Warning: It is recommended to monitor for packet drops after increasing the snaplen.
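Steps 4 to 6 of Sections A and B, worked through for NetWitness 11.X (where facter is not used) as an added shell example that is not part of this KB or of RSA's tooling. It parses MAC addresses out of ifconfig -a output in both the CentOS 6 (HWaddr) and CentOS 7 (ether) layouts, writes the 'MAC MTU' lines to mtu.conf without duplicating them if the step is re-run, validates the file, puts the snaplen= prefix onto the capture.device.params value (replacing any existing one), and sets MTU and ONBOOT in the ifcfg files. The interface names, MAC addresses and ifconfig output are constructed, the function names are this example's own, and everything is written to a scratch directory that stands in for /etc/pf_ring and /etc/sysconfig/network-scripts, so it can be run anywhere.

```shell
#!/bin/sh
# Added example, not RSA's own tooling: automates KB steps 4 to 6 for NetWitness
# 11.X (no facter) against files in a scratch directory that stands in for
# /etc/pf_ring and /etc/sysconfig/network-scripts.
# Interface names, MACs and the ifconfig output below are constructed.

MTU=8192

# Constructed `ifconfig -a` output in both the CentOS 6 (HWaddr) and the
# CentOS 7 (ether) layouts, so the parser copes with either release.
IFCONFIG_SAMPLE='em1       Link encap:Ethernet  HWaddr 00:1B:21:9B:1D:AA
          inet addr:10.0.0.5  Bcast:10.0.0.255  Mask:255.255.255.0
p2p1      Link encap:Ethernet  HWaddr 00:1B:21:9B:1D:DD
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
p2p2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 00:1b:21:9b:1d:dc  txqueuelen 1000  (Ethernet)'

# mac_of_iface <ifconfig output> <iface>: print the interface's MAC in upper case.
mac_of_iface() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[^ \t]/ { name = $1; sub(/:$/, "", name) }   # column-1 text starts a new interface block
        name == want {
            for (i = 1; i < NF; i++)
                if ($i == "HWaddr" || $i == "ether") { print toupper($(i + 1)); exit }
        }'
}

# add_mtu_entry <conf> <mac> <mtu>: append "MAC MTU" unless that MAC is already
# listed, so re-running the procedure cannot produce duplicate lines.
add_mtu_entry() {
    conf=$1; mac=$2; mtu=$3
    if [ -f "$conf" ] && grep -qi -- "^$mac " "$conf"; then
        return 0
    fi
    printf '%s %s\n' "$mac" "$mtu" >> "$conf"
}

# validate_mtu_conf <conf>: succeed only if every line is "<17-char MAC> <integer MTU>".
validate_mtu_conf() {
    awk 'BEGIN { bad = 0 }
         NF != 2 || length($1) != 17 || $1 !~ /^([0-9A-Fa-f][0-9A-Fa-f]:)+[0-9A-Fa-f][0-9A-Fa-f]$/ || $2 !~ /^[0-9]+$/ { bad = 1 }
         END { exit bad }' "$1"
}

# with_snaplen <params> <mtu>: print capture.device.params with "snaplen=<mtu>" in
# front, replacing any snaplen= token already present instead of adding a second one.
with_snaplen() {
    printf '%s\n' "$1" | awk -v mtu="$2" '{
        out = "snaplen=" mtu
        for (i = 1; i <= NF; i++) if ($i !~ /^snaplen=/) out = out " " $i
        print out
    }'
}

# set_ifcfg_option <ifcfg file> <KEY> <value>: replace an existing KEY= line or append one.
set_ifcfg_option() {
    file=$1; key=$2; val=$3
    if [ -f "$file" ] && grep -q "^$key=" "$file"; then
        tmp="$file.tmp"
        sed "s/^$key=.*/$key=$val/" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$val" >> "$file"
    fi
}

# demo <workdir>: run steps 4 and 6 for p2p1 and p2p2 under <workdir>, run step 4 a
# second time to show it is idempotent, validate the result and print mtu.conf.
demo() {
    dir=$1; conf="$dir/mtu.conf"
    for iface in p2p1 p2p2; do
        # constructed starting ifcfg file; capture ports must end up with ONBOOT=no
        printf 'DEVICE=%s\nONBOOT=yes\n' "$iface" > "$dir/ifcfg-$iface"
        add_mtu_entry "$conf" "$(mac_of_iface "$IFCONFIG_SAMPLE" "$iface")" "$MTU"
        set_ifcfg_option "$dir/ifcfg-$iface" MTU "\"$MTU\""
        set_ifcfg_option "$dir/ifcfg-$iface" ONBOOT no
    done
    add_mtu_entry "$conf" "$(mac_of_iface "$IFCONFIG_SAMPLE" p2p1)" "$MTU"
    validate_mtu_conf "$conf" || return 1
    cat "$conf"
}

# Stand-alone run in a scratch directory.
WORK=$(mktemp -d)
demo "$WORK"
with_snaplen 'device=zc:p2p1' "$MTU"
with_snaplen 'capture=zc:p2p2,zc:p2p1' "$MTU"
rm -rf "$WORK"
```

The duplicate-MAC guard and the validator are there because the mtu.conf format is one 'MAC MTU' pair per line and nothing else; a stray second entry for the same port or a line with the MTU on its own is easy to produce by re-running the printf commands, and pf_ring will not pick up the intended MTU from a malformed file.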
Product Details
RSA Product Set: NetWitness Logs and Network (Security Analytics)
RSA Version/Condition: 10.5.x, 10.6.x, 11.x
Platform: CentOS
O/S Version: 6, 7