Security Analytics 10.4 and higher: PCAP extracts running for more than 30 minutes appear to complete but produce a 0 byte file
Issue
It has been observed that in 10.4.1 and higher, PCAP extracts for periods greater than 30 minutes fail to produce pcap files.
When viewing the job under Administration \ System => Jobs and Profile => Jobs, the pcap shows as "available" and "completed", but the pcap file size is 0 bytes.
Additionally, the SA query levels have been set to greater than 30 minutes, as verified by the following:
In SA 10.5, the 'SA Core Query Timeout':
- for the user, in Administration \ Security \ Users tab, Attributes section, is greater than 30 minutes.
- for the user's group, in Administration \ Security \ Roles tab, is greater than 30 minutes.
- for the user, in the service security of the Concentrator and Decoder services, in Administration \ Services -> select
In SA 10.4, the 'SA Core Query Level':
- for the user, in Administration \ System \ Security \ Users tab, Attributes section, is a level that can run for more than 30 minutes, i.e. 1 or 2 by default.
- for the user's group, in Administration \ System \ Security \ Roles tab, is a level that can run for more than 30 minutes.
For SA 10.4, the 'Query Level' is one that:
- for the user, in the service security of the Concentrator and Decoder services, in Administration \ Services -> select
NOTE:
Default SA 10.4 and earlier Query Levels, as defined in /sdk/config:
query.level.1.minutes=60
query.level.2.minutes=40
query.level.3.minutes=20
Cause
This limitation has been in place by design since the introduction of SA 10.4 and exists to limit the number of SA threads a single pcap extract may consume. The SA extractPCAP call waits for up to 30 minutes, then automatically cancels any packets call. This prevents performance issues in the SA UI.
Workaround
The following workaround can be used, but only with the understanding that it can introduce a performance issue; it should only be applied after understanding the risks associated with the procedure. Increasing the carlos timeout can hamper jetty performance. Make a backup copy of the /etc/default/jetty file BEFORE editing.
1. cp /etc/default/jetty /etc/default/jetty.bak
2. Edit /etc/default/jetty on the SA server to set sa.carlos.message.long.timeout, overriding the 30 minute default with a longer timeout:
3. On the first JAVA_OPTIONS line, append the following string before the closing quote ("):
-Dsa.carlos.message.long.timeout=3600000
4. Restart jettysrv:
stop jettysrv
start jettysrv
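Steps 1 to 3 as an added shell example (not RSA's own tooling): it backs the file up, skips the edit if the option is already present, inserts the option before the closing quote of the first JAVA_OPTIONS line, and verifies the result, restoring the backup if the edit did not take. The function names are hypothetical, the file path is passed as an argument so it can be tried on a copy first, and the timeout value is assumed to be in milliseconds.

```shell
# Added example, not RSA's own tooling: apply the article's /etc/default/jetty
# edit with a backup, an idempotency check and a verification step.
# Assumptions: the file holds lines of the form JAVA_OPTIONS="..." and the first
# of them is the one to extend; the timeout value is in milliseconds.
set -eu
# Print the sa.carlos.message.long.timeout value found on the first
# JAVA_OPTIONS line of FILE, or "unset" if there is none.
get_carlos_timeout() {
    awk '
        /^JAVA_OPTIONS=/ && !seen {
            seen = 1
            if (match($0, /-Dsa\.carlos\.message\.long\.timeout=[0-9]+/)) {
                v = substr($0, RSTART, RLENGTH); sub(/.*=/, "", v); print v
            } else { print "unset" }
        }
        END { if (!seen) print "unset" }' "$1"
}
# Copy FILE to FILE.bak, then insert -Dsa.carlos.message.long.timeout=MS just
# before the closing quote of the first JAVA_OPTIONS line (steps 1 to 3 of the
# article). Re-running is safe: an already-set value is left alone.
add_carlos_timeout() {
    file=$1; ms=$2
    if [ "$(get_carlos_timeout "$file")" != "unset" ]; then
        echo "$file: timeout already set, nothing to do" >&2; return 0
    fi
    cp "$file" "$file.bak"
    awk -v opt="-Dsa.carlos.message.long.timeout=$ms" '
        /^JAVA_OPTIONS=/ && !seen {
            seen = 1; n = length($0)
            if (substr($0, n, 1) == "\"") $0 = substr($0, 1, n - 1) " " opt "\""
        }
        { print }' "$file.bak" > "$file"
    # Verify the edit took; if not (no JAVA_OPTIONS line, or no closing quote),
    # restore the backup so jettysrv never starts from a half-edited file.
    if [ "$(get_carlos_timeout "$file")" != "$ms" ]; then
        cp "$file.bak" "$file"; echo "$file: edit failed, backup restored" >&2
        return 1
    fi
}
# Demo on a constructed jetty defaults file (not taken from a real SA server);
# prints the value now in effect, 3600000 as in the article.
demo() {
    f=$(mktemp)
    printf 'JETTY_HOME=/opt/jetty\nJAVA_OPTIONS="-Xmx2g -Djava.awt.headless=true"\n' > "$f"
    add_carlos_timeout "$f" 3600000
    get_carlos_timeout "$f"
    rm -f "$f" "$f.bak"
}
```

Run it against a copy of /etc/default/jetty before touching the live file, and restart jettysrv (step 4) only after the verification passes.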
Notes
Warning: Potential system performance impact if this workaround is implemented. Monitor performance closely and revert the change should adverse performance be noticed.
Product Details
RSA Product Set: NetWitness
RSA Product/Service Type: NetWitness UI, NetWitness Admin, Concentrator, Packet Decoder
RSA Version/Condition: 10.4.1 and higher
Platform: CentOS7