Security Analytics Decoders initialization error due to incorrect packet.dir values
Issue
Decoder capture does not start. The Decoder->System page shows "initialization error".
Cause
An incorrect packet.dir value is one of the causes of the initialization error. It can be tracked through the following entries in /var/log/messages:
Apr 14 12:56:50 FDALADCNWSAD-IINET NwDecoder[31562]: [Engine] [failure] Module decoder failed to load: The directory '/var/netwitness/decoder/packetdb0/packetdb' does not exist
Apr 14 12:56:50 FDALADCNWSAD-IINET NwDecoder[31562]: [Engine] [failure] Module decoder failed to load: Diagnostic information: Throw in function void nw::ObjectStoreDatabase
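To confirm this cause on a decoder, the following added example (not part of the original article or of the product's tooling) extracts the directory named in the "does not exist" message and reports the deepest parent directory that is actually present, which shows where the configured path diverges from the filesystem. The function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not vendor code. Function names are hypothetical.

# Print each unique directory that NwDecoder reported as missing in log file $1.
missing_dirs_from_log() {
    sed -n "s/.*NwDecoder.*failed to load: The directory '\([^']*\)' does not exist.*/\1/p" "$1" | sort -u
}

# Walk up from path $1 and print the first ancestor that exists as a directory.
deepest_existing_parent() (
    p=$1
    while [ -n "$p" ] && [ "$p" != "/" ] && [ ! -d "$p" ]; do
        p=$(dirname "$p")
    done
    printf '%s\n' "$p"
)

# For every directory named in the log, say whether it exists now.
report() {
    missing_dirs_from_log "$1" | while IFS= read -r dir; do
        if [ -d "$dir" ]; then
            echo "OK       $dir"
        else
            echo "MISSING  $dir (deepest existing parent: $(deepest_existing_parent "$dir"))"
        fi
    done
}

# Sample input: the two log lines quoted above, written to a temporary file.
demo() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
Apr 14 12:56:50 FDALADCNWSAD-IINET NwDecoder[31562]: [Engine] [failure] Module decoder failed to load: The directory '/var/netwitness/decoder/packetdb0/packetdb' does not exist
Apr 14 12:56:50 FDALADCNWSAD-IINET NwDecoder[31562]: [Engine] [failure] Module decoder failed to load: Diagnostic information: Throw in function void nw::ObjectStoreDatabase
EOF
    report "$sample"
    rm -f "$sample"
}

# With a log file argument (e.g. /var/log/messages) scan it; otherwise run the sample.
if [ -f "${1:-}" ]; then report "$1"; else demo; fi
```

The reported parent directory is the starting point for choosing the corrected packet.dir value in the Resolution steps.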
Resolution
Follow the steps below to resolve the issue.
A. If the GUI Explore view is accessible:
1. Log in to the GUI as administrator.
2. Navigate to Administration->Services->Decoder->View->Explore.
3. In the Explore view, expand database->Config on the left-hand side. On the right-hand side, the packet.dir value can be adjusted according to the customer setup.
- In this particular issue, 'packetdb' does not exist under /var/netwitness/decoder/packetdb0, so packet.dir must be modified.
- Use the following as a guide (your scenario may be unique)
(change to)
4. Restart the service using restart nwdecoder so that it takes the new values.
B. If the GUI Explore view is not accessible:
1. Log in to the decoder through a PuTTY session.
2. Stop the Decoder service using the stop nwdecoder command.
3. Run the cd /etc/netwitness/ng command to access the decoder configuration file.
4. Modify the NwDecoder.cfg file using the vi editor to adjust the packet.dir value.
5. Start the Decoder service using the start nwdecoder command.
Product Details
Product Set: Security Analytics, NetWitness
Product/Service Type: SA Core Appliance, SA Packet Decoder, SA Log Decoder
RSA Version/Condition: 11.x/12.X
Platform: CentOS 7 / Alma
Summary
The Decoder cannot start capture because of an initialization error. An incorrect packet.dir value is one of the causes of initialization errors.