
Unable to initialize capture with a new 10g card on an RSA Security Analytics Decoder

Issue

A 10g fiber card has just been added to a Security Analytics decoder. When attempting to capture on the decoder, the following error is observed in /var/log/messages, and capture will not start:
 
[PFRing] [failure] Failed to create cluster [PFRing] [failure] Throw in function virtual void nw::
{anonymous}::CaptureDevicePFRINGZC::open(size_t, nw::uint32, const string&)Dynamic exception type:
boost::exception_details:clone_implstd::exception::what: Failed to create cluster105,
No buffer space available” [boost::errinfo_at_line_*]=322

 
 
This occurs even after confirming that the card is present using the lspci command, and that cards are present under the pf_ring driver with the lsmod command.

The pf_ring driver shows in lsmod, and a tcpdump shows traffic.

Cause

The issue occurs because the pf_ring driver RPM was installed out of order with a BIOS or other OS update.


Resolution

To resolve the issue, follow the steps below.
  1. Connect to the Decoder appliance via SSH as the root user.
  2. Uninstall the pf_ring driver.
  3. RSA Security Analytics 10.6.x:
    rpm -e pfring
    RSA NetWitness 11.4.x:
    rpm -e pfring-dkms
  4. Remove the /etc/pf_ring directory (if it still exists).
  5. Reboot the Decoder appliance.
    reboot
  6. Re-install the pf_ring driver. RSA Security Analytics 10.6.x:
    yum install pfring
    RSA NetWitness 11.4.x:
    yum install pfring-dkms
  7. Reboot the appliance again.
  8. From the Security Analytics UI, perform the following sequence:
    1. From the Decoder's Explore view, right-click decoder and select Properties.
    2. In the properties drop-down menu, select reconfig.
    3. Enter the following parameters:
      update=1 op=10g
    4. Click the Send button.
  9. Restart the nwdecoder service from the command-line. RSA Security Analytics 10.6.x:
    restart nwdecoder
    RSA NetWitness 11.4.x:
    systemctl restart nwdecoder
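
Because the steps above remove the driver and reboot the appliance twice, it is worth confirming first that the log really shows this article's error. The script below is an added example, not RSA's code: it only reads a log file, and its function names, sample log lines and sample version string are constructed for illustration.

```shell
#!/bin/sh
# Added example, not RSA's code. Function names are hypothetical.

# Count log lines that carry the PFRing cluster-creation failure.
pfring_cluster_failures() {
    [ -r "$1" ] || { echo 0; return 0; }   # unreadable file: no matches
    # grep -c prints 0 but exits 1 when nothing matches; keep the 0.
    grep -cF '[PFRing] [failure] Failed to create cluster' "$1" || true
}

# Succeed only when that failure appears together with the
# "No buffer space available" text quoted in the article.
pfring_symptom_matches() {
    [ "$(pfring_cluster_failures "$1")" -gt 0 ] &&
        grep -qF 'No buffer space available' "$1"
}

# Map a product version to the driver package named in the steps above.
pfring_package_for() {
    case "$1" in
        10.6.*) echo pfring ;;
        11.4.*) echo pfring-dkms ;;
        *) return 1 ;;   # version not covered by this article
    esac
}

# Constructed sample log (hostname, PID and timestamps are made up).
sample=$(mktemp)
cat > "$sample" <<'EOF'
Jan 10 09:15:01 decoder01 kernel: unrelated constructed line
Jan 10 09:15:02 decoder01 nw[2417]: [PFRing] [failure] Failed to create cluster
Jan 10 09:15:02 decoder01 nw[2417]: [PFRing] [failure] Throw in function ... 105, No buffer space available
EOF

if pfring_symptom_matches "$sample"; then
    echo "Matches this article: $(pfring_cluster_failures "$sample") failure line(s)"
    echo "Package to reinstall on 11.4.1 (constructed version): $(pfring_package_for 11.4.1)"
else
    echo "Log does not show the PFRing cluster failure"
fi
rm -f "$sample"
```

Pointing pfring_symptom_matches at /var/log/messages on the Decoder runs the same check against the real log.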

If you are unsure of any of the steps above or experience any issues, contact RSA Customer Support and quote this article number for further assistance.

Product Details

RSA Product Set: Security Analytics
RSA Product/Service Type: Decoder
RSA Version/Condition: 10.6.x, 11.4.x
Platform: CentOS
O/S Version: EL6
