VLAN ID is not being populated on the Packet Decoder after upgrade or updates to RSA NetWitness

Issue

After upgrading to RSA Security Analytics 10.6.2 / 11.x, the VLAN tags are no longer being captured.

Cause

Although the root cause has not yet been confirmed, it is suspected that the issue might be with the linux kernel. Above issue is only for  Packet Decoders using 10G capture and PFRING driver.

For reference on setting VLAN Fixup configurations (starting on v10.6.3) using packet_mmap capture, please refer to the below article in RSA Link: NOTE: VLAN Fixup settings is only for mmap, not pfring.

Workaround

The workaround is to set rxvlan off and rx-vlan-filter off on the affected interfaces using ethtool as shown in the example below. To make the changes permanent and persistent upon reboots, add the below lines in the /etc/sysconfig/network-scripts/ifcfg- :

DEVICE=<interface_name>
ONBOOT=yes  
NM_CONTROLLED=no 
ETHTOOL_OPTS="-K${DEVICE}rxvlan off;-K${DEVICE}rx-vlan-filter off"

NOTE:  Must ensure that above lines are added once in the affected network interface\s scripts after each upgrade/update

To confirm the configuration changes persist after reboot:

ethtool -k <interface_name>|grep -i vlan

Sample output:
rx-vlan-offload: off
tx-vlan-offload: on
rx-vlan-filter: off
vlan-challenged: off [fixed]
tx-vlan-stag-hw-insert: off [fixed]
rx-vlan-stag-hw-parse: off [fixed]
rx-vlan-stag-filter: off [fixed]

Resolution

 

Product Details

RSA Product Set: Security Analytics, NetWitness Logs and Packets
RSA Product/Service Type: Packet Decoder
RSA Version/Condition: 10.6.2, 10.6.3, 10.6.4, 10.6.5, 11.x
Platform: CentOS
O/S Version: 6

Summary

VLAN ID Tags were missing from network traffic after upgrade or update with 10G Network Card and pfring driver

Approval Reviewer Queue

RSA NetWitness Suite Approval Queue