No traffic seen on Network Monitor; packetcapture.log shows - NO NETWORK ADAPTERS FOUND


Article ID: 160056


Updated On:

Products

Data Loss Prevention Network Monitor

Issue/Introduction

On a Windows- or Linux-based monitor, you may run into a problem where no traffic is registered by the Vontu Monitor. This can happen even when the NIC is working fine and is correctly receiving traffic.

Resolution

Relevant Versions:  ALL

This problem can occur on both Windows- and Linux-based Network Monitors, but for different reasons.

If this is seen on a Windows Monitor, it is usually because the packet capture filter driver is not loaded into memory.
Or if the environment has been upgraded


Things to do:

1) Check that the driver is loaded by starting its service. At a command prompt, type the following - "net start npf". If the service is not started, the driver is not loaded and Vontu will not capture any traffic.

2) Make sure this driver loads at boot. Use REGEDIT to access the registry and check this key -
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF

The data for the REG_DWORD value "Start" should be set to 1.

If this is seen on a Linux Monitor, it is often related to file permissions.

Things to do:

1) The file /opt/Vontu/Protect/bin/PacketCapture should be owned by root.protect with permissions 6755 (setuid/setgid). This starts the process as the root user. If these permissions are changed, traffic will not be detected.


2) All other files in /opt/Vontu/Protect/bin should be set to 0755.

You can use this command to set the permissions correctly -
chmod 0755 /opt/Vontu/Protect/bin/* && chmod 6755 /opt/Vontu/Protect/bin/PacketCapture


In this case the error in the UI was: “Packet capture could no elevate its privilege level” or “Capture failed to start on eth1”

The error in the Log was: “No driver is available for eth1” or “Failed to start new capture on device eth1: Exception – Could not locate packet driver for device eth1” or “Packet capture could no elevate its privilege level”


Once these changes are made, restart the Vontu Monitor service to reload with the correct permissions.
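
To confirm the Linux permissions described above without changing anything, the following read-only audit can be run before the restart or later to spot drift. It is an added example, not part of the original article or the product; the function name and its two optional arguments (directory and expected owner:group) are assumptions, and it requires GNU stat.

```shell
#!/bin/sh
# Added example: read-only audit of the permissions this article prescribes.
# Defaults come from the article; the two arguments are assumptions of this
# example so the check can also be pointed at a copy of the directory.
# Requires GNU stat (Linux).

audit_bin_perms() {
    dir="${1:-/opt/Vontu/Protect/bin}"
    want_owner="${2:-root:protect}"     # the article writes this as root.protect
    bad=0

    if [ ! -f "$dir/PacketCapture" ]; then
        echo "FAIL $dir/PacketCapture: not found"
        bad=$((bad + 1))
    fi

    for f in "$dir"/*; do
        [ -f "$f" ] || continue          # regular files only
        mode=$(stat -c '%a' "$f")        # octal, e.g. 755 or 6755
        owner=$(stat -c '%U:%G' "$f")
        if [ "${f##*/}" = "PacketCapture" ]; then
            # Must be setuid/setgid and owned by root:protect to capture.
            if [ "$mode" != "6755" ]; then
                echo "FAIL $f: mode $mode, expected 6755"
                bad=$((bad + 1))
            fi
            if [ "$owner" != "$want_owner" ]; then
                echo "FAIL $f: owner $owner, expected $want_owner"
                bad=$((bad + 1))
            fi
        elif [ "$mode" != "755" ]; then
            # Covers stray setuid/setgid bits and group/world-writable files.
            echo "FAIL $f: mode $mode, expected 0755"
            bad=$((bad + 1))
        fi
    done

    if [ "$bad" -eq 0 ]; then
        echo "OK $dir: permissions match"
        return 0
    fi
    return 1
}

# Run against the default path only where the product directory exists.
if [ -d /opt/Vontu/Protect/bin ]; then
    audit_bin_perms || echo "Fix with the chmod command from the article."
fi
```

Any FAIL line on a file other than PacketCapture that shows a leading 4, 2 or 6 in the mode indicates an unexpected setuid/setgid binary in the directory and is worth investigating before resetting it.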