Three primary reasons that can cause long message wait times.
There are three primary reasons for long message wait times:
1. The Monitor is being asked to do more work than it can handle.
Factors that contribute to this issue include:
You can address these issues by tuning system and memory settings on the Monitor, adding hardware, reducing the number of policies, or rewriting poorly written policies.
2. The Monitor is being sent incomplete message streams, so the FileReader and Content Extractor spend excessive time trying to put together the message components while other traffic queues up.
Contributing factors include discarded or dropped packets at the Endace Card level, at the Packet Capture level, or possibly upstream from Symantec DLP entirely, so that the message stream is never seen.
The possibility exists that the system is not being sent all of the packets necessary to accurately reassemble TCP streams and extract messages from them. As a result, there are NO tuning or memory settings that can be adjusted to address this problem.
3. The correct Network Interface Card (NIC) may not be selected. Check whether the correct NIC is checked in the NIC configuration area (or whether any NIC is checked at all). If the correct NIC is not checked in the configuration screen, this can lead to confusion over which NIC is in use.
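
One way to confirm the incomplete streams described in reason 2, as an added example that is not Symantec code: given the TCP segments captured for one direction of a connection at the Monitor's interface, report the byte ranges that never arrived. The function names, the input format (sequence number and payload length per segment) and the sample segments are assumptions constructed for illustration.

```python
# Added example: find holes in one direction of a captured TCP stream.
# Input: the initial sequence number (ISN, from the SYN) and a list of
# (sequence_number, payload_length) pairs in capture order.
# Assumes the stream carries less than 4 GiB, so offsets are unambiguous.

MOD = 1 << 32  # TCP sequence numbers wrap at 2**32


def find_gaps(isn, segments):
    """Return (gaps, stream_end); gaps are (offset, length) byte ranges."""
    # Offset of each segment's first byte; payload starts at ISN + 1.
    spans = sorted(((seq - isn - 1) % MOD, length)
                   for seq, length in segments if length > 0)
    gaps, expected = [], 0
    for start, length in spans:
        if start > expected:  # bytes between expected and start were never seen
            gaps.append((expected, start - expected))
        # max() absorbs retransmissions and overlapping segments
        expected = max(expected, start + length)
    return gaps, expected


def capture_loss(isn, segments):
    """Summarise how much of the stream the capture point actually saw."""
    gaps, end = find_gaps(isn, segments)
    missing = sum(length for _, length in gaps)
    return {"stream_bytes": end, "missing_bytes": missing,
            "gaps": gaps, "complete": missing == 0}


# Constructed sample: ISN close to the 32-bit wrap, one retransmission,
# one out-of-order segment, and one segment (seq 205, 500 bytes) that the
# capture never delivered.
SAMPLE_ISN = 4294966000
SAMPLE_SEGMENTS = [
    (4294966001, 500),
    (4294966501, 500),
    (4294967001, 500),   # payload crosses the sequence-number wrap
    (1205, 300),         # arrives before the segment that precedes it
    (705, 500),
    (4294966501, 500),   # retransmission of an earlier segment
]

if __name__ == "__main__":
    print(capture_loss(SAMPLE_ISN, SAMPLE_SEGMENTS))
```

A gap that stays open while later data keeps arriving means the capture path lost packets the endpoints themselves received, which is the case no Monitor tuning can fix. Loss at the very end of a stream is not visible to this check.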