Network Monitor fails to process captured packets .vpcap files.
search cancel

Network Monitor fails to process captured packets .vpcap files.


Article ID: 160767


Updated On:


Data Loss Prevention Data Loss Prevention Network Monitor


On Network Monitor you observe excessive restarts of Filereader, however PacketCapture keeps running and creating .vpcap files under drop_pcap folder. No increase in message count or no incident from Network Monitor.


Data Loss Prevention 15.X, 16.X.


This is very common issue when some bad traffic chokes the filereader process and further inspection/detection would stop. As a result filereader on Network Monitor keeps restarting until we manually remove the bad traffic file. Please follow the below steps to overcome this issue:

1. In this situation drop_pcap folder keeps filling up with .vpcap files under directories have numerical name.

2. We need to manually stop PacketCapture service of Network Monitor from UI console.

3. Once PacketCapture stops you will not get new packet capture file.

4. Move all files/directory from drop_pcap folder to some temporary location. Here you will also find error to move some directories which are locked/used by process. These directories/files are culprit for this issue.

5. To unlock these directories, you need to stop SymantecDLPDetectionServer service on Network Monitor server and either move or delete these directories from drop_pcap. Don't move them to the location where you have all other directories/files. Move them to separate location.

6. Start SymantecDLPDetectionServer service again from server. Restore old files/directories back to drop_pcap folder in batches.

7. Ensure that you see an increase in message count from UI for this network monitor server.

8. If above steps do not assist in resolving the issue, you should open a ticket with support.