Network Monitor SMTP incidents are garbled


Article ID: 162270


Updated On:


Data Loss Prevention Network Monitor


When capturing SMTP traffic with Network Monitor, we are seeing incidents that contain data that does not belong, such as added recipients or subjects.


All supported versions


Improper/dirty/bad traffic, specifically jumbo packets. 


Network Monitor is designed to capture jumbo packets, but is configured to expect fewer of them in the network stream.

We can adjust settings under the Advanced Server Settings and recycle the services to apply the changes.

  1. Confirm the presence of jumbo traffic with a packet capture (Wireshark, tcpdump, etc.).
  2. If jumbo packets are present (packets larger than 1514 bytes), determine the largest packet size.
  3. Change PacketCapture.RING_CAPTURE_LENGTH to a value that exceeds the largest packet size found in step 2.
    • RING_CAPTURE_LENGTH is the largest packet we will capture.
  4. Increase PacketCapture.NUMBER_JUMBO_POOL_PACKETS based on the amount of jumbo packets seen.
    • E.g., if traffic is mostly jumbo packets, set this larger than PacketCapture.NUMBER_BUFFER_POOL_PACKETS.
      • NUMBER_BUFFER_POOL_PACKETS may need to be reduced so as not to overload the network monitor.
    • E.g., if traffic is a mix, set NUMBER_JUMBO_POOL_PACKETS equal to or less than NUMBER_BUFFER_POOL_PACKETS.
  5. Set PacketCapture.SIZE_JUMBO_POOL_PACKETS to match PacketCapture.RING_CAPTURE_LENGTH.
    • SIZE_JUMBO_POOL_PACKETS determines the largest size a jumbo packet can be.
  6. Recycle the services on the network monitor and watch the resource usage. Depending on the resources available and how the monitor was tuned, we may overload the box. If this happens, lower NUMBER_BUFFER_POOL_PACKETS and NUMBER_JUMBO_POOL_PACKETS.

Once you have changed the settings and the monitor is stable, check some new incidents to see whether the issue persists. This should resolve garbled incident issues due to jumbo packets.
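Steps 1 and 2 can be scripted against a saved capture. The following is an added example, not part of the original article or the product: it reads a classic pcap file and reports how many frames exceed 1514 bytes and the largest on-wire frame size. The function names and the constructed sample capture are assumptions made for illustration.

```python
import struct
import sys

STANDARD_MAX_FRAME = 1514  # article's threshold: anything larger is a jumbo packet

def jumbo_stats(pcap_bytes):
    """Count frames and jumbo frames in a classic (non-pcapng) pcap file."""
    magic = pcap_bytes[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"   # little-endian, microsecond or nanosecond timestamps
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    offset, total, jumbo, largest = 24, 0, 0, 0   # 24-byte global header
    while offset + 16 <= len(pcap_bytes):
        _sec, _frac, incl_len, orig_len = struct.unpack_from(
            endian + "IIII", pcap_bytes, offset)
        # orig_len is the on-wire size; incl_len may be truncated by the snaplen,
        # so a capture taken with a short snaplen still gives the right answer.
        total += 1
        largest = max(largest, orig_len)
        if orig_len > STANDARD_MAX_FRAME:
            jumbo += 1
        offset += 16 + incl_len
    return {"total": total, "jumbo": jumbo, "largest": largest,
            "jumbo_share": jumbo / total if total else 0.0}

def build_sample_pcap(wire_lengths, snaplen=96):
    """Constructed input: little-endian pcap of zero-filled Ethernet frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, wire_len in enumerate(wire_lengths):
        captured = min(wire_len, snaplen)
        out += struct.pack("<IIII", i, 0, captured, wire_len) + bytes(captured)
    return out

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_pcap([60, 1514, 9014, 4000, 1515])  # constructed
    s = jumbo_stats(data)
    print(f"{s['jumbo']} of {s['total']} frames are jumbo "
          f"({s['jumbo_share']:.0%}); largest frame is {s['largest']} bytes")
    if s["jumbo"]:
        print(f"PacketCapture.RING_CAPTURE_LENGTH must exceed {s['largest']}")
```

The jumbo share it prints is the input to step 4: it shows whether the traffic is mostly jumbo packets or a mix.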

Additional Information

Defaults for above settings: