This only affects packet captures that are imported into the Security Analytics appliance. It does not affect packets captured by the Security Analytics appliance itself.
When TCP Segmentation Offload (TSO) is enabled on an operating system and a packet capture is created on that host, the capture may contain Ethernet frames larger than the usual 1500/1514 bytes. This happens because the packet capture is taken at a point before the Network Interface Card (NIC); with TSO enabled it is the NIC that splits the data into 1500/1514-byte frames before sending it to the network, so the capture records the frames as they were before that split.
When such a packet capture is imported into Security Analytics, frames larger than 9216 bytes are dropped. The dropped packets are not shown in the Packet Analyzer and are omitted when the artifact is extracted, which results in a corrupted artifact. The verbose import output shows the dropped frames:

# dspcapimport -i impt1 -f test.pcap -t 1 -v
Total bytes written : 570386
Total packets imported : 367
Total packets dropped : 15 <<<<< frames larger than 9216 bytes
To determine whether this is the problem, open the packet capture in Wireshark and in the Security Analytics Packet Analyzer and apply the filter "frame.len>=9216" in both. If the results in Wireshark differ from those in the Packet Analyzer, the capture is most likely affected by this issue.
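The same check can be scripted before a capture is imported, so oversized frames are found without comparing two GUIs by hand. The following is an added example, not part of this article and not a Security Analytics tool: a small standalone parser for classic pcap files (pcapng is not handled) that counts frames whose on-the-wire length, the value Wireshark shows as frame.len, is at or above the 9216-byte threshold used in the filter above. The function names, the sample frame sizes and the constructed in-memory capture are all assumptions made for the example.

```python
import struct
from typing import List, Tuple

# Classic pcap magic numbers (microsecond and nanosecond timestamp variants).
PCAP_MAGICS = (0xA1B2C3D4, 0xA1B23C4D)
GLOBAL_HEADER_LEN = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER_LEN = 16   # ts_sec, ts_frac, incl_len (caplen), orig_len (len)
THRESHOLD = 9216         # frames at or above this size match "frame.len>=9216"


def _byte_order(magic_bytes: bytes) -> str:
    """Return the struct byte-order prefix ('<' or '>') the file was written with."""
    for order in ("<", ">"):
        (magic,) = struct.unpack(order + "I", magic_bytes)
        if magic in PCAP_MAGICS:
            return order
    raise ValueError("not a classic pcap file (pcapng is not handled by this example)")


def scan_pcap(pcap_bytes: bytes, threshold: int = THRESHOLD) -> Tuple[int, List[Tuple[int, int]]]:
    """Walk every record and return (total_frames, [(frame_number, orig_len), ...])
    for frames whose original length is >= threshold. orig_len is the length on
    the wire (Wireshark's frame.len), which is what matters for the import limit;
    caplen may be smaller if the capture used a snaplen."""
    order = _byte_order(pcap_bytes[:4])
    offset = GLOBAL_HEADER_LEN
    total = 0
    oversized: List[Tuple[int, int]] = []
    while offset + RECORD_HEADER_LEN <= len(pcap_bytes):
        _ts_sec, _ts_frac, caplen, origlen = struct.unpack(
            order + "IIII", pcap_bytes[offset:offset + RECORD_HEADER_LEN]
        )
        offset += RECORD_HEADER_LEN
        if offset + caplen > len(pcap_bytes):
            raise ValueError(f"truncated record at frame {total + 1}")
        total += 1
        if origlen >= threshold:
            oversized.append((total, origlen))
        offset += caplen  # skip the captured bytes; contents are irrelevant here
    return total, oversized


def build_sample_pcap(frame_sizes: List[int], order: str = "<") -> bytes:
    """Construct an in-memory pcap (assumed sample data, not a real capture) with one
    Ethernet (linktype 1) record per requested size, so the scanner can be exercised
    offline. Frame contents are zero-filled padding."""
    header = struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)
    records = []
    for i, size in enumerate(frame_sizes):
        record_header = struct.pack(order + "IIII", 1_700_000_000 + i, 0, size, size)
        records.append(record_header + bytes(size))
    return header + b"".join(records)


def report(pcap_bytes: bytes, threshold: int = THRESHOLD) -> str:
    """Human-readable summary mirroring the dspcapimport counters."""
    total, oversized = scan_pcap(pcap_bytes, threshold)
    lines = [f"Total packets in capture : {total}",
             f"Frames >= {threshold} bytes  : {len(oversized)} (would be dropped on import)"]
    for number, length in oversized:
        lines.append(f"  frame {number}: {length} bytes")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: two normal 1514-byte frames, one frame exactly at the
    # threshold, a small frame, and a TSO-sized 32 KiB frame.
    sample = build_sample_pcap([1514, 1514, 9216, 64, 32768])
    print(report(sample))
```

To check a real file, read it with `open(path, "rb").read()` and pass the bytes to `report()`; a non-empty list means the import will silently drop those frames and any artifact reassembled from them will be incomplete. The script only detects the condition: the capture-side fix is to take captures on a host with segmentation offload disabled (on Linux, `ethtool -K <iface> tso off gso off`) so the recorded frames are the sizes that actually go on the wire.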