Artifacts from imported packet captures are corrupted when there are frames larger than 9216 bytes on Security Analytics

book

Article ID: 169349

calendar_today

Updated On:

Products

Security Analytics

Issue/Introduction

This only affects packet captures that are imported into the Security Analytics appliance. It does not affect packets captured by the Security Analytics.

When TCP Segmentation Offload (TSO) is enabled on an Operating System and a packet capture is created, it is possible that Ethernet frames larger than the common 1500/1514 bytes are created in the capture. This happens because the packet capture is done at a point before the Network Interface Card (NIC - which does the fragmentation to 1500/1514 bytes prior to sending it to the network).

When such a packet capture is imported into Security Analytics, frames larger than 9216 bytes are dropped. The dropped packets will not be shown in the Packet Analyzer, and omitted when the Artifact is extracted, thus resulting in a corrupted artifact.

[[email protected] ~]# dspcapimport -i impt1 -f test.pcap -t 1 -v
Total bytes written : 570386
Total packets imported : 367
Total packets dropped : 15 <<<<< frames larger than 9216 bytes


To determine if this is the problem, open the packet capture with Wireshark and the Security Analytics' Packet Analyzer. Apply the filter "frame.len>=9216". If the results in Wireshark differ to that of the Packet Analyzer, then we might have encountered this issue.

Resolution

Workaround

1. TCP Segmentation Offload should be disabled on the Operating System before a packet capture that needs to be imported into the Security Analytics is created.

This can be done with the commands below :

[email protected]:~# ethtool -K eth0 tso off
[email protected]:~# ethtool -K eth0 gso off


Note : replace eth0 with the entry of your NIC.

2. It is also possible to refragment a large frame into smaller ones with some external tools.