DLP Network Monitor running on Linux is not detecting all violating content and is dropping large amounts of packets

Article ID: 170028

Products

Data Loss Prevention Network Monitor

Issue/Introduction

A Linux-based Network Monitor may be able to see the web traffic it is supposed to monitor, yet generate no incidents, or fewer than expected, from that data.

Inspection of the traffic received by the Monitor may reveal that some packets are dropped by the server (resulting in, e.g., missing attachments or whole parts of a message), and there may also be a larger number of jumbo packets in the stream. Because of this, the parts of the incoming message that contain violating data are lost and the server is not able to generate the corresponding incidents.

Packet loss can be confirmed by checking the PacketCapture logs on the Network Monitor. If there's a large number of entries "CaptureProcessor - Discarding x byte packet", this is a confirmation that the server is losing some traffic. 

Another symptom can be that for those incidents that do get generated, the "Message Body" section of the Incident Snapshot may contain an error message "Http Message is corrupted". This is another indicator that the Network Monitor is discarding packets. 

Cause

This may be caused by Linux-specific features: Large Receive Offload (LRO), Generic Segmentation Offload (GSO), Generic Receive Offload (GRO) and/or TCP Segmentation Offload (TSO). These features are enhancements introduced in newer versions of Linux. By default they are enabled, which means that TCP segmentation and reassembly are performed by the network layer driver. This bypasses the packet capture hooks that are responsible for catching the packets exactly as they appear on the wire.

As a result, there will be many more jumbo packets in the stream received by a Network Monitor that runs on Linux. These packets will then be discarded, resulting in incomplete messages and lowered detection.

Resolution

First, check if the features are enabled by running the following command:

ethtool -k eth0

The features to look for are: generic-segmentation-offload, generic-receive-offload, large-receive-offload and tcp-segmentation-offload.

Disable the features by running the following commands:

ethtool --offload eth0 lro off
ethtool --offload eth0 gso off
ethtool --offload eth0 gro off
ethtool --offload eth0 tso off

Then run ethtool -k eth0 again to check if all features are off now.

Run the commands for the interface used to capture and analyze incoming traffic on the Network Monitor. eth0 is only an example and the interface name can be different on your server.
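The check-disable-recheck procedure above, as an added example that is not part of the original article: a POSIX shell helper that parses "ethtool -k" output for the four offload features, flags any that the driver marks as fixed (ethtool cannot change those), and wraps the disable commands. The interface name eth0 and the availability of ethtool on the Monitor are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: audit the offload features
# that "ethtool -k <iface>" reports, flag the four that bypass the capture
# hooks, and disable them. The interface name "eth0" is only an assumption.

OFFLOADS="generic-segmentation-offload generic-receive-offload large-receive-offload tcp-segmentation-offload"

# Constructed sample of "ethtool -k eth0" output so the parsing can be
# exercised without a live interface or root privileges.
SAMPLE_ETHTOOL_OUTPUT='Features for eth0:
rx-checksumming: on
tx-checksumming: on
tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on'

# enabled_offloads: read "ethtool -k" output on stdin and print, one per
# line, each monitored feature whose state is "on". A trailing "[fixed]"
# means the driver does not let ethtool change the setting, so the marker
# is kept in the output to make that limitation visible.
enabled_offloads() {
    out=$(cat)
    for feature in $OFFLOADS; do
        state=$(printf '%s\n' "$out" | sed -n "s/^$feature: //p")
        case $state in
            on)           echo "$feature" ;;
            "on [fixed]") echo "$feature [fixed]" ;;
        esac
    done
}

# disable_offloads <iface>: turn off the four features on a real interface
# (needs root and ethtool); these are the article's resolution commands.
disable_offloads() {
    iface=$1
    for opt in lro gso gro tso; do
        ethtool --offload "$iface" "$opt" off
    done
}

# audit_interface <iface>: live re-check after disabling; returns 0 when
# none of the four features is still on, 1 otherwise.
audit_interface() {
    remaining=$(ethtool -k "$1" | enabled_offloads)
    [ -z "$remaining" ]
}

# Dry run against the constructed sample (no ethtool call involved).
printf '%s\n' "$SAMPLE_ETHTOOL_OUTPUT" | enabled_offloads
```

On a live Monitor, run `disable_offloads eth0` as root and then `audit_interface eth0 && echo "capture interface clean"`; a feature reported as "on [fixed]" will not clear and needs a driver-level change rather than ethtool.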