Code 1008: Network Monitor Packet Capture Fails to Start
Article ID: 172617

Products

Data Loss Prevention Network Monitor

Issue/Introduction

  • You notice that packet capture fails to start automatically on your DLP Network Monitor.
  • You try to start packet capture manually and it still fails to start.
  • You notice message code 1008 in the DLP UI: "process went down before it had fully started".

FileReader0.log

Jul 26, 2018 3:25:47 PM com.vontu.boxmonitor.MonitorProcessProxy launch
INFO: Starting PacketCapture.
Jul 26, 2018 3:25:47 PM com.vontu.boxmonitor.StatusTracker$BoxMonitorStatusLogger checkBoxMonitorStatusChange
INFO: (BOXMONITOR.13) Detection Server status changed from SOME_RUNNING to STARTING
Jul 26, 2018 3:25:47 PM com.vontu.boxmonitor.StatusTracker$BoxMonitorStatusLogger checkBoxMonitorStatusChange
INFO: Monitor status changed from SOME_RUNNING to STARTING.
Jul 26, 2018 3:25:47 PM com.vontu.logging.LocalLogWriter write
SEVERE: PacketCapture is down. PacketCapture process went down before it had fully started.
Jul 26, 2018 3:25:50 PM com.vontu.boxmonitor.StatusTracker$BoxMonitorStatusLogger checkBoxMonitorStatusChange
INFO: (BOXMONITOR.13) Detection Server status changed from STARTING to SOME_RUNNING
Jul 26, 2018 3:25:50 PM com.vontu.boxmonitor.StatusTracker$BoxMonitorStatusLogger checkBoxMonitorStatusChange
INFO: Monitor status changed from STARTING to SOME_RUNNING.
Jul 26, 2018 3:25:50 PM com.vontu.logging.LocalLogWriter write
INFO: Detection Server started. Some detection server processes are disabled and haven't been started.
Jul 26, 2018 3:25:50 PM com.vontu.boxmonitor.ProcessWatcher processWentDown
INFO: Process PacketCapture went down with exit code 1.
Jul 26, 2018 3:26:06 PM com.vontu.communication.transport.ChannelManager checkOperationTimeouts
INFO: timing out operation: com.vontu.communication.transport.AcceptWrapperOperation:1532633106019:null:com.vontu.communication.transport.SessionIdentifier@69f1f1c3
Jul 26, 2018 3:26:06 PM com.vontu.communication.transport.ChannelManager processOperationResult
INFO: Operation com.vontu.communication.transport.AcceptWrapperOperation:1532633106019:null:com.vontu.communication.transport.SessionIdentifier@69f1f1c3 failed with exception: com.vontu.communication.transport.exception.OperationTimeoutException
Jul 26, 2018 3:26:06 PM com.vontu.communication.transport.ChannelManager handleOperationFailure
INFO: removing session from cache: com.vontu.communication.transport.SessionIdentifier@69f1f1c3 for id: null

SymantecDLPDetectionServer.log

STATUS | wrapper  | 2018/07/26 15:25:05 | Launching a JVM...
INFO   | jvm 1    | 2018/07/26 15:25:05 | WrapperManager: Initializing...
INFO   | jvm 1    | 2018/07/26 15:25:06 | PC>
INFO   | jvm 1    | 2018/07/26 15:25:06 | PC> We trust you have received the usual lecture from the local System
INFO   | jvm 1    | 2018/07/26 15:25:06 | PC> Administrator. It usually boils down to these three things:
INFO   | jvm 1    | 2018/07/26 15:25:06 | PC>
INFO   | jvm 1    | 2018/07/26 15:25:06 | PC>     #1) Respect the privacy of others.
INFO   | jvm 1    | 2018/07/26 15:25:06 | PC>     #2) Think before you type.
INFO   | jvm 1    | 2018/07/26 15:25:06 | PC>     #3) With great power comes great responsibility.
INFO   | jvm 1    | 2018/07/26 15:25:06 | PC>
INFO   | jvm 1    | 2018/07/26 15:25:06 | PC> sudo: no tty present and no askpass program specified

OR:

SymantecDLPDetectionServer log

Level: INFO
Source: jvm 1
Message: PC> sudo: no tty present and no askpass program specified


This is the usual message received when a sudo command is attempted without the required sudo permissions.

Cause

The root cause was found to be the removal of the "#includedir /etc/sudoers.d" line from /etc/sudoers, done as part of the customer hardening their environment. Without that line, sudo ignores every drop-in file under /etc/sudoers.d, including the one the DLP installer creates.

Also, make sure the following entry is present in a file under /etc/sudoers.d, as it is inserted automatically during the DLP 15.5 Network Monitor Server install:

Defaults:protect !requiretty
protect ALL= NOPASSWD: /bin/mount, /bin/umount, /usr/bin/sshfs
protect ALL= NOPASSWD: /lib64/ld-linux-x86-64.so.2 --library-path /opt/Symantec/DataLossPrevention/Detection Server/15.5/Protect/lib/native\:/opt/Symantec/DataLossPrevention/Server JRE/1.8.0_181/lib/amd64/server /opt/Symantec/DataLossPrevention/Detection Server/15.5/Protect/bin/PacketCapture *

Resolution

Re-add the "#includedir /etc/sudoers.d" line to the sudoers file, and restart the SymantecDLPDetectionServer service.
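The following script is an added example, not part of this article or of the DLP product: it checks for the two conditions described above (an active includedir in /etc/sudoers, and the protect user's !requiretty / NOPASSWD PacketCapture entry under /etc/sudoers.d) so the state can be verified before and after the fix. The function names and the constructed fixture files are ours; the default paths are the live system files.

```bash
#!/usr/bin/env bash
# Added example, not from the Broadcom KB article: checks for the two sudoers
# conditions the article describes. Function names and the fixture are ours.

# 0 if the sudoers file still carries an active includedir for /etc/sudoers.d
# ('#includedir' is the classic spelling; sudo 1.9+ also accepts '@includedir').
has_includedir() {
  grep -Eq '^[[:space:]]*[#@]includedir[[:space:]]+/etc/sudoers\.d' "$1"
}

# 0 if a drop-in under the given directory grants the protect user what the
# DLP 15.5 installer writes: no requiretty, and NOPASSWD for PacketCapture.
# (sudo ignores drop-ins whose name contains '.' or ends in '~'.)
has_protect_entry() {
  grep -Eqs '^Defaults:protect[[:space:]]+!requiretty' "$1"/* &&
  grep -Eqs '^protect[[:space:]]+ALL[[:space:]]*=[[:space:]]*NOPASSWD:.*PacketCapture' "$1"/*
}

# Combined check; reports each failed condition on stderr, returns 1 if any failed.
check_packetcapture_sudo() {
  local sudoers="${1:-/etc/sudoers}" dropins="${2:-/etc/sudoers.d}" rc=0
  if ! has_includedir "$sudoers"; then
    echo "FAIL: $sudoers has no '#includedir /etc/sudoers.d' (drop-ins ignored)" >&2; rc=1
  fi
  if ! has_protect_entry "$dropins"; then
    echo "FAIL: no protect !requiretty / NOPASSWD PacketCapture entry under $dropins" >&2; rc=1
  fi
  return "$rc"
}

# Constructed fixture: a hardened sudoers (includedir stripped, as in the article),
# a repaired one, and a drop-in carrying the installer's two lines.
make_fixture() {
  mkdir -p "$1/sudoers.d"
  printf '%s\n' 'root ALL=(ALL) ALL' > "$1/sudoers.hardened"
  printf '%s\n' 'root ALL=(ALL) ALL' '#includedir /etc/sudoers.d' > "$1/sudoers.fixed"
  printf '%s\n' 'Defaults:protect !requiretty' \
    'protect ALL= NOPASSWD: /opt/Symantec/DataLossPrevention/Detection Server/15.5/Protect/bin/PacketCapture *' \
    > "$1/sudoers.d/protect"
}

fixture=$(mktemp -d)
make_fixture "$fixture"
check_packetcapture_sudo "$fixture/sudoers.hardened" "$fixture/sudoers.d" ||
  echo "hardened host: PacketCapture would fail as in the Code 1008 symptom"
check_packetcapture_sudo "$fixture/sudoers.fixed" "$fixture/sudoers.d" &&
  echo "repaired host: sudo configuration for PacketCapture looks complete"
rm -rf "$fixture"
```

On a live host, confirm the repaired file parses with `visudo -c` and that the grant is effective with `sudo -l -U protect` before restarting the service.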