Network Monitor Packet Capture Fails to Start


Article ID: 172627


Updated On:


Data Loss Prevention Network Monitor Data Loss Prevention


Packet capture fails to start automatically on your DLP Network Monitor. When you try to start packet capture manually, it still fails to start. In the DLP UI you see message code 1008: the process went down before it had fully started.

When you try to start PacketCapture manually, you see the following error:

PacketCapture: error while loading shared libraries: cannot open shared object file: No such file or directory. 


BoxMonitor log 

Class: om.vontu.logging.LocalLogWriter
Method: write
Message:  PacketCapture is down. PacketCapture process went down before it had fully started.


SymantecDLPDetectionServer log

Level: INFO
Source:  jvm 1   
Message:  PC> sudo: no tty present and no askpass program specified

This is the usual message when a process attempts to run a sudo command without permission to do so: sudo tried to prompt for a password and had no terminal to prompt on.


PacketCapture needs to run as 'root', but your server has been hardened and does not permit the DLP application to run sudo commands.


Edit the /etc/sudoers file and add the line #includedir /etc/sudoers.d to it. The leading # is part of the directive, not a comment marker.

Also make sure the following entry is present in /etc/sudoers.d; it is inserted automatically during the DLP 15.1 Network Monitor Server install:

# Vontu service user
Defaults:SymantecDLP !requiretty
SymantecDLP ALL= NOPASSWD: /bin/mount, /bin/umount, /usr/bin/sshfs
SymantecDLP ALL= NOPASSWD: /lib64/ --library-path /opt/Symantec/DataLossPrevention/Detection Server/15.1/Protect/lib/native\:/opt/Symantec/DataLossPrevention/Server JRE/1.8.0_162/lib/amd64/server /opt/Symantec/DataLossPrevention/Detection Server/15.1/Protect/bin/PacketCapture *
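A read-only check for the two prerequisites above, as an added example that is not Symantec's code. The function names are hypothetical, and matching on the string PacketCapture assumes the rule names the binary as in the entry shown. It also catches a drop-in that sudo ignores because its file name contains a '.' or ends in '~'.

```shell
#!/bin/sh
# Added example: read-only check of the sudoers prerequisites from this article.
# Function names and default arguments are illustrative, not part of DLP.

# has_includedir SUDOERS DIR: succeeds if SUDOERS has an active includedir for DIR.
has_includedir() {
    # "#includedir" is a directive, not a comment; newer sudo also accepts "@includedir".
    awk -v d="$2" '
        $1 == "#includedir" || $1 == "@includedir" {
            sub(/\/$/, "", $2); if ($2 == d) found = 1
        }
        END { exit !found }' "$1"
}

# dlp_dropin DIR USER: prints the drop-in in DIR that sudo will actually read and
# that holds both the !requiretty default and a NOPASSWD PacketCapture rule for USER.
dlp_dropin() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "${f##*/}" in
            *.*|*~) continue ;;   # sudo silently skips these names in an includedir
        esac
        if grep -Eq "^Defaults:$2[[:space:]]+!requiretty" "$f" &&
           grep -Eq "^$2[[:space:]]+ALL[[:space:]]*=[[:space:]]*NOPASSWD:.*PacketCapture" "$f"
        then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# check_dlp_sudo [SUDOERS] [DIR] [USER]: reports what is missing; 0 when all is in place.
check_dlp_sudo() {
    sudoers=${1:-/etc/sudoers} dir=${2:-/etc/sudoers.d} user=${3:-SymantecDLP}
    rc=0
    has_includedir "$sudoers" "$dir" ||
        { echo "MISSING: #includedir $dir in $sudoers"; rc=1; }
    dlp_dropin "$dir" "$user" >/dev/null ||
        { echo "MISSING: usable $user PacketCapture drop-in in $dir"; rc=1; }
    return $rc
}

# Run as root (the sudoers files are not world-readable): sh script.sh --check
if [ "${1:-}" = "--check" ]; then check_dlp_sudo; fi
```

After any change to these files, `visudo -c` validates the syntax before the next sudo call depends on it.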