PCAP download is empty or 0 bytes in size

Article ID: 222039

Updated On:

Products

Security Analytics, Security Analytics - VA

Issue/Introduction

Security Analytics allows you to download raw PCAP files from traffic captured on the system. On occasion, the downloaded PCAP file may be empty or 0 bytes in size.

Resolution

This can be caused by several different issues.

  • The timespan selected doesn't contain any PCAP data
  • The filter specified is too narrow and no packets match its criteria
  • An error was triggered
  • You are attempting to download the PCAP during a log rotation, which may kill the HTTP session (usually indicated by a second download attempt succeeding)
    • This bug is alleviated in SA version 8.2.4 or greater

If you do encounter a 0-byte PCAP file, check the /var/log/messages file for any errors that would indicate why the file is empty, and be ready to share those results with technical support.
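
Before opening a support case, it helps to record exactly what kind of "empty" the download is. The following is an added example, not code from this article or from the product: it tells a 0-byte file apart from a valid capture that holds a header but no packets, and from a download cut off partway. The article does not say which capture format is produced, so the sketch handles both classic pcap and pcapng using their public file layouts; the state names it returns are this example's own labels.

```python
import struct

# Classic pcap magic (bytes as stored) -> struct byte-order prefix.
PCAP_MAGIC = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",  # microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",  # nanosecond timestamps
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"  # Section Header Block type
PCAPNG_PACKET_BLOCKS = {2, 3, 6}    # obsolete Packet, Simple Packet, Enhanced Packet

def triage_capture(data: bytes):
    """Return (state, packet_count) for the raw bytes of a downloaded capture."""
    if not data:
        return ("zero-byte", 0)
    if data[:4] in PCAP_MAGIC:
        return _walk_pcap(data, PCAP_MAGIC[data[:4]])
    if data[:4] == PCAPNG_MAGIC:
        return _walk_pcapng(data)
    return ("not-a-capture", 0)

def _done(pos, size, count):
    # Leftover bytes after the last complete record mean the file was cut off.
    if pos != size:
        return ("truncated", count)
    return ("has-packets" if count else "header-only", count)

def _walk_pcap(data, order):
    if len(data) < 24:                    # global header is 24 bytes
        return ("truncated", 0)
    pos, count = 24, 0
    while pos + 16 <= len(data):          # 16-byte record header
        incl_len = struct.unpack_from(order + "I", data, pos + 8)[0]
        if pos + 16 + incl_len > len(data):
            break                         # packet body cut off
        pos, count = pos + 16 + incl_len, count + 1
    return _done(pos, len(data), count)

def _walk_pcapng(data):
    # Assumes one section; byte-order magic 0x1A2B3C4D sits at offset 8.
    order = "<" if data[8:12] == b"\x4d\x3c\x2b\x1a" else ">"
    pos, count = 0, 0
    while pos + 12 <= len(data):          # smallest legal block is 12 bytes
        btype, blen = struct.unpack_from(order + "II", data, pos)
        if blen < 12 or blen % 4 or pos + blen > len(data):
            break
        pos, count = pos + blen, count + (btype in PCAPNG_PACKET_BLOCKS)
    return _done(pos, len(data), count)
```

Call it as `triage_capture(open(path, "rb").read())` on the downloaded file and include the returned state alongside the /var/log/messages excerpts.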