Data Loss Prevention

  • 1.  PacketCapture restarts excessively

    Posted Feb 19, 2013 12:03 PM

    Hi all,

    We are encountering the error message "Code 1007 PacketCapture restarts excessively. Process PacketCapture has restarted 3 times during last 16 minutes."

    I checked PacketCapture.log; it shows that from 02/19/13 10:18:55 to 02/19/13 10:35:27, PacketCapture was restarted three times. The restarts were successful, as at the end there is a line "02/19/13 10:32:18 [0x00001220] INFO  PacketCapture - Beginning capture on device Broadcom L2 NDIS client driver: ........"

    Could anyone tell me the general conditions that lead to a restart of PacketCapture?

    Also, why does DLP show the error "PacketCapture restarts excessively" when PacketCapture was successfully restarted each time?

    I am also attaching the log PacketCapture.log.

    Thanks a lot for any advice.

    Attachment(s)

    7z
    PacketCapture.7z   200 KB 1 version


  • 2.  RE: PacketCapture restarts excessively

    Posted Feb 20, 2013 01:21 AM

    Please restart the Vontu services in the sequence mentioned in the Admin Guide.



  • 3.  RE: PacketCapture restarts excessively

    Posted Feb 20, 2013 03:57 AM

    Hello,

    But my question is: what are the conditions that cause PacketCapture to restart?



  • 4.  RE: PacketCapture restarts excessively

    Posted Feb 20, 2013 07:54 AM

    Hi,

    Please refer to the links below:

    https://www-secure.symantec.com/connect/ideas/packet-capture-button-smg

    https://www-secure.symantec.com/connect/forums/symantec-dlp-115-monitor-endace-configuration-using-daxextraconfigbat

    https://www-secure.symantec.com/connect/forums/corrupt-office-2007-attachments



  • 5.  RE: PacketCapture restarts excessively

    Posted Feb 20, 2013 08:34 AM

    I am also attaching the daily load and the server configuration, to see whether this is due to a bad configuration.

    Yesterday's load:

    1. SMTP

          Data:  15.49 GB
          Messages: 57,274
          Incidents: 65

    2. HTTP

          Data:  7.73 GB
          Messages: 799,584
          Incidents: 0

    Server configuration:

    CPU: Intel Xeon CPU L5640 @ 2.27GHz 2x2266

    OS: Microsoft Windows Server 2008 R2 Standard Service Pack

    Memory: 32757 MB

    BoxMonitor.FileReaderMemory : -Xrs -Xms4096M -Xmx4096M -Xss2048K



  • 6.  RE: PacketCapture restarts excessively

    Posted Feb 21, 2013 02:03 PM

    PacketCapture restarts excessively when the traffic is heavily corrupted.

    Install Wireshark on the monitor. Take a 30 second capture and run it through the expert analysis.

    Check how much raw traffic is coming in.

    Look at the analysis and look at the errors and warnings.

    I'm pretty sure there is one or more KB articles that cover this issue.

    JGT



  • 7.  RE: PacketCapture restarts excessively

    Posted Feb 22, 2013 04:23 AM

    Hi JGT,

    Thanks a lot for your advice. I'll do that and will let you know once I finish the test.

    BTW, do you know exactly how the "Message Wait Time" is calculated? Previously, we thought it was the difference between the current time and the reception time of the oldest file which is not yet processed. But I find that this does not seem to be true.

    Regards,



  • 8.  RE: PacketCapture restarts excessively

    Trusted Advisor
    Posted Feb 22, 2013 06:01 AM

    Use Wireshark to capture the traffic. In a lot of cases I have seen, there is dirty traffic.

    That can mean DUPLICATE streams of traffic and also too much traffic.

    Most of the time it is just dirty traffic.

    Also use the attached tool to analyze the traffic.

    Attachment(s)

    zip
    Packet Analyzer.zip   362 KB 1 version
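
The two checks suggested in replies 6 and 8 (how much raw traffic is arriving, and whether frames are duplicated), as an added example that is not part of the original thread, the attached tool, or any Symantec code. It reads a classic pcap file; the function names and the sample capture are constructed for illustration.

```python
import hashlib
import io
import struct

def summarize_pcap(stream):
    """Return raw-traffic rate and duplicate-frame counts for a classic pcap stream."""
    magic = stream.read(24)[:4]            # 24-byte global header, magic first
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"                       # written on a little-endian host
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    seen, frames, dupes, wire_bytes = set(), 0, 0, 0
    first = last = None
    while True:
        hdr = stream.read(16)              # per-record header
        if len(hdr) < 16:
            break
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", hdr)
        data = stream.read(incl_len)
        if len(data) < incl_len:
            break                          # truncated final record
        last = ts_sec + ts_usec / 1e6
        first = last if first is None else first
        frames += 1
        wire_bytes += orig_len             # size on the wire, not the snapped size
        digest = hashlib.blake2b(data, digest_size=16).digest()
        dupes += digest in seen            # byte-identical frame already seen
        seen.add(digest)
    span = (last - first) if frames > 1 else 0.0
    return {
        "frames": frames,
        "duplicates": dupes,
        "duplicate_ratio": dupes / frames if frames else 0.0,
        "bytes_per_s": wire_bytes / span if span else 0.0,
    }

def build_sample_pcap():
    """Constructed sample: four 100-byte frames over one second, one an exact repeat."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frames = [b"\xaa" * 100, b"\xbb" * 100, b"\xaa" * 100, b"\xcc" * 100]
    stamps = [(1361268000, 0), (1361268000, 250000), (1361268000, 500000), (1361268001, 0)]
    for (sec, usec), frame in zip(stamps, frames):
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return io.BytesIO(out)

if __name__ == "__main__":
    print(summarize_pcap(build_sample_pcap()))
```

Wireshark saves pcapng by default, so save the 30 second capture in the classic pcap format and pass the opened file (mode `"rb"`) to `summarize_pcap`. A high duplicate ratio is consistent with the same stream being mirrored to the monitor twice.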