Data Loss Prevention

I'm setting up a new network monitor that will be connected to a SPAN port and on the Configure Server page you need to check a box to select the NIC you want to use for to monitor network traffic.

We are going to use one of the NICs built into the server and they are all the exact same make and model.  The only difference shown between the choices is a long string of numbers following \Device\NPF_{

It is not the mac address or the device ID numbers I see in the NIC properties in Windows.  I scrolled through all the properties details and didn't see a match.

How can we determine which check-box to select for the NIC we will use?

Hi Netuser,

Please refer below

http://www.symantec.com/connect/forums/how-setup-network-monitor-dlp-test-environment

http://www.symantec.com/connect/forums/no-nic-when-configuring-monitor-server

http://www.symantec.com/connect/forums/dlp-and-web-filter-isa-2006#comment-6680211

I don't see anything in those links that describe how to match the NIC descriptions shown in the console with physical NICs.

Hi netuser,

 I dont know how to determine the right one, but you can do it in an empiric way. select them one by one and see if you capture something (looking at temporary file generated by the solution or setting a test policy with a very specific keyword), or select them all check that your system is working and remove them one by one to determine which one is the right one.

 If you dont use the other NICs you can also just select them all it will work fine.

 regards

I don't want to select them all because one of them will be the one used to communicate between the discover server and enforce server.

The identification number shown must mean something, but I don't know where to find it.  There must be something better than just randomly trying them all.  I don't know why it doesn't use some easier to match number like the mac address instead.  The label used in Windows such as "local area connection 2"  would be even better.

Why show that number at all if it isn't useful to identify one nic from another?

it is not an issue as you will only monitor some specific protocol (SMTP, HTTP,...) with packet capture.

I agree with you that using an identifier that we cant (or not easy because may be someone know how to do) use to identify is a "strange" idea.

On Windows you can use the getmac utility. This will give you two columns -- Physical Address and Transport Name. The transport name is what you see in DLP. Combined with "ipconfig /all" You should be able to match up the two by MAC address and then turn on the right interface for capture.

Getmac info does not appear to match anything.

Had the same issue. I solved it by installing wireshark and going to Capture -> Interfaces (CTL+I)

From there you'll see all of your NICs and their traffic. 

Click on Details will get you the full interface ID to match up with DLP.

Just make sure you don't mess up your winpcap install when installing Wireshark!

Tim

I see it now.  The server the DLP console was showing as Network Monitor was a different server than the one that was labeled as Network Monitor in Windows.