PacketCapture restarts excessively
Hi all,
Actually, we encounter the following error message: "Code 1007 PacketCapture restarts excessively. Process PacketCapture has restarted 3 times during last 16 minutes."
I checked the PacketCapture.log; it shows that from 02/19/13 10:18:55 to 02/19/13 10:35:27, PacketCapture was restarted three times. The restarts were successful, as at the end there is a line "02/19/13 10:32:18 [0x00001220] INFO PacketCapture - Beginning capture on device Broadcom L2 NDIS client driver: ........"
Could anyone tell me the general conditions which lead to a restart of PacketCapture?
Also, why does DLP show the error "PacketCapture restarts excessively" even though PacketCapture was successfully restarted each time?
I also attach the log PacketCapture.log.
Thanks a lot for advice.
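The error text above states the rule the monitor applies: it counts restarts inside a time window, and whether each restart succeeded does not matter. The following script, an added example and not Symantec code or the poster's log, applies that same rule (3 restarts within 16 minutes) to a PacketCapture.log. It assumes that every "Beginning capture on device" line marks one (re)start and that timestamps use the MM/DD/YY HH:MM:SS layout seen in the quoted line; the sample lines are constructed.

```python
"""Flag bursts of PacketCapture restarts the way the "Code 1007" check describes.

Added example, not Symantec code. Assumptions: each "Beginning capture on device"
line marks one successful (re)start, and timestamps look like 02/19/13 10:32:18.
"""
import re
import sys
from datetime import datetime, timedelta

# Constructed sample log, in the format of the line quoted in the thread.
SAMPLE_LOG = """\
02/19/13 10:18:55 [0x00001220] INFO PacketCapture - Beginning capture on device Broadcom L2 NDIS client driver
02/19/13 10:25:40 [0x00001220] INFO PacketCapture - Beginning capture on device Broadcom L2 NDIS client driver
02/19/13 10:32:18 [0x00001220] INFO PacketCapture - Beginning capture on device Broadcom L2 NDIS client driver
02/19/13 11:50:01 [0x00001220] INFO PacketCapture - Beginning capture on device Broadcom L2 NDIS client driver
"""

LINE_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) .*Beginning capture on device")
TS_FMT = "%m/%d/%y %H:%M:%S"


def restart_times(log_text):
    """Return the sorted timestamps of lines that mark a (re)start of capture."""
    times = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            times.append(datetime.strptime(m.group(1), TS_FMT))
    return sorted(times)


def excessive_windows(times, limit=3, window=timedelta(minutes=16)):
    """Return (first, last, count) for each burst of >= limit restarts whose
    first and last timestamps lie within `window` of each other."""
    hits = []
    i = 0
    while i < len(times):
        j = i
        # extend the burst while the next restart still falls inside the window
        while j + 1 < len(times) and times[j + 1] - times[i] <= window:
            j += 1
        count = j - i + 1
        if count >= limit:
            hits.append((times[i], times[j], count))
            i = j + 1  # do not report the same burst again from a later start
        else:
            i += 1
    return hits


def check_log(log_text):
    """True when the log contains at least one burst that would raise Code 1007."""
    return len(excessive_windows(restart_times(log_text))) > 0


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for first, last, n in excessive_windows(restart_times(text)):
        print(f"{n} restarts between {first} and {last}")
```

Run it against the real log with `python check_restarts.py PacketCapture.log`; with no argument it evaluates the constructed sample, in which the three restarts between 10:18:55 and 10:32:18 trip the threshold while the later one at 11:50:01 does not.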
Please restart the Vontu services in the order mentioned in the Admin guide.
Hello,
But my question is: what are the conditions that make PacketCapture restart?
Hi,
Please refer to the links below:
https://www-secure.symantec.com/connect/ideas/pack...
https://www-secure.symantec.com/connect/forums/sym...
https://www-secure.symantec.com/connect/forums/cor...
I also attach yesterday's load and the server configuration, in order to see whether it is due to a bad configuration.
Yesterday's load:
Data: 15.49 GB
Messages: 57,274
Incidents: 65
Data: 7.73 GB
Messages: 799,584
Incidents: 0
Server configuration:
CPU: Intel Xeon CPU L5640 @ 2.27GHz 2x2266
OS: Microsoft Windows Server 2008 R2 Standard Service Pack
Memory: 32757 MB
BoxMonitor.FileReaderMemory : -Xrs -Xms4096M -Xmx4096M -Xss2048K
PacketCapture restarts excessively when the traffic is heavily corrupted.
Install Wireshark on the monitor. Take a 30 second capture and run it through the expert analysis.
Check how much raw traffic is coming in.
Look at the analysis and look at the errors and warnings.
I'm pretty sure there are one or more KB articles that cover this issue.
JGT
--
John G. Thompson
JOAT(MON)
Hi JGT,
Thanks a lot for your advice. I'll do that, I will let you know once I finish the test.
BTW, do you know how exactly the "Message Wait Time" is calculated? Before, we thought it was the difference between the current time and the reception time of the oldest file which is not yet processed. But I find that this seems not to be true.
Regards,
Use Wireshark to capture the traffic. In a lot of cases I have seen, there is dirty traffic.
That can mean DUPLICATE streams of traffic and also too much traffic.
Most of the time it is just dirty traffic.
Also use the attached tool to analyze the traffic.
Please make sure to mark this comment as a solution to your problem, when possible.
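The two things the advice above asks you to check, how much raw traffic arrives and whether streams are duplicated, can be read straight from the 30 second capture. The script below is an added example; it is not the tool attached to the thread and not Symantec code. It reads a classic libpcap file as written by Wireshark or `tshark -w`, reports frames, bytes and average Mbit/s, and counts frames whose bytes exactly match a frame seen within DUP_WINDOW seconds, which is the signature of a SPAN or tap delivering the same packet twice. DUP_WINDOW and the inline sample capture are constructed assumptions.

```python
"""Summarise a pcap for the two 'dirty traffic' symptoms named in the thread:
raw traffic volume and duplicated frames.

Added example, not the tool attached to the thread. Assumes a classic libpcap
file (magic 0xa1b2c3d4, as written by Wireshark / tshark -w). Two frames with
identical bytes captured within DUP_WINDOW seconds count as one duplicate.
"""
import struct
import sys

PCAP_MAGIC = 0xA1B2C3D4
DUP_WINDOW = 0.05  # seconds; assumption, tune to the mirror setup


def parse_pcap(data):
    """Yield (timestamp_seconds, frame_bytes) from a classic pcap buffer."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:  # same magic written by a big-endian host
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file")
    offset = 24  # skip the global header
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        frame = data[offset:offset + incl_len]
        offset += incl_len
        yield ts_sec + ts_usec / 1e6, frame


def summarise(data):
    """Return volume and duplicate statistics for a pcap buffer."""
    first = last = None
    total_bytes = frames = dups = 0
    last_seen = {}  # frame bytes -> timestamp of the last identical frame
    for ts, frame in parse_pcap(data):
        frames += 1
        total_bytes += len(frame)
        first = ts if first is None else first
        last = ts
        prev = last_seen.get(frame)
        if prev is not None and ts - prev <= DUP_WINDOW:
            dups += 1
        last_seen[frame] = ts
    duration = (last - first) if frames and last > first else 0.0
    mbps = total_bytes * 8 / duration / 1e6 if duration else 0.0
    return {
        "frames": frames,
        "bytes": total_bytes,
        "duration_s": duration,
        "mbit_per_s": mbps,
        "duplicates": dups,
        "duplicate_pct": 100.0 * dups / frames if frames else 0.0,
    }


def build_pcap(records):
    """Build a little-endian classic pcap from (ts_seconds, frame) pairs (test data only)."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1))
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1e6))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame))
        out += frame
    return bytes(out)


# Constructed sample: two fake Ethernet frames (dst MAC, src MAC, EtherType 0x0800, padding).
FRAME_A = bytes.fromhex("001122334455" "66778899aabb" "0800") + b"A" * 50     # 64 bytes
FRAME_B = bytes.fromhex("66778899aabb" "001122334455" "0800") + b"B" * 1486   # 1500 bytes
SAMPLE_PCAP = build_pcap([
    (1361269135.000000, FRAME_A),
    (1361269135.000020, FRAME_A),  # mirrored copy 20 us later -> duplicate
    (1361269135.500000, FRAME_B),
    (1361269135.500030, FRAME_B),  # duplicate
    (1361269136.000000, FRAME_A),  # same bytes a second later: a retransmit, not a mirror copy
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for key, value in summarise(data).items():
        print(f"{key}: {value}")
```

Usage: `python pcap_summary.py capture.pcap`. A duplicate percentage near 50% means the monitor is seeing every packet twice, which doubles the load on PacketCapture for no gain, and the Mbit/s figure tells you whether the raw volume alone is the problem.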