
PacketCapture restarts excessively

Created: 19 Feb 2013 | 7 comments

Hi all,

Actually, we encountered an error message: "Code 1007 PacketCapture restarts excessively. Process PacketCapture has restarted 3 times during last 16 minutes."

I checked the PacketCapture.log; it shows that from 02/19/13 10:18:55 to 02/19/13 10:35:27 the PacketCapture was restarted three times. The restarts were successful, as at the end there is the line "02/19/13 10:32:18 [0x00001220] INFO  PacketCapture - Beginning capture on device Broadcom L2 NDIS client driver: ........"

Could anyone tell me the general conditions which lead to the restart of the PacketCapture?

Also, why did DLP show the error "PacketCapture restarts excessively" when the PacketCapture was successfully restarted each time?

I am also attaching the log PacketCapture.log.

Thanks a lot for advice.
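The alert text quoted in the question is a rate threshold (3 restarts within 16 minutes), not a report that a restart failed, so a run of restarts that each succeed still trips it. As an added example that is not part of this post or of the product, the following Python reproduces that kind of check over constructed log lines modelled on the "Beginning capture on device ..." line quoted above. It assumes that every such line marks a (re)start of the capture; that, the regex for the line layout, and the sample lines themselves are assumptions, not documented behaviour.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the PacketCapture.log line quoted in the question.
# These are NOT lines from the attached log; timestamps were chosen so that three
# capture starts fall inside a 16-minute window and a fourth falls outside it.
SAMPLE_LOG = """\
02/19/13 10:18:55 [0x00001220] INFO  PacketCapture - Beginning capture on device Broadcom L2 NDIS client driver: (constructed)
02/19/13 10:19:03 [0x00001220] INFO  PacketCapture - (constructed filler line that is not a capture start)
02/19/13 10:25:40 [0x00001220] INFO  PacketCapture - Beginning capture on device Broadcom L2 NDIS client driver: (constructed)
02/19/13 10:32:18 [0x00001220] INFO  PacketCapture - Beginning capture on device Broadcom L2 NDIS client driver: (constructed)
02/19/13 11:10:00 [0x00001220] INFO  PacketCapture - Beginning capture on device Broadcom L2 NDIS client driver: (constructed)
"""

# Assumed layout: "<MM/DD/YY HH:MM:SS> [<thread id>] <LEVEL>  PacketCapture - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[0x[0-9A-Fa-f]+\] "
    r"(?P<level>\w+)\s+PacketCapture - (?P<msg>.*)$"
)
START_MARKER = "Beginning capture on device"  # assumption: one line per (re)start


def parse_capture_starts(lines):
    """Return the timestamps of all lines that mark a capture (re)start."""
    starts = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group("msg").startswith(START_MARKER):
            starts.append(datetime.strptime(m.group("ts"), "%m/%d/%y %H:%M:%S"))
    return starts


def flag_excessive_restarts(lines, threshold=3, window=timedelta(minutes=16)):
    """Sliding-window check: for each start, count starts within `window` before it
    (inclusive). Returns (timestamp, count) for every start at which the count
    reaches `threshold`. 3 and 16 minutes are the values from the alert text."""
    starts = parse_capture_starts(lines)
    flagged = []
    for i, t in enumerate(starts):
        count = sum(1 for earlier in starts[: i + 1] if t - earlier <= window)
        if count >= threshold:
            flagged.append((t, count))
    return flagged


def demo():
    """Run the check over the constructed log and format the result like the log."""
    return [
        (t.strftime("%m/%d/%y %H:%M:%S"), count)
        for t, count in flag_excessive_restarts(SAMPLE_LOG.splitlines())
    ]


if __name__ == "__main__":
    for ts, count in demo():
        print(f"{ts}: {count} capture starts within the last 16 minutes")
```

The filler line shows that only the start marker is counted, and the 11:10:00 start shows the window sliding: it is more than 16 minutes after the previous three, so it is not flagged on its own. When correlating this with the alert, check whether the first "Beginning capture" after a service start is counted as a restart by the product; this example counts every marker.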


kishorilal1986:

Please restart the Vontu services in the sequence mentioned in the Admin guide.

DLP tester:

Hello,

But my question is: what are the conditions that cause the restart of PacketCapture....

DLP tester:

I am also attaching the daily charge and the server configuration, in order to see if it is due to a bad configuration.

Charges of yesterday:

  1. SMTP

       Data: 15.49 GB
       Messages: 57,274
       Incidents: 65

  2. HTTP

       Data: 7.73 GB
       Messages: 799,584
       Incidents: 0


Server configuration:

CPU: Intel Xeon CPU L5640 @ 2.27GHz 2x2266

OS: Microsoft Windows Server 2008 R2 Standard Service Pack

Memory: 32757 MB

BoxMonitor.FileReaderMemory : -Xrs -Xms4096M -Xmx4096M -Xss2048K

jgt10:

PacketCapture restarts excessively when the traffic is heavily corrupted.

Install Wireshark on the monitor. Take a 30-second capture and run it through the expert analysis.

Check how much raw traffic is coming in.

Look at the analysis and look at the errors and warnings.

I'm pretty sure there are one or more KB articles that cover this issue.

JGT

--
John G. Thompson
JOAT(MON)

DLP tester:

Hi JGT,

Thanks a lot for your advice. I'll do that, and I will let you know once I finish the test.

BTW, do you know how exactly the "Message Wait Time" is calculated? Before, we thought it was the difference between the current time and the reception time of the oldest file that has not yet been processed. But I find that this seems not to be true.

Regards,

DLP Solutions:

Use Wireshark to capture the traffic. In a lot of cases I have seen, there is dirty traffic.

That can mean DUPLICATE streams of traffic and also too much traffic.

Most of the time it is just dirty traffic.

Also use the attached tool to analyze the traffic.

Attachment: Packet Analyzer.zip (362.99 KB)

Please make sure to mark this as a solution to your problem, when possible.
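The two replies above name the same two symptoms of "dirty" traffic on the span/tap feeding the monitor: duplicate copies of packets (for example the same packet mirrored from more than one port) and frames whose lengths do not add up (corrupted or snapped). As an added example that is neither the attached Packet Analyzer tool nor Wireshark's expert analysis, the following pure-Python pcap reader counts those two conditions over a small capture it builds in memory. Everything in it is constructed: the MAC and IP addresses, the ports and payloads, and the pcap records; it assumes classic little-endian pcap with an Ethernet link type and does not validate checksums.

```python
import struct

# ---- helpers that build a small, constructed pcap entirely in memory ----

def ipv4_header(src, dst, payload_len, total_len=None):
    """Minimal IPv4 header, no options, checksum left at zero (not validated here).
    total_len can be forced to a wrong value to fabricate a corrupted packet."""
    if total_len is None:
        total_len = 20 + payload_len
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                       bytes(int(o) for o in src.split(".")),
                       bytes(int(o) for o in dst.split(".")))


def tcp_header(sport, dport):
    # data offset 5 (20 bytes), flags PSH|ACK, window 65535, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)


def ethernet_frame(src, dst, sport, dport, payload, total_len=None):
    """Ethernet II frame (constructed MACs, EtherType 0x0800) carrying IPv4/TCP."""
    ip = ipv4_header(src, dst, 20 + len(payload), total_len) + tcp_header(sport, dport) + payload
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00" + ip


def pcap_file(records):
    """records: list of (captured_bytes, original_length). Classic pcap, little-endian,
    snaplen 65535, link type 1 (Ethernet). Timestamps are constructed."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, (data, orig_len) in enumerate(records):
        out += struct.pack("<IIII", 1361268000 + i, 0, len(data), orig_len) + data
    return out


# ---- the analysis: walk the records and classify each frame ----

def analyze_pcap(blob):
    """Count total frames, truncated frames (captured < original length), non-IPv4 or
    too-short frames, IPv4 packets whose total length exceeds the bytes actually
    present, and byte-identical duplicate IPv4 packets (Ethernet header ignored)."""
    magic, = struct.unpack_from("<I", blob, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only classic little-endian pcap is handled in this example")
    stats = {k: 0 for k in ("frames", "truncated", "non_ipv4_or_short",
                            "ip_length_mismatch", "duplicate", "unique_ipv4")}
    seen = set()
    offset = 24  # size of the pcap global header
    while offset + 16 <= len(blob):
        _ts_sec, _ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", blob, offset)
        offset += 16
        data = blob[offset:offset + incl_len]
        offset += incl_len
        stats["frames"] += 1
        if len(data) < incl_len or incl_len < orig_len:
            stats["truncated"] += 1          # snapped by the capture, or file cut short
            continue
        if len(data) < 34 or data[12:14] != b"\x08\x00":
            stats["non_ipv4_or_short"] += 1  # not IPv4, or shorter than Ethernet + IPv4 header
            continue
        ip_total_len = struct.unpack_from("!H", data, 16)[0]
        if ip_total_len > len(data) - 14:
            stats["ip_length_mismatch"] += 1  # header claims more bytes than the frame holds
            continue
        packet = data[14:14 + ip_total_len]   # drop Ethernet header and any trailing padding
        if packet in seen:
            stats["duplicate"] += 1
        else:
            seen.add(packet)
            stats["unique_ipv4"] += 1
    return stats


# Constructed capture: two good frames, one exact duplicate, one corrupted length,
# one frame snapped at 40 bytes.
GOOD_A = ethernet_frame("10.0.0.5", "10.0.0.80", 40000, 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
GOOD_B = ethernet_frame("10.0.0.5", "10.0.0.25", 40001, 25, b"EHLO mail.example.test\r\n")
BAD_LEN = ethernet_frame("10.0.0.9", "10.0.0.80", 40002, 80, b"x" * 10, total_len=1500)

SAMPLE_PCAP = pcap_file([
    (GOOD_A, len(GOOD_A)),        # normal frame
    (GOOD_A, len(GOOD_A)),        # identical copy, e.g. the same packet mirrored twice
    (GOOD_B, len(GOOD_B)),        # normal frame
    (BAD_LEN, len(BAD_LEN)),      # IPv4 total length says 1500, frame is far shorter
    (GOOD_B[:40], len(GOOD_B)),   # captured length 40 < original length
])


def demo():
    return analyze_pcap(SAMPLE_PCAP)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A high duplicate count relative to unique packets points at the span or tap configuration (the same traffic arriving over two mirrored paths), while a high mismatch or truncation count points at the capture path itself; either is worth fixing before tuning the capture process, since the monitor has to parse every copy.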