Core files |
The presence of core.* files in the /usr/local/ctccap directory is a sign that the capture failed and wrote a core dump file. |
Boot up delays |
You can notice delays during the boot up procedure and when running various network-related commands if the /etc/resolv.conf file contains the wrong information for the local network. The delays can take the form of a long SSH login attempt when the SSH daemon on the Passive Capture host workstation times out while you use the incorrect DNS resolution information from the /etc/resolv.conf file.
This file can contain incorrect information if it was left over from a static IP configuration on a different network. It can also be left over from when the workstation was shut down while using DHCP, although booting up with DHCP normally creates /etc/resolv.conf file. Fixing the file depends on whether the host workstation is configured for DHCP or static IP information.
|
DHCP |
If the Passive Capture software is configured for DHCP, then do the following steps:
- Log in as user root.
- Delete the file
/etc/resolv.conf .
- Run
shutdown now to enter single-user mode.
- Use the
exit command to leave single-user mode and allow the system to generate a new /etc/resolv.conf file.
|
Static IP |
If the Passive Capture software is configured with a static IP address, then do the following steps:
- Log in as user root.
- Delete the file
/etc/resolv.conf .
- Run
tealeaf ipconfig to reenter the DNS information and exit.
- The program generates a new
/etc/resolv.conf file, which takes effect immediately.
|
Single-user mode |
If you just rebooted the Passive Capture host server or powered it on and you must enter single-user mode, then do the following while you use the GRUB boot loader:
- When the GRUB boot menu is displayed, press
SPACEBAR to prevent any automatic boot.
- Use the arrow keys to select the Red Hat Enterprise Linux™ kernel and version you want to boot.
- Press the
A key to append kernel options.
- At the
grub append prompt, append the word single . Press SPACEBAR and then enter single.
- Press
ENTER to accept the new value and boot.
|
Total large packets exceeded |
The TCP packet size has exceeded the configured limit.
The CX PCA and Packet Forwarder are configured to limit packet size. When a captured packet exceeds the configured limit, the CX PCA reports:
The TCP packet size has exceeded the configured limit
Additionally, this scenario causes missing events during session replay.
To enable the PCA and Packet Forwarder to accept larger packet sizes:
- Edit the CX PCA tuning parameters and enter a new value for the Max large capture packet size.
- Edit the packet forwarder configuration file and add the following entry to increase the maximum captured packet size:
<Capture>
<MaxLargeCapturePktSize>X</MaxLargeCapturePktSize>
</Capture>
Replace X with a numeric value for the maximum capture packet size. The value is represented in kilobytes (KB). By default, the maximum-captured-packet size for the packet forwarder is configured for 40 KB.
The following example shows an entry that increases the maximum captured packet size to 45 KB.
<Capture>
<MaxLargeCapturePktSize>45</MaxLargeCapturePktSize>
</Capture>
|
Viewing capture logs |
Examining the passive capture logs can help you locate a possible problem.
If Capture is not starting, capture.log typically shows the reason for failing to start, such as bad entry syntax or invalid entry in the configuration file.
Another troubleshooting log, maintenance_200xxxxx.log , shows unhealthy conditions that are forcing the restart or shutdown of the Passive Capture software.
Both of these logs can be viewed by the Web Console or by a Linux text editor in the Passive Capture default logs directory. Depending on the version of the Passive Capture software, they are located in /usr/local/ctccap/logs or /var/log/tealeaf .
|
Starting the capture process |
If you try to start the PCA capture process through the Web Console, you may see the following error:
/usr/local/ctccap/bin/tealeaf: line 348: ulimit: core file size: cannot modify limit: Operation not permitted /usr/local/ctccap/bin/tealeaf: line 219: ulimit: core file size: cannot modify limit: Operation not permitted
In some Linux environments (like RHEL7) the behavior of the ulimit utility is modified which causes permission issues for non-root users. The ability to set the core file size to an unlimited size is blocked. To fix this issue complete the following steps:
- Edit the configuration file:
/etc/security/limits.conf, which is used to set the default ulimit core limits (-c option) for specific users
- Add the two lines below to
/etc/security/limits.conf :
ctccap hard core unlimited
ctccap soft core unlimited where ctccap corresponds to the PCA user.
- Save the changes.
- Restart the PCA from the Command line to apply the changes.
|