IBM Support

QRadar Incident Forensics: Unable to add new files to Case Management Collections

Troubleshooting


Problem

Packet capture files (pcap) do not display in the Case Management view of the user interface after the files are successfully uploaded. This issue can occur when users add packet capture files through the QRadar Incident Forensics user interface or when they upload the files by using FTP.

Symptom

  1. Log in to the QRadar UI.
  2. Click the Admin tab.
  3. Scroll down to Forensics > Case Management.
  4. Click Add Files.
  5. Click Start upload.
     
Results
The PCAP file is not displayed under Case Management because the import found no valid documents. Users who view case collections in the user interface see the collection listed as Case Management > Cases > Collections > [0], that is, with a document count of zero.

Diagnosing The Problem

When this issue occurs, the decapper process reports that there are no documents to import. Administrators with root access can review /var/log/qradar.log for INFO messages similar to the following:
Aug 21 12:29:10 forensics decapper: [task13] decapper.packetSource: [INFO] PCAPTest:     Total Documents:     = 0
Aug 21 12:29:10 forensics decapper: [task13] decapper.packetSource: [INFO] PCAPTest:     Total Documents:     = 0
Aug 21 12:29:10 forensics decapper: [main] decapper.packetSource: [INFO] PCAPTest:     Total Documents:     = 0
Aug 21 12:45:16 forensics decapper: [task7] decapper.packetSource: [INFO] PCAPTest:     Total Documents:     = 0
Aug 21 12:45:16 forensics decapper: [task17] decapper.packetSource: [INFO] PCAPTest:     Total Documents:     = 0
Aug 21 12:45:16 forensics decapper: [main] decapper.packetSource: [INFO] PCAPTest:     Total Documents:     = 0
Aug 21 13:03:11 forensics decapper: [task18] decapper.packetSource: [INFO] PCAPTest:     Total Documents:     = 0
Aug 21 13:03:11 forensics decapper: [task5] decapper.packetSource: [INFO] PCAPTest:     Total Documents:     = 0
Aug 21 13:03:11 forensics decapper: [main] decapper.packetSource: [INFO] PCAPTest:     Total Documents:     = 0
Aug 21 13:19:26 forensics decapper: [] decapper.packetSource: [INFO] PCAPTest:     Total Documents:     = 0
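To find these messages without reading the log by hand, the following added example (not part of this IBM article or of the QRadar product) parses lines in the decapper format shown above and groups the zero-document reports by timestamp. Each import attempt produces the same result from several task threads plus [main] at one timestamp, so one timestamp corresponds to roughly one attempt. The sample log text is constructed for illustration; /var/log/qradar.log is the path the article names.

```python
import re
import sys
from collections import OrderedDict

# Constructed sample in the format of the decapper lines above (not copied from a
# live appliance). One successful import and one unrelated line are included so
# the filter has something to ignore.
SAMPLE_LOG = """\
Aug 21 12:29:10 forensics decapper: [task13] decapper.packetSource: [INFO] PCAPTest:     Total Documents:     = 0
Aug 21 12:29:10 forensics decapper: [main] decapper.packetSource: [INFO] PCAPTest:     Total Documents:     = 0
Aug 21 12:35:02 forensics decapper: [task4] decapper.packetSource: [INFO] PCAPTest:     Total Documents:     = 37
Aug 21 12:45:16 forensics decapper: [task7] decapper.packetSource: [INFO] PCAPTest:     Total Documents:     = 0
Aug 21 12:45:16 forensics decapper: [] decapper.packetSource: [INFO] PCAPTest:     Total Documents:     = 0
Aug 21 12:50:00 forensics tomcat: [main] some unrelated message
"""

# syslog-style timestamp, host, "decapper:", [thread], then the PCAPTest document count.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) decapper: "
    r"\[(?P<task>[^\]]*)\] decapper\.packetSource: \[INFO\] PCAPTest:\s+"
    r"Total Documents:\s+= (?P<count>\d+)$"
)


def parse_decapper_counts(text):
    """Return a list of (timestamp, thread, document_count) for every
    'PCAPTest: Total Documents' line; an empty [] thread is reported as '-'."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            results.append((m.group("ts"), m.group("task") or "-", int(m.group("count"))))
    return results


def zero_document_imports(text):
    """Group zero-document reports by timestamp, preserving log order.
    Returns an OrderedDict mapping timestamp -> list of threads that reported 0."""
    attempts = OrderedDict()
    for ts, task, count in parse_decapper_counts(text):
        if count == 0:
            attempts.setdefault(ts, []).append(task)
    return attempts


if __name__ == "__main__":
    # Usage: python decapper_zero_docs.py [/var/log/qradar.log]
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/qradar.log"
    with open(path, errors="replace") as fh:
        text = fh.read()
    for ts, tasks in zero_document_imports(text).items():
        print("%s: zero documents reported by %d decapper thread(s): %s"
              % (ts, len(tasks), ", ".join(tasks)))
```

Run it against the sample text to confirm that only the two zero-document attempts are reported; the 12:35:02 line with 37 documents and the tomcat line are ignored. Attach the output, together with the timestamps, to the support case described below.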


Resolving The Problem

The file is successfully uploaded to Cases > Collections, but it is not shown in the UI. Users who report this issue need to work with QRadar Incident Forensics support because no root cause has yet been determined for why the packet capture does not contain the relevant information. If you experience this issue, /var/log/qradar.log displays the status of the import, and you should open an investigation with QRadar Support.
What to include in your support case
  1. Take a screen capture of the file upload issue where the cases are not displayed in the user interface.
  2. Collect logs from the QRadar Incident Forensics appliance.
  3. Attach a copy of the packet capture file to your case for review.
  4. Describe your issue and mention that cases are missing from the user interface because the packet capture reports zero total documents. You can link to this article in your case for reference.
  5. Ensure that your email address or phone number is provided in your case so that support can contact you.


Results
A QRadar Incident Forensics Support team member contacts you to discuss your case. The support representative attempts to reproduce this issue to determine why the packet capture reports 0 total documents.
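Before attaching the packet capture to the case, it is worth confirming that the file is a well-formed, non-empty classic pcap, so that support does not spend time on a truncated upload or an unsupported container. The following added checker is not part of this IBM article or of the QRadar product; it parses the libpcap global header and walks the packet records, reporting the packet count and any truncation. A well-formed file can still produce "Total Documents: = 0" in the decapper log, since the article states that the root cause is not yet determined, so a clean result here does not replace the support case. The sample captures are constructed in memory for illustration.

```python
import struct
import sys

# Classic libpcap magic numbers: little/big endian, microsecond and nanosecond timestamps.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "us"),
    b"\xa1\xb2\xc3\xd4": (">", "us"),
    b"\x4d\x3c\xb2\xa1": ("<", "ns"),
    b"\xa1\xb2\x3c\x4d": (">", "ns"),
}
# pcapng files start with a Section Header Block; they are a different container format.
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"


def inspect_pcap(data):
    """Return a dict describing a classic pcap byte string: format, packet count,
    captured bytes and a list of problems (empty when the file is well-formed)."""
    result = {"format": "unknown", "packets": 0, "bytes": 0, "problems": []}
    if len(data) < 24:
        result["problems"].append("file shorter than the 24-byte pcap global header")
        return result
    magic = data[:4]
    if magic == PCAPNG_MAGIC:
        result["format"] = "pcapng"
        result["problems"].append("pcapng container; this checker only parses classic pcap")
        return result
    if magic not in PCAP_MAGICS:
        result["problems"].append("unrecognised magic number %s" % magic.hex())
        return result
    endian, _ts_unit = PCAP_MAGICS[magic]
    # Global header after the magic: version major/minor, thiszone, sigfigs, snaplen, linktype.
    ver_major, ver_minor, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    result.update(format="pcap", version="%d.%d" % (ver_major, ver_minor),
                  snaplen=snaplen, linktype=linktype)

    off = 24
    while off < len(data):
        if len(data) - off < 16:
            result["problems"].append("trailing %d bytes are not a full record header (truncated file?)"
                                      % (len(data) - off))
            break
        # Record header: ts_sec, ts_frac, incl_len (bytes on disk), orig_len (bytes on the wire).
        _sec, _frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if incl_len > orig_len or (snaplen and incl_len > snaplen):
            result["problems"].append("record %d: incl_len %d exceeds orig_len %d or snaplen %d"
                                      % (result["packets"] + 1, incl_len, orig_len, snaplen))
            break
        if off + incl_len > len(data):
            result["problems"].append("record %d claims %d bytes but only %d remain (truncated file?)"
                                      % (result["packets"] + 1, incl_len, len(data) - off))
            break
        off += incl_len
        result["packets"] += 1
        result["bytes"] += incl_len
    if result["packets"] == 0 and not result["problems"]:
        result["problems"].append("valid header but zero packet records")
    return result


def build_sample_pcap(payloads, endian="<"):
    """Construct a minimal Ethernet (linktype 1) pcap for testing; not real traffic."""
    magic = b"\xd4\xc3\xb2\xa1" if endian == "<" else b"\xa1\xb2\xc3\xd4"
    header = magic + struct.pack(endian + "HHiIII", 2, 4, 0, 0, 65535, 1)
    body = b"".join(struct.pack(endian + "IIII", 1692620950 + i, 0, len(p), len(p)) + p
                    for i, p in enumerate(payloads))
    return header + body


if __name__ == "__main__":
    # Usage: python check_pcap.py capture.pcap
    with open(sys.argv[1], "rb") as fh:
        report = inspect_pcap(fh.read())
    print(report)
```

Run the checker on the file you intend to upload; a report with "packets" greater than zero and an empty "problems" list means the capture itself is intact, and the zero-document result should then be raised with support as the article describes.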

Document Location

Worldwide

Product: IBM QRadar Network Packet Capture Software (SSMU35)
Component: PCAP
Platform: Linux
Version: 7.3.2; 7.3.1
Line of Business: Security Software

Document Information

Modified date:
21 July 2022

UID

ibm11072616