Troubleshooting
Problem
Packet capture files (pcap) do not appear in the Case Management view of the user interface after the files are successfully uploaded. This issue can occur when users add packet capture files through the QRadar Incident Forensics user interface or upload them by using FTP.
Symptom
- Log in to the QRadar UI.
- Click the Admin tab.
- Scroll down to Forensics > Case Management.
- Click Add Files.
- Click Start upload.
Results
The PCAP file is not displayed under Case Management when the packet capture contains no valid documents to import. Users who view case collections in the user interface might see [0] under Case Management > Cases > Collections.
Diagnosing The Problem
When this issue occurs, the decapper process reports that there are no documents to import. Administrators with root access can review /var/log/qradar.log for INFO messages similar to the following:
Aug 21 12:29:10 forensics decapper: [task13] decapper.packetSource: [INFO] PCAPTest: Total Documents: = 0
Aug 21 12:29:10 forensics decapper: [task13] decapper.packetSource: [INFO] PCAPTest: Total Documents: = 0
Aug 21 12:29:10 forensics decapper: [main] decapper.packetSource: [INFO] PCAPTest: Total Documents: = 0
Aug 21 12:45:16 forensics decapper: [task7] decapper.packetSource: [INFO] PCAPTest: Total Documents: = 0
Aug 21 12:45:16 forensics decapper: [task17] decapper.packetSource: [INFO] PCAPTest: Total Documents: = 0
Aug 21 12:45:16 forensics decapper: [main] decapper.packetSource: [INFO] PCAPTest: Total Documents: = 0
Aug 21 13:03:11 forensics decapper: [task18] decapper.packetSource: [INFO] PCAPTest: Total Documents: = 0
Aug 21 13:03:11 forensics decapper: [task5] decapper.packetSource: [INFO] PCAPTest: Total Documents: = 0
Aug 21 13:03:11 forensics decapper: [main] decapper.packetSource: [INFO] PCAPTest: Total Documents: = 0
Aug 21 13:19:26 forensics decapper: [] decapper.packetSource: [INFO] PCAPTest: Total Documents: = 0
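The following script is an added example, not part of this technote or of QRadar, for administrators who want to check a copy of /var/log/qradar.log for the condition described above rather than read the file by eye. It parses the decapper "PCAPTest: Total Documents" lines, groups them by timestamp into import batches, and flags each batch whose [main] line (or, when no [main] line is present, every line) reports zero documents. The embedded sample log lines are constructed from the format of the excerpt above, including one healthy import with a nonzero count so the check is seen to distinguish the two cases; the regex, the batching-by-timestamp rule and the function names are assumptions of this example.

```python
import re
import sys
from collections import defaultdict

# Constructed sample in the format of the /var/log/qradar.log excerpt above.
# The 13:30:02 batch and the hostcontext line are constructed for contrast.
SAMPLE_LOG = """\
Aug 21 12:29:10 forensics decapper: [task13] decapper.packetSource: [INFO] PCAPTest: Total Documents: = 0
Aug 21 12:29:10 forensics decapper: [main] decapper.packetSource: [INFO] PCAPTest: Total Documents: = 0
Aug 21 12:45:16 forensics decapper: [task7] decapper.packetSource: [INFO] PCAPTest: Total Documents: = 0
Aug 21 12:45:16 forensics decapper: [main] decapper.packetSource: [INFO] PCAPTest: Total Documents: = 0
Aug 21 13:19:26 forensics decapper: [] decapper.packetSource: [INFO] PCAPTest: Total Documents: = 0
Aug 21 13:30:02 forensics decapper: [task2] decapper.packetSource: [INFO] PCAPTest: Total Documents: = 1842
Aug 21 13:30:02 forensics decapper: [main] decapper.packetSource: [INFO] PCAPTest: Total Documents: = 1842
Aug 21 13:30:05 forensics hostcontext: unrelated line that must be ignored
"""

# Assumed line layout: syslog timestamp, host, "decapper:", a bracketed task
# name (possibly empty), then the PCAPTest document count.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) decapper: "
    r"\[(?P<task>[^\]]*)\] decapper\.packetSource: \[INFO\] PCAPTest: "
    r"Total Documents: = (?P<count>\d+)\s*$"
)


def parse_decapper_lines(text):
    """Return one record per matching decapper line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append({
                "ts": m["ts"],
                "host": m["host"],
                "task": m["task"] or "(none)",
                "count": int(m["count"]),
            })
    return records


def summarize_imports(records):
    """Group records by timestamp into import batches (an assumption of this
    example: the task lines and the [main] line of one import share a
    timestamp). A batch is empty when its [main] line reports 0 documents,
    or, if there is no [main] line, when no line reports any documents."""
    batches = defaultdict(list)
    for r in records:
        batches[r["ts"]].append(r)
    summary = []
    for ts, recs in batches.items():
        main = [r for r in recs if r["task"] == "main"]
        total = main[0]["count"] if main else max(r["count"] for r in recs)
        summary.append({
            "ts": ts,
            "total_documents": total,
            "empty": total == 0,
            "lines": len(recs),
        })
    return summary


def empty_import_timestamps(text):
    """Timestamps of import batches that match the symptom in this technote."""
    return [b["ts"] for b in summarize_imports(parse_decapper_lines(text)) if b["empty"]]


if __name__ == "__main__":
    # Usage: python check_decapper.py /path/to/copy/of/qradar.log
    # Without an argument the constructed sample above is analysed.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for b in summarize_imports(parse_decapper_lines(text)):
        flag = "EMPTY: no documents to import" if b["empty"] else "ok"
        print(f"{b['ts']}  total_documents={b['total_documents']}  "
              f"({b['lines']} decapper lines)  {flag}")
```

Run against the sample, the script flags the 12:29:10, 12:45:16 and 13:19:26 batches as empty and reports the 13:30:02 batch as healthy. Batches flagged as empty are the ones to mention, together with the matching packet capture file, when opening the support case described below.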
Resolving The Problem
The files are successfully uploaded to Cases > Collections but are not displayed in the UI. Users who report this issue need to work with QRadar Incident Forensics support, as the root cause of why the packet capture does not contain the relevant information has not yet been determined. If you experience this issue, the logs in /var/log/qradar.log display the status of the import, and you should open an investigation with QRadar Support.
What to include in your support case
- Take a screen capture of the file upload issue where cases are not displayed in the user interface.
- Collect logs from the QRadar Incident Forensics appliance.
- Attach a copy of the packet capture file to your case for review.
- Describe your issue and ensure that you mention that you are missing cases in the user interface due to zero total documents in the packet capture. You can link to this article in your case for reference.
- Ensure that your email address or phone number is provided in your case so we can contact you.
Results
A QRadar Incident Forensics Support team member contacts you to discuss your case. The support representative needs to attempt to reproduce this issue to determine why the packet capture reports 0 total documents.
Document Location
Worldwide
Document Information
Modified date:
21 July 2022
UID
ibm11072616