Troubleshooting
Problem
Packet capture (pcap) files do not display in the Case Management view of the user interface after they are successfully uploaded. This issue can occur when users add packet capture files through the QRadar Incident Forensics user interface or when they upload files with FTP.
Symptom
- Log in to the QRadar user interface.
- Click the Admin tab.
- Scroll down to Forensics > Case Management.
- Click Add Files.
- Click Start upload.
Results
The PCAP file is not displayed under Case Management when there are no valid documents to import. Users who view case collections in the user interface might see [0] under Case Management > Cases > Collections.
Diagnosing The Problem
When this issue occurs, the decapper process reports that there are no documents to import. Administrators with root access can review /var/log/qradar.log for INFO messages similar to the following:
Aug 21 12:29:10 forensics decapper: [task13] decapper.packetSource: [INFO] PCAPTest: Total Documents: = 0
Aug 21 12:29:10 forensics decapper: [task13] decapper.packetSource: [INFO] PCAPTest: Total Documents: = 0
Aug 21 12:29:10 forensics decapper: [main] decapper.packetSource: [INFO] PCAPTest: Total Documents: = 0
Aug 21 12:45:16 forensics decapper: [task7] decapper.packetSource: [INFO] PCAPTest: Total Documents: = 0
Aug 21 12:45:16 forensics decapper: [task17] decapper.packetSource: [INFO] PCAPTest: Total Documents: = 0
Aug 21 12:45:16 forensics decapper: [main] decapper.packetSource: [INFO] PCAPTest: Total Documents: = 0
Aug 21 13:03:11 forensics decapper: [task18] decapper.packetSource: [INFO] PCAPTest: Total Documents: = 0
Aug 21 13:03:11 forensics decapper: [task5] decapper.packetSource: [INFO] PCAPTest: Total Documents: = 0
Aug 21 13:03:11 forensics decapper: [main] decapper.packetSource: [INFO] PCAPTest: Total Documents: = 0
Aug 21 13:19:26 forensics decapper: [] decapper.packetSource: [INFO] PCAPTest: Total Documents: = 0
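To turn the log review above into a repeatable check, the following shell script (an added example, not from IBM or this tech note) parses lines in the qradar.log format shown and lists each upload attempt, keyed by timestamp, in which the decapper reported zero documents. The sample log content embedded in it is constructed for illustration; on an appliance you would point the functions at /var/log/qradar.log.

```shell
#!/bin/sh
# Constructed sample in the decapper log format shown above (not from a real
# appliance). The first two attempts report zero documents; the third one
# (13:03:11) is a healthy import added for contrast.
SAMPLE_LOG='Aug 21 12:29:10 forensics decapper: [task13] decapper.packetSource: [INFO] PCAPTest: Total Documents: = 0
Aug 21 12:29:10 forensics decapper: [main] decapper.packetSource: [INFO] PCAPTest: Total Documents: = 0
Aug 21 12:45:16 forensics decapper: [task7] decapper.packetSource: [INFO] PCAPTest: Total Documents: = 0
Aug 21 12:45:16 forensics decapper: [main] decapper.packetSource: [INFO] PCAPTest: Total Documents: = 0
Aug 21 13:03:11 forensics decapper: [main] decapper.packetSource: [INFO] PCAPTest: Total Documents: = 1532'

# write_sample_log PATH : writes the constructed sample to PATH
write_sample_log() {
    printf '%s\n' "$SAMPLE_LOG" > "$1"
}

# zero_doc_attempts LOGFILE
# Prints one line per upload attempt (distinct syslog timestamp) in which any
# decapper thread logged "Total Documents: = 0", followed by the thread tags
# seen for that attempt, in the order they first appear in the log.
zero_doc_attempts() {
    awk '
        /decapper: \[[^]]*\] decapper\.packetSource: \[INFO\] .*Total Documents: = 0$/ {
            ts  = $1 " " $2 " " $3      # e.g. "Aug 21 12:29:10"
            tag = $6                    # e.g. "[task13]" or "[main]"
            if (!(ts in seen)) order[ts] = NR
            seen[ts] = seen[ts] " " tag
        }
        END {
            for (ts in seen) print order[ts] "\t" ts "\t" seen[ts]
        }
    ' "$1" | sort -n | cut -f2-
}

# count_zero_doc_attempts LOGFILE : number of attempts flagged above
count_zero_doc_attempts() {
    zero_doc_attempts "$1" | wc -l | tr -d ' '
}
```

A non-zero count is the same condition the tech note describes and is what to quote in the support case, alongside the full qradar.log.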
Resolving The Problem
The file uploads successfully to Cases > Collections but is not displayed in the user interface. Users who report this issue need to work with QRadar Incident Forensics support, as the root cause of why the packet capture contains no importable documents has not yet been determined. Open a case with QRadar Support and attach your logs, as qradar.log contains the import status information needed to investigate this issue.
What to include in your support case
- Take a screen capture of the file upload issue where cases are not displayed in the user interface.
- Collect logs from the QRadar Incident Forensics appliance.
- Attach a copy of the packet capture file to your case for review.
- Describe your issue and ensure that you mention that you are missing cases in the user interface due to zero total documents in the packet capture. You can link to this article in your case for reference.
- Ensure that your email address or phone number is provided in your case so we can contact you.
Results
The case is opened and the status is set to 'Waiting on IBM' as the support representative reviews the information in your case. The support representative needs to reproduce this issue to determine why the packet capture reports 0 total documents.
Tip: It is a good idea to review your contact information or ensure that your case includes the correct phone number or email address. Support representatives use the contact information from your profile and contact preferences to communicate with users about cases.
Document Location
Worldwide
Document Information
Modified date:
27 April 2023
UID
ibm11072616