This only affects packet captures that are imported into the Security Analytics appliance. It does not affect packets captured by the Security Analytics appliance itself.
When TCP Segmentation Offload (TSO) is enabled on the operating system of the capturing host and a packet capture is taken on that host, the capture can contain Ethernet frames far larger than the usual 1500-byte MTU (1514 bytes including the Ethernet header), up to the size of the TCP segment the kernel handed down, which is limited only by the 64 KB maximum IP packet size. This happens because the capture is taken at a point in the network stack before the Network Interface Card (NIC), and with TSO it is the NIC that segments the large TCP segment into MTU-sized frames just before they are put on the wire. Generic Segmentation Offload (GSO) has the same effect, with the kernel performing the segmentation only after the capture point.
When such a packet capture is imported into Security Analytics, every frame larger than 9216 bytes is dropped. The dropped frames are not shown in the Packet Analyzer and are omitted when an artifact is extracted, so the extracted artifact is incomplete and therefore corrupted.
[root@localhost ~]# dspcapimport -i impt1 -f test.pcap -t 1 -v
Total bytes written : 570386
Total packets imported : 367
Total packets dropped : 15   <<<<< frames larger than 9216 bytes
To confirm that this is the cause, open the packet capture in both Wireshark and the Security Analytics Packet Analyzer and apply the filter "frame.len>=9216" in each. If Wireshark lists frames that the Packet Analyzer does not, those frames were dropped during import and this issue has been encountered. The verbose dspcapimport output above also reports the number of dropped packets.
1. Disable TCP Segmentation Offload on the operating system of the capturing host before taking any packet capture that will be imported into Security Analytics.
This can be done with the commands below:
root@localhost:~# ethtool -K eth0 tso off
root@localhost:~# ethtool -K eth0 gso off
Note: replace eth0 with the name of your NIC. The setting does not persist across a reboot, so repeat it (or make it part of the interface configuration) before each capture.
2. Alternatively, an existing capture can be repaired before import by re-segmenting each oversized frame into MTU-sized frames with an external tool.
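The following Python script is an added example and is not part of this article or of Security Analytics; it stands in for the unnamed "external tools" above and also performs the frame-size check described earlier, so a practitioner can run both steps on a capture without the appliance. It assumes a classic libpcap file (not pcapng) with Ethernet/IPv4/TCP frames, an MTU of 1500 bytes, and that each segment may reuse the original frame's timestamp; the 9216-byte limit is the one the article states, and the two-frame capture it operates on is constructed inline. Re-segmentation copies the IP and TCP headers (options included) onto every segment, advances the sequence number and IP ID per segment, keeps PSH/FIN on the last segment only, and recomputes the IP total length and both checksums, since the checksum of the original super-frame is not valid for any of the pieces.

```python
"""Added example, not Symantec code: detect frames above the 9216-byte import limit and re-segment them."""
import struct

MAX_IMPORT_FRAME = 9216   # import limit stated in the article
MTU = 1500                # assumed: re-segment to 1500-byte IP packets (1514-byte Ethernet frames)

def read_pcap(data):
    """Yield (ts_sec, ts_usec, frame) from a classic libpcap byte string (pcapng is not handled)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len

def write_pcap(records):
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)]   # little-endian header, link type 1
    for ts_sec, ts_usec, frame in records:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame)
    return b"".join(out)

def oversized_frames(data, limit=MAX_IMPORT_FRAME):
    """The Wireshark 'frame.len > limit' check: (index, length) of every frame the import would drop."""
    return [(i, len(f)) for i, (_, _, f) in enumerate(read_pcap(data)) if len(f) > limit]

def checksum(b):
    """RFC 1071 ones'-complement checksum; returns 0 over data whose checksum field is already valid."""
    if len(b) % 2:
        b += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(b) // 2), b))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def _tcp_parts(frame):
    """Split an Ethernet/IPv4/TCP frame into (eth, iphdr, tcphdr, payload); None for anything else."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    doff = (frame[14 + ihl + 12] >> 4) * 4
    return (frame[:14], bytearray(frame[14:14 + ihl]),
            bytearray(frame[14 + ihl:14 + ihl + doff]), frame[14 + ihl + doff:])

def _tcp_csum(iphdr, tcphdr, payload):
    pseudo = bytes(iphdr[12:20]) + struct.pack("!BBH", 0, 6, len(tcphdr) + len(payload))  # IPv4 pseudo-header
    return checksum(pseudo + bytes(tcphdr) + payload)

def _finish(eth, iphdr, tcphdr, payload):
    """Fix up IP total length, IP header checksum and TCP checksum, then reassemble the frame."""
    struct.pack_into("!H", iphdr, 2, len(iphdr) + len(tcphdr) + len(payload))
    iphdr[10:12] = b"\x00\x00"
    struct.pack_into("!H", iphdr, 10, checksum(bytes(iphdr)))
    tcphdr[16:18] = b"\x00\x00"
    struct.pack_into("!H", tcphdr, 16, _tcp_csum(iphdr, tcphdr, payload))
    return eth + bytes(iphdr) + bytes(tcphdr) + payload

def resegment(frame, mtu=MTU):
    """Split one oversized frame as a TSO NIC would: same headers, consecutive seq, IP ID +1 per segment."""
    parts = _tcp_parts(frame)
    if parts is None or len(frame) - 14 <= mtu:
        return [frame]
    eth, iphdr, tcphdr, payload = parts
    mss = mtu - len(iphdr) - len(tcphdr)          # payload bytes per segment
    seq = struct.unpack("!I", tcphdr[4:8])[0]
    ident = struct.unpack("!H", iphdr[4:6])[0]
    flags = tcphdr[13]
    out = []
    for n, i in enumerate(range(0, len(payload), mss)):
        chunk = payload[i:i + mss]
        struct.pack_into("!H", iphdr, 4, (ident + n) & 0xFFFF)
        struct.pack_into("!I", tcphdr, 4, (seq + i) & 0xFFFFFFFF)
        tcphdr[13] = flags if i + mss >= len(payload) else flags & ~0x09 & 0xFF   # PSH/FIN on last only
        out.append(_finish(eth, iphdr, tcphdr, chunk))
    return out

def fix_pcap(data, mtu=MTU):
    """Rewrite a capture so no frame exceeds mtu + 14 bytes; each segment keeps its original timestamp."""
    return write_pcap([(s, u, f) for s, u, frame in read_pcap(data) for f in resegment(frame, mtu)])

def checksums_ok(frame):
    """True when the IPv4 header checksum and the TCP checksum of an Ethernet/IPv4/TCP frame both verify."""
    parts = _tcp_parts(frame)
    return parts is not None and checksum(bytes(parts[1])) == 0 and _tcp_csum(*parts[1:]) == 0

def _build_tcp_frame(payload, seq=1000):
    """Constructed sample frame: 10.0.0.1:40000 -> 10.0.0.2:80, PSH|ACK, DF set, no TCP options."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    iphdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 1, 0x4000, 64, 6, 0,
                                  bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])))
    tcphdr = bytearray(struct.pack("!HHIIBBHHH", 40000, 80, seq, 5000, 0x50, 0x18, 65535, 0, 0))
    return _finish(eth, iphdr, tcphdr, payload)

SAMPLE_PAYLOAD = bytes(i & 0xFF for i in range(20000))          # constructed 20 000-byte TCP payload
SAMPLE_PCAP = write_pcap([(1700000000, 0, _build_tcp_frame(b"GET / HTTP/1.1\r\n\r\n")),     # 72-byte frame
                          (1700000000, 500, _build_tcp_frame(SAMPLE_PAYLOAD, seq=2000))])  # 20 054-byte TSO frame
```

On the constructed capture, oversized_frames(SAMPLE_PCAP) reports the single 20 054-byte frame, and fix_pcap(SAMPLE_PCAP) turns it into fourteen 1514-byte-or-smaller frames (1460 bytes of payload each, 1020 in the last) that pass checksums_ok and carry the original payload in order; the same calls work on a real file read with open(path, "rb"). Frames that are not IPv4/TCP, or are already within the MTU, are passed through unchanged.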