Questions on the Sensor Maintenance


How do I manually delete Microolap EtherSensor services?

1. Run the following commands from the command prompt:

sc delete "EtherSensorEtherCAP"
sc delete "EtherSensorICAP"
sc delete "EtherSensorLotusTXN"
sc delete "EtherSensorAnalyser"
sc delete "EtherSensorTransfer"
sc delete "EtherSensorWatcher"

2. Run regedit and delete the following registry branches:

HKLM/System/CurrentControlSet/EtherSensorAnalyser
HKLM/System/CurrentControlSet/EtherSensorEtherCAP
HKLM/System/CurrentControlSet/EtherSensorICAP
HKLM/System/CurrentControlSet/EtherSensorLotusTXN
HKLM/System/CurrentControlSet/EtherSensorTransfer
HKLM/System/CurrentControlSet/EtherSensorWatcher

3. Delete the old version files.

4. Restart the server.


Why are there many duplicated messages?

1. Web services may send forms more than once, e.g. when saving drafts or adding attachments.

2. When network conditions are complicated (for example, when using a chain of proxy servers or load balancers), the sensor may see the same connection through several interfaces. In this case, use the check-md5 filter. It helps decide whether a message needs to be processed again.


I see traffic from the <another sniffer> mirror port, but the sensor doesn't intercept anything.

Traffic counters are increasing, but the sensor doesn't intercept anything.

In the interception record there are no return packets from HTTP services, i.e. the packets going from the client IP address to the remote server/port are visible, but the responses from the remote server/port are not. ACK and FIN/ACK packets from the client are coming, which means that these are real working sessions and the traffic reaches the client.

Perform the following steps:

1. Make sure the services are up and running.

2. Check IP filtering rules. To apply rules, restart the services.

3. Check traffic counters. The value of Received should not be equal to the value of Rejected.

4. Check if the intercepted data are in the data subfolder of the Microolap EtherSensor installation folder. When using filters, also check [INSTALLDIR]\data\filter.

5. Check the [INSTALLDIR]\data\result folder for any intercepted messages that have not been sent.

6. Check logs and counters for any errors. If there are no errors, the services are working correctly.

7. Check the settings of the mirror port. For example, Cisco hardware by default mirrors either RX or TX packets. Change the setting to use the both keyword:

monitor session 1 source interface <interface-id> both

8. Check if a profile is set up in the delivery service settings and if a correct profile is set up as the default profile.

9. If the problem persists, please contact support.
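
The symptom described above (client packets visible, server responses missing, while the client still sends ACK and FIN/ACK) can be checked mechanically on a packet listing taken at the mirror port. The following Python script is an added example, not part of the EtherSensor documentation or product; the record layout, function names and all addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records, not a real capture:
# (src_ip, src_port, dst_ip, dst_port, tcp_flags)
SAMPLE_PACKETS = [
    # Flow A: only the client side is visible, but the client keeps ACKing
    ("10.0.0.15", 50112, "203.0.113.7", 80, "SYN"),
    ("10.0.0.15", 50112, "203.0.113.7", 80, "ACK"),
    ("10.0.0.15", 50112, "203.0.113.7", 80, "PSH/ACK"),
    ("10.0.0.15", 50112, "203.0.113.7", 80, "FIN/ACK"),
    # Flow B: both directions are visible (healthy mirror)
    ("10.0.0.22", 50200, "203.0.113.9", 80, "SYN"),
    ("203.0.113.9", 80, "10.0.0.22", 50200, "SYN/ACK"),
    ("10.0.0.22", 50200, "203.0.113.9", 80, "ACK"),
    # Flow C: unanswered SYN retries, the server really is silent
    ("10.0.0.30", 50300, "203.0.113.11", 80, "SYN"),
    ("10.0.0.30", 50300, "203.0.113.11", 80, "SYN"),
]


def flow_key(src, dst):
    """Direction-independent key so both halves of a session group together."""
    return (src, dst) if src <= dst else (dst, src)


def find_one_way_flows(packets):
    """Return sessions captured in one direction only although they are live."""
    senders = defaultdict(set)   # flow -> endpoints seen sending
    live = set()                 # flows whose sender acknowledged peer data
    for src_ip, src_port, dst_ip, dst_port, flags in packets:
        src, dst = (src_ip, src_port), (dst_ip, dst_port)
        key = flow_key(src, dst)
        senders[key].add(src)
        names = flags.split("/")
        # An ACK without SYN is only sent after the peer answered,
        # so the session works even if the reply was never captured.
        if "ACK" in names and "SYN" not in names:
            live.add(key)
    findings = []
    for key, seen in senders.items():
        if len(seen) == 1 and key in live:
            sender = next(iter(seen))
            missing = key[1] if key[0] == sender else key[0]
            findings.append({"seen_from": sender, "missing_from": missing})
    return sorted(findings, key=lambda f: f["seen_from"])


if __name__ == "__main__":
    for f in find_one_way_flows(SAMPLE_PACKETS):
        print("one-way capture:", f["seen_from"], "->", f["missing_from"])
```

Flows reported here are live sessions whose return direction never reached the sensor, which points to the mirror port direction setting from step 7 rather than to a silent server.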