Sandstorm Enterprises® : NetIntercept® Handling NetIntercept Errors

Handling NetIntercept Errors

If you encounter one of the error conditions described below, please follow these steps to aid us in addressing the issue and resolving the problem as promptly as possible.

Also, with every message you send to support@sandstorm.net, include the following information from the NetIntercept GUI's Help -> About box: the IButton or Keylok serial number, the version of NetIntercept in use, and the NetIntercept appliance model (e.g. DR900, S200).


412 error

This error occurs while NetIntercept is building a database. An error dialog appears and displays a numeric code of "412" with an explanation of the issue. For example:

412 Parsed 60800 of 60800 - 3 errors: Signal 11 in module PlainTxt on connection #24750, at depth 8

What has occurred:

The parse engine has had a problem parsing one or more connections. The 412 error indicates that the database was built, but the NetIntercept GUI does not open this database automatically. The process ni_parse is still running.

What you should do:

You will need to extract a dump file of each connection that caused the issue, and send those files and the other identifying information described below to support@sandstorm.net.

  1. Copy the entire error line, making special note of the module that failed and the connection number of the failure. This information needs to be sent to Sandstorm.
  2. Note the name of the database you were in the process of building.
  3. Close the error dialog.
  4. Determine which connections you will need to extract dump files for. The number of errors is shown in the error dialog (our above example had 3 errors).
    • If there is only one error, that connection is listed in the error statement. Go to the next step.
    • If there are multiple errors, contact Sandstorm technical support staff to help with your analysis of /usr/ni/log/ni_parse.log. Note all connection numbers that errors occurred on.
  5. Use the Open button to open the database that was being created.
  6. For each connection that had an error:
    • Use the Find# button to select the connection that caused the problem.
    • From the Connection window, select File -> Save Dump File to save the dump file of this connection to a file.
  7. Send all of these dump files to Sandstorm.
  8. Shut down and restart NetIntercept. From a command line window, type:
      nishutdown
    Then when that program ends, type:
      nistartup

How to recover:

Remember you must run the nishutdown then nistartup programs after the error occurs for NetIntercept to function properly.

Once the above steps are taken, you can continue to use your NetIntercept system. To create a database while avoiding the connections that caused the failure, you can examine the Connections (per above steps) and either create a database that does not include the time that these connections were present, or else create a filter that ignores the connections from their IP addresses. Sandstorm technical support staff can assist with this procedure, if necessary.


Critical Error - Could not access parse engine

This error occurs when the process ni_parse is not running and you attempt to open the NetIntercept GUI.

What has occurred:

The process ni_parse is not running. This process should begin when the system is first booted up, and should never terminate unless nishutdown is executed.

What you should do:

  1. Copy the entire error dialog, to ensure you report the error correctly. Send this dialog to support@sandstorm.net.
  2. To check why ni_parse might have shut down, send a copy of /usr/ni/log/ni_parse.log to support@sandstorm.net.
  3. Look in /usr/ni and /usr/ni/bin for any files with an extension of ".core". If you find one, inform Sandstorm technical support.

How to recover:

Shut down and restart NetIntercept. From a command line window, type:

    nishutdown
Then when that program ends, type:
    nistartup


Critical Error - Could not access capture engine

This error occurs when the process capture: mainline is not running and you attempt to open the NetIntercept GUI.

What has occurred:

The process capture: mainline is not running. This process should begin when the system is first booted up, and should never terminate unless nishutdown is executed.

What you should do:

  1. Copy the entire error dialog, to ensure you report the error correctly. Send this dialog to support@sandstorm.net.
  2. To check why capture might have shut down, send a copy of /usr/ni/log/capture.log to support@sandstorm.net.
  3. Look in /usr/ni and /usr/ni/bin for any files with an extension of ".core". If you find one, inform Sandstorm technical support.

How to recover:

Shut down and restart NetIntercept. From a command line window, type:

    nishutdown
Then when that program ends, type:
    nistartup


Communication Error: Cannot read from parse engine/
Critical Error: Could not access capture engine. Aborting


This error occurs when there is no license manager device (dongle or iButton) attached to the machine.

What has occurred:

You have attempted to start NetIntercept without a license manager device, which it will not allow.

What you should do:

Attach the license manager device and restart NetIntercept.



Parser Error: 517 Cannot switch to Profile database

This error occurs when the mysql process is not running and you attempt to perform a mysql action (such as creating a new database). You may see some GUI screens that are blank, apparently devoid of content.

What has occurred:

The mysql process is not running. This process should begin when the system is first booted up, and should never terminate unless nishutdown is executed. There will be multiple SQL errors in /usr/ni/log/nigui.log.

What you should do:

  1. Copy the entire error dialog, to ensure you report the error correctly. Send this dialog to support@sandstorm.net.
  2. To check why mysql might have shut down, send a copy of /usr/ni/log/nigui.log and /usr/ni/log/ni_parse.log to support@sandstorm.net.
  3. Also send an explanation of what actions you were performing when the error occurred.

How to recover:

Shut down and restart NetIntercept. From a command line window, type:

    nishutdown
Then when that program ends, type:
    nistartup


Sessionization Failed - tcpdemux error, Unknown error

What has occurred:

This error occurs only while data is being analyzed. NetIntercept has encountered an unrecoverable error and terminated the analysis.

What you should do:

  1. Send all pertinent log files to support@sandstorm.net: nigui.log, and tcpdemux2.log or demux.log.
  2. Rename any core files found and save them. The core files may be named tcpdemux2.core or demux.core.

(Note: You will only see one of tcpdemux2.log / demux.log, and one of tcpdemux2.core / demux.core, depending on the version of NetIntercept in use. Versions of NetIntercept after 3.1 will produce files named demux.*.)

How to recover:

Shut down and restart NetIntercept. From a console window, type:

    nishutdown
Then when that program ends, type:
    nistartup
When that completes, you can log into the GUI.


The GUI shuts down without warning

What has occurred:

This error could occur if:

  1. You are using NetIntercept remotely through its control port, and the network connection was terminated unexpectedly.
  2. The X Window System encountered an error.
  3. The NetIntercept GUI encountered an error.

What you should do:

  1. Network Failure: To determine if the error is due to a network failure, attempt to log into the NetIntercept box remotely. If you cannot access the machine, ensure that both your remote computer and your NetIntercept box are still connected via an active network.

  2. X Window System error: To see if an X Window System error may have occurred, you will need to examine recent items logged in /usr/ni/log/nigui.log. If an error has occurred, the log file will report it.

    In this case send a message to support@sandstorm.net and include the information from the About box (see top of this web page), an explanation of what actions you were performing when the X Window System error occurred, and a copy of your nigui.log file.

  3. GUI failure: If the GUI has encountered an unrecoverable error, NetIntercept has ceased running properly. A system core dump file (ni.core or nigui.core) may have been created.

    Other NetIntercept processes may still be running. If you were remotely accessing NetIntercept when this error occurred, a NetIntercept console window should still be present. Type the command ps x and you should see output as below:

    ni:~% ps x
    PID TT STAT TIME COMMAND
    758 ?? S 0:08.35 sshd: ni@ttyp0 (sshd)
    759 p0 Ss 0:00.18 -tcsh (tcsh)
    1190 p0 I 0:00.12 ./ni_parse
    1193 p0 S 0:44.80 /usr/local/libexec/mysqld --skip-name-resolv --skip-locking --skip-network
    1199 p0 S 0:00.07 capture: mainline (capture)
    1201 p0 S 0:00.04 capture: /ni/packets/4440/0915 (capture)
    1242 p0 R+ 0:00.00 ps x
    ni:~%

    The "ni" process will be missing from your list. If other processes are missing as well, you need to include this fact in your mail message to support@sandstorm.net. Also attach a copy of /usr/ni/log/nigui.log to that message, along with a complete explanation of what you had been doing at the time.

    Locate and rename the core file (normally found in /usr/ni or /usr/ni/bin) to save it. You must rename it because each time a core file is created, it overwrites and destroys any prior ones with the same name. If Sandstorm needs this dump file, we will give you instructions on how to send it to us.
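
The process check and core-file renaming described above, as an added shell example (not Sandstorm's own tooling). The function names, the timestamp suffix and matching the GUI process by the basename "ni" are assumptions; the sample listing is constructed from the one on this page.

```shell
#!/bin/sh
# Added example, not Sandstorm code. Process names come from the page's
# `ps x` listing; matching the GUI by basename "ni" is an assumption.

# Read `ps x` output on stdin; print each expected process that is absent.
missing_procs() {
    awk '
    NF >= 5 {
        exe = $5; sub(/^.*\//, "", exe)      # basename of the command word
        seen[exe] = 1
        if ($5 == "capture:" && $6 == "mainline") seen["capture: mainline"] = 1
    }
    END {
        n = split("ni,ni_parse,mysqld,capture: mainline", want, ",")
        for (i = 1; i <= n; i++) if (!(want[i] in seen)) print want[i]
    }'
}

# $1 = tag (e.g. a timestamp), remaining args = directories to search.
# Renames every *.core so a later crash cannot overwrite it; prints new names.
preserve_cores() {
    tag=$1; shift
    for dir in "$@"; do
        for core in "$dir"/*.core; do
            [ -f "$core" ] || continue       # glob matched nothing
            dest="$core.$tag"; n=1
            # Never clobber a core that was already preserved under this tag.
            while [ -e "$dest" ]; do dest="$core.$tag.$n"; n=$((n + 1)); done
            mv "$core" "$dest" && printf '%s\n' "$dest"
        done
    done
}

# Constructed sample modelled on the page's listing: the GUI ("ni") and
# "capture: mainline" are both absent here.
SAMPLE_PS='  PID TT STAT TIME COMMAND
  759 p0 Ss 0:00.18 -tcsh (tcsh)
 1190 p0 I 0:00.12 ./ni_parse
 1193 p0 S 0:44.80 /usr/local/libexec/mysqld --skip-name-resolv
 1201 p0 S 0:00.04 capture: /ni/packets/4440/0915 (capture)'
printf '%s\n' "$SAMPLE_PS" | missing_procs

# On the appliance (paths from this page):
#   ps x | missing_procs
#   preserve_cores "$(date +%Y%m%dT%H%M%S)" /usr/ni /usr/ni/bin
```

Run the process check before nishutdown, so the list of missing processes reflects the state at the time of the failure.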

How to recover:

Shut down and restart NetIntercept. From a console window, type:

    nishutdown
Then when that program ends, type:
    nistartup
When that completes, you can log into the GUI.



Site materials © 1998 - 2008 Sandstorm Enterprises, Inc. The Sandstorm logo®, LANWatch®, NetIntercept®, PhoneSweep®, Sandtrap®, TCP.demux™, Single Call Detect™, Tools with sharp edges®, Rapid Event Analysis™, and Sandstorm Enterprises® are all trademarks or registered trademarks of Sandstorm Enterprises, Inc.