Health Alert: Some network traffic could not be analyzed


Hello,

Seeing these alerts on two domain controllers on a regular 1-hour interval.

Back when we ran the sizing tool about 4 months ago they passed the analysis with flying colors (required CPU/RAM of 1 and 6 vs 24 and 64 available). These are on-prem physical servers. No issues with other domain controllers.


Also how exactly is this alarm triggered? Is there a time threshold or any spike would cause it?


2 Replies

@sayedhasan 

The alerts are generated when the sensors do not have enough resources to analyze the network traffic.

Things might have changed since you ran the sizing tool, such as more users being added to the environment or a change in the sites or subnets configuration that now cause more traffic to be sent to the domain controllers.

If the sensor is using the winpcap drivers (installed with the sensor in versions earlier than 2.184) we recommend you replace them with npcap. This is described in https://docs.microsoft.com/en-us/defender-for-identity/technical-faq#winpcap-and-npcap-drivers

This can also happen if you're using domain controllers on VMware virtual machines. To avoid these alerts, you can check that the following settings are set to 0 or Disabled in the virtual machine:
- TsoEnable
- LargeSendOffload(IPv4)
- IPv4 TSO Offload

You should also consider adding additional processors and memory as required.
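The reply above gives three things to check on a sensor host: the TSO / Large Send Offload settings on the adapter (the VMware branch), and the CPU and memory headroom. The following PowerShell, added here as an illustration and not taken from the thread or from the Defender for Identity documentation, inventories those offload properties on every adapter with the built-in `Get-NetAdapterAdvancedProperty` cmdlet and flags any that is not 0/Disabled, then prints the logical CPU and RAM figures that the sizing tool compares against. Because the property display names differ between drivers (the reply lists TsoEnable, LargeSendOffload(IPv4) and IPv4 TSO Offload), the script matches them by pattern; the pattern and the set of values treated as "disabled" are assumptions you may need to widen for a given driver.

```powershell
# Added example, not from the thread: report TSO / Large Send Offload state per adapter
# and the host's CPU/RAM headroom, as a quick check against the reply's recommendations.

# Assumed pattern covering the property names the reply mentions; widen it if your
# driver exposes the setting under another name.
$offloadPattern = 'TSO|TsoEnable|Large ?Send'

$findings = Get-NetAdapter |
    ForEach-Object {
        $nic = $_
        Get-NetAdapterAdvancedProperty -Name $nic.Name -ErrorAction SilentlyContinue |
            Where-Object {
                $_.DisplayName -match $offloadPattern -or $_.RegistryKeyword -match $offloadPattern
            } |
            ForEach-Object {
                # Assumption: a value of 0, Disabled or Off means the offload is turned off.
                $disabled = ($_.DisplayValue -match '^(0|Disabled|Off)$') -or
                            (($_.RegistryValue -join ',') -eq '0')
                [pscustomobject]@{
                    Adapter         = $nic.Name
                    Setting         = $_.DisplayName
                    RegistryKeyword = $_.RegistryKeyword
                    Value           = $_.DisplayValue
                    Status          = if ($disabled) { 'OK' } else { 'ENABLED - review' }
                }
            }
    }

# One row per offload-related property; anything not 'OK' is what the reply says to disable.
$findings | Format-Table -AutoSize

# Optional remediation, left commented out: changing an advanced property resets the
# adapter for a moment, so run it in a maintenance window, not while the DC is busy.
# $findings | Where-Object Status -ne 'OK' | ForEach-Object {
#     Set-NetAdapterAdvancedProperty -Name $_.Adapter -DisplayName $_.Setting -DisplayValue 'Disabled'
# }

# Resource headroom: the figures to compare with the sizing tool's required CPU/RAM.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
[pscustomobject]@{
    LogicalProcessors = $cs.NumberOfLogicalProcessors
    MemoryGB          = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
}
```

Run it in an elevated PowerShell session on the domain controller that raises the alert. The output only tells you whether offload is on and how much CPU/RAM the host has; it does not show how busy the sensor process itself is at the moment the health alert fires, which is the question the original poster is asking about.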

Physical servers no VMware.
Npcap drivers.
Users have not grown significantly since running our sizing tool last April.
Most importantly, I want to know the exact logic of how this alarm is triggered. Is any filtering/averaging involved over a period of time, or would a spike/peak in traffic do it?
Thanks!