Forum Discussion
Health Alert: Some network traffic could not be analyzed
The alerts are generated when the sensors do not have enough resources to analyze the network traffic.
Things might have changed since you ran the sizing tool, such as more users being added to the environment, or a change in the sites or subnets configuration that now causes more traffic to be sent to the domain controllers.
If the sensor is using the WinPcap drivers (installed with the sensor in versions earlier than 2.184), we recommend you replace them with Npcap. This is described in https://docs.microsoft.com/en-us/defender-for-identity/technical-faq#winpcap-and-npcap-drivers
This can also happen if you're using domain controllers on VMware virtual machines. To avoid these alerts, you can check that the following settings are set to 0 or Disabled in the virtual machine:
- TsoEnable
- LargeSendOffload(IPv4)
- IPv4 TSO Offload
You should also consider adding additional processors and memory as required.
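One way to audit the three offload settings on every adapter of a domain controller, as an added example that is not part of the reply above or of Microsoft's documentation. It runs on the Windows guest (where the MDI sensor sits) with the built-in NetAdapter cmdlets. The wildcard patterns and the TsoEnable registry keyword are assumptions about how the VM's NIC driver (VMXNET3, E1000E, etc.) names these properties; compare the output against the three names listed above and extend the patterns if your driver uses different ones.

```powershell
# Added example for this thread, not Microsoft's or the original poster's code.
# Reports (and with -Fix, disables) the TSO/LSO offload settings on every
# adapter of the machine it runs on. Run elevated on each DC the sensor
# monitors. Requires the NetAdapter module (Windows Server 2012 and later).
#
# ASSUMPTIONS: the patterns below and the 'TsoEnable' keyword are guesses at
# how the guest NIC driver exposes the three settings named in the reply;
# confirm them in Device Manager > adapter > Advanced before trusting a
# "Compliant" result, and add any vendor-specific name to $patterns.

[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Fix    # set non-compliant properties to 0/Disabled instead of only reporting
)

$patterns = @('*Large Send Offload*', '*TSO*', 'TsoEnable')
$okValues = @('0', 'Disabled', 'Off')

# -AllProperties also returns registry-only keywords (such as TsoEnable)
# that have no friendly DisplayName in the driver's property page.
$props = Get-NetAdapterAdvancedProperty -Name '*' -AllProperties -ErrorAction Stop |
    Where-Object {
        $p = $_
        ($patterns | Where-Object { $p.DisplayName -like $_ -or $p.RegistryKeyword -like $_ }).Count -gt 0
    }

if (-not $props) {
    Write-Warning 'No LSO/TSO properties matched; check the names in Device Manager and extend $patterns.'
    return
}

$report = foreach ($p in $props) {
    # Registry-only properties carry no DisplayValue, so fall back to RegistryValue.
    $value = if ($p.DisplayValue) { "$($p.DisplayValue)" } else { ($p.RegistryValue -join ',') }
    $compliant = $okValues -contains $value

    if (-not $compliant -and $Fix -and
        $PSCmdlet.ShouldProcess("$($p.Name): $($p.RegistryKeyword)", 'Set to 0 (Disabled)')) {
        # Writing the registry value '0' is what "Disabled" maps to for these keywords.
        # NOTE: changing an advanced property resets the adapter, so expect a brief
        # connectivity blip on the DC; do this in a maintenance window.
        Set-NetAdapterAdvancedProperty -Name $p.Name -AllProperties `
            -RegistryKeyword $p.RegistryKeyword -RegistryValue '0'
        $value = '0'
        $compliant = $true
    }

    [pscustomobject]@{
        Adapter   = $p.Name
        Property  = if ($p.DisplayName) { $p.DisplayName } else { $p.RegistryKeyword }
        Keyword   = $p.RegistryKeyword
        Value     = $value
        Compliant = $compliant
    }
}

$report | Format-Table -AutoSize

if ($report | Where-Object { -not $_.Compliant }) {
    # Non-zero exit so a scheduled task or monitoring job can flag this DC.
    Write-Warning 'One or more TSO/LSO settings are still enabled; rerun with -Fix or change them in Device Manager.'
    exit 1
}
```

Run it first without -Fix to see which adapters and keywords it matched; once the names are confirmed for your driver, `.\Check-Offload.ps1 -Fix -WhatIf` shows what would change and `-Fix` applies it. Because a NIC property change resets the adapter, apply it to one DC at a time rather than fanning it out with Invoke-Command across all of them at once.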
Npcap drivers.
Users have not grown significantly since running our sizing tool last April.
Most importantly, I want to know the exact logic of how this alarm is triggered. Is any filtering/averaging involved over a period of time, or would a spike/peak in traffic do it?
Thanks!