Version 7 (modified by cseifert, 9 years ago)

--

Troubleshooting Guide 2.5.0

1 . Starting the Capture Server, I get an error message.

  • read the error message. It usually gives you a starting point on what might be wrong.
  • make sure your config file, account settings, firewall settings are correct. Most problems point to incorrect settings, permissions, and/or connectivity.
  • ensure that you are using supported software. Capture has been tested with very specific software and software versions (e.g. VMware Server 1.0.4, C++ 2005 Redistributable Libraries SP1). If you use some other software and versions, it might not work. Try a supported configuration first. See the readme.txt file for supported configurations.
  • read this troubleshooting guide. There might be a solution to your problem described in the guide.
  • check the Capture-HPC mailing list. If there is problem with the Capture software, most likely someone else has encountered it as well and has asked for assistance on the mailing list. If you don’t find anything, post to the mailing list for help.
  • if you tried everything, check for a known bug at https://projects.honeynet.org/capture-hpc/report/1. If none are listed that describes your problem, file a new bug. Ensure that you describe the configuration of your system, attach log files (there is also a log file on the guest os now) and describe it so it can be reproduced. If we cannot reproduce it, we cannot fix it :(

2 . Starting the Capture Server, I get the error: "VIX Error on connect in connect: The system returned an error. Communication with the virtual machine may have been interrupted"

  • Check the IP address and port of your virtual-machine-server setting in config.xml. If it is correct, ensure that you are able to connect to it from the machine you are running the Capture-Server on via the VMware console. If this does not work, your firewall is likely not configured correctly.

3 . Starting the Capture Server, I get the error: "VIX Error on connect in connect: Insufficient permissions in host operating system"

  • Check the username/password of your virtual-machine-server setting in config.xml. If it is correct, ensure that you are able to connect to it from the machine you are running the Capture-Server on via the VMware console. If this does not work, your username/password is incorrect.

4 . Starting the Capture Server, I get the error: VIX Error on login: Insufficient permissions in guest operating system

  • Check the username/password of your virtual machine and that user has administrator rights and is able to start the CaptureClient?.exe.

5 . Starting the Capture Server, I get the error: Client inactivity, reverting VM

  • This error indicates that the application specified in the client-path (the Capture Client application) wasn’t found or doesnt have connectivity to the server. Check the path and retry.

6 . Starting the Capture Server, I get the error: "VIX Error on obtaining handle: A file was not found"

  • Check the path to your virtual machine vmx file and that the permissions are set correctly. You could open the virtual machine via the console to verify.

7 . Starting the Capture Server, I get the error: java.net.URISyntaxException

  • This error indicates that the URL you are trying to visit is not of valid URI syntax. Check the URL that causes the issue and ensure that the URI is URL encoded.

8 . All/ many URLs are classified as malicious although they are not.

  • The way Capture determines whether a URL is malicious is done via the detecting unauthorized state changes on the system. Because many state changes occur naturally on a system (log files are written, etc), Capture uses exclusion lists to ignore those sorts of state changes. Once a state change occurs that is not excluded, the URL is classified as malicious.
  • The reason why a benign URL is classified as malicious lies in the exclusion list and the system you are using. The exclusion list that is provided with the Capture distribution is based on a clean English Windows XP SP2 installation. If you use a slightly different patch level, different language, have additional software (e.g. flash) installed, Capture might not exclude state changes that now occur naturally on the system you are using. The solution is to modify the exclusion lists.

9 . The Capture Client is started within the VM, but fails to connect to the Capture Server

  • Currently, there is a bug that prevents communication of the Capture Server and Capture Client on ports other than the default port 7070. Configure your server to use port 7070.
  • If you continue to have problems, check whether connectivity between the Capture Client and Server exists, i.e. no firewall blocks communication. This can be easily checked by telnetting from the guest OS to the Capture Server once its started.

10 . Starting the Capture Server, I get the error: VIX_E_INVALID_ARG

  • This error occurs when the wrong VIX library is installed on the system. VMware offers two versions. Version 1.1.0 and the one that comes with the client package of the VMware server. You need to have the one that comes with VMware server installed.

11 . The browser starts, but sites are not visted.

  • This can happen when using the Internet Explorer Bulk algorithm. This algorithm starts IE as its own process and then attaches to the process to obtain events from the browser. In order for this mechanism to work, you need to be logged in as the user on the guest OS that is used to start the browser (configured in config.xml)

12 . I am getting a lot of VM stalled errors.

  • This might occur when running many client instances (e.g. 50 iexplorebulk) at the same time or when the box that runs the client VM is not very powerful or the connection to the Internet is slow. In those cases, simply increase the timeouts in the config.xml and try again.

13 . The revert of the virtual machine fails with error 136.

  • This error can occur on linux if the revert binary can not be executed. This could be due to missing executable flag or due to OS/lib incompatibilities. If the revert binary can not be executed from the command line, it is recommended to recompile the capture-server from scratch. See compile_README.txt for details.

14 . Starting Capture client from the command line, I get an error that states that Capture can't be executed

  • This failure is likely to be related to the C++ Redistributable Library Package. Capture 2.5.0 and above, requires C++ 2008 Redistributable Library Package without a service pack.