2.4.130 Upgrade - No longer can retrieve PCAPs on Standalone

[ZacharyPax]

Version

2.4.130

Installation Method

Security Onion ISO image

Description

upgrading

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

48

RAM

128GB

Storage for /

500GB

Storage for /nsm

18TB

Network Traffic Collection

tap

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Since upgrading to 2.4.130, even after a full reboot, I am unable to retrieve PCAPs.

The only thing returned is: "No search results were found."

I am using Stenographer on a Standalone installation. The PCAPs are indeed being recorded, but the GUI simply does not retrieve them for me.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[ZacharyPax]

I should add that so-pcap-export with a regular stenographer query works as expected.

[reyesj2]

Can you share any errors found in /opt/so/log/sensoroni/sensoroni.log? If you aren't seeing any errors try tailing that file and executing another pull pcap via the UI

[ZacharyPax]

Sorry I didn't use the reply function in my other message.

After experimenting with different user agents and browsers, Chromium-based and Firefox-based, I have been unable to find a fix for this issue thus far.

[ZacharyPax]

Good morning and thanks for getting back to me!

At first I didn't see any errors but I was able to capture something. Please see below:

{"fields":{"jobId":REDACTED},"level":"info","timestamp":"2025-03-13T13:56:33.690978502Z","message":"Discovered pending job"}
{"fields":{"availableDataBeginDate":"2025-03-06T20:25:59.859637982Z","availableDataEndDate":"2025-03-13T13:54:33.691026706Z","jobBeginDate":"0001-01-01T00:00:00Z","jobEndDate":"0001-01-01T00:00:00Z","jobId":REDACTED},"level":"info","timestamp":"2025-03-13T13:56:33.69103989Z","message":"Skipping steno processor due to date range conflict"}
{"fields":{"availableDataBeginDate":"2025-02-10T16:23:58Z","availableDataEndDate":"2025-03-13T13:54:33.691089933Z","jobBeginDate":"0001-01-01T00:00:00Z","jobEndDate":"0001-01-01T00:00:00Z","jobId":REDACTED},"level":"info","timestamp":"2025-03-13T13:56:33.691092093Z","message":"Skipping suri processor due to date range conflict"}

(Please note that I manually redacted the job ID because I personally don't want the amount of PCAP jobs I run being public.)

This led me to believe that the job wasn't taking the time from the GUI. Upon checking the job in the GUI, I do see that there is no time range attached to the job when I create it with the GUI.

For whatever reason on my setup the GUI time selector thing doesn't actually apply a time, even after hitting apply. Manually typing a time in and using the "Custom Range" function also doesn't work. Manually typing a time and then hitting apply in the GUI also doesn't work.

I'm going to experiment with different browsers and see if it's a browser thing. There are however no console or network errors when I load the GUI so I'm not entirely sure.

Thanks for your help so far!

[reyesj2]

Is the time configured correctly on both the standalone and your machine?
If you switch back to suricata for pcap do you see the same behavior?

[dougburks]

Looks like this is a regression. I've created issue #14387 to work on this.

[ZacharyPax]

Sounds good, thank you so much.

[011248163264]

Hi have the same issue after update to 2.4.130

[dougburks]

@011248163264 Yes, as I mentioned above, this is a regression in 2.4.130. This should be fixed in the upcoming 2.4.140 release:
#14387

[dougburks]

@ZacharyPax @011248163264 we've just released Security Onion 2.4.140 which should resolve this issue. Please try updating and see if that helps.
https://blog.securityonion.net/2025/03/security-onion-24140-now-available.html

[011248163264]

ok i will update

[011248163264]

its not working, i have tryet with so-test and maked a pcap, the job is in the list but takes long time to finish,
and comes with "No search resluts found"

[dougburks]

@011248163264 Perhaps you are dealing with some other kind of issue. Please start a new discussion at https://github.com/Security-Onion-Solutions/securityonion/discussions/new?category=2-4 and provide full details about your system and how you're trying to request the pcap.

[ZacharyPax]

@dougburks I've just updated the instance and can confirm that the issue is indeed resolved! Thank you so much!

[dougburks]

Thanks for confirming @ZacharyPax !