Docket "Download Result Unavailable"

I’m running into an issue in which Docket seems to execute all of the queries without any errors, however I do not get any pcap back into Docket.

The query_task State always goes to completed but the message I get is always “stenographer queries completed. No packets returned.” I have tried dozens of different queries and always seem to get this result.

Make sure to check your /etc/stenographer/config file for the line containing “Port”: 1234

Then check /etc/docket/prod.yaml to make sure that that interface port is listed:
sudo vi /etc/docket/prod.yaml

STENOGRAPHER_INSTANCES:
  [{"ca": "/etc/pki/docket/sensor_ca_cert.pem", "host": "10.4.10.21", "cert": "/etc/pki/docket/docket-es1_sensor-sensor_cert.pem", "key": "/etc/pki/docket/docket_10.4.10.25_key.pem", "sensor": "sensor", "port": 1234},
  {"ca": "/etc/pki/docket/sensor_ca_cert.pem", "host": "10.4.10.21", "cert": "/etc/pki/docket/docket-es1_sensor-sensor_cert.pem", "key": "/etc/pki/docket/docket_10.4.10.25_key.pem", "sensor": "sensor", "port": 1235},
  {"ca": "/etc/pki/docket/sensor_ca_cert.pem", "host": "10.4.10.21", "cert": "/etc/pki/docket/docket-es1_sensor-sensor_cert.pem", "key": "/etc/pki/docket/docket_10.4.10.25_key.pem", "sensor": "sensor", "port": 1236}]

After modifications:

sudo rockctl stop
sudo rockctl start

After poking around some more, I’ve noticed the issue you are describing particularly with the event.dataset: flow/notice/weird. Not sure why it is, possibly to do with the type of data?
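A small check for the port mismatch the reply above describes, added here as an example and not part of the original thread or of the Docket/RockNSM projects: it pulls the "Port" values out of /etc/stenographer/config and the STENOGRAPHER_INSTANCES list out of /etc/docket/prod.yaml and reports every Docket instance whose port has no Stenographer listener behind it, since Docket queries against such an entry come back empty. The two config excerpts embedded below are constructed samples in the layout shown in the thread (the Stenographer one is trimmed to the keys this check needs); the file paths are the ones the reply names, and the comparison is by port only, exactly as the reply suggests.

```python
import json
import re

# Constructed sample of /etc/stenographer/config, trimmed to the keys used here.
STENO_CONFIG = """{
  "Interface": "eth1",
  "Host": "127.0.0.1",
  "Port": 1234
}"""

# Constructed excerpt of /etc/docket/prod.yaml in the layout the thread shows:
# the instance list is written inline as JSON under the YAML key.
PROD_YAML = """STENOGRAPHER_INSTANCES:
  [{"ca": "/etc/pki/docket/sensor_ca_cert.pem", "host": "10.4.10.21", "sensor": "sensor", "port": 1234},
  {"ca": "/etc/pki/docket/sensor_ca_cert.pem", "host": "10.4.10.21", "sensor": "sensor", "port": 1235}]
OTHER_SETTING: true
"""


def stenographer_ports(config_text):
    """Return the set of listener ports declared in a Stenographer config.

    The thread only tells us to look for the line containing "Port": N, so
    this scans for that key instead of assuming the rest of the file's schema.
    A single config normally declares one port.
    """
    return {int(p) for p in re.findall(r'"Port"\s*:\s*(\d+)', config_text)}


def docket_instances(yaml_text):
    """Extract the STENOGRAPHER_INSTANCES list from Docket prod.yaml text.

    Because the list is inline JSON (as in the thread), the indented lines
    after the key are collected and handed to the json module; no PyYAML
    dependency is needed for this shape. Collection stops at the next
    top-level (unindented) key.
    """
    block = []
    collecting = False
    for line in yaml_text.splitlines():
        if line.startswith("STENOGRAPHER_INSTANCES:"):
            collecting = True
            rest = line.split(":", 1)[1].strip()
            if rest:
                block.append(rest)
            continue
        if collecting:
            if line and not line[0].isspace():
                break
            block.append(line.strip())
    return json.loads("\n".join(block))


def unreachable_instances(steno_text, yaml_text):
    """Return Docket instances whose port has no matching Stenographer listener.

    Every entry returned here is one Docket will query and get nothing from,
    which is the "No packets returned" symptom from the original post.
    """
    listening = stenographer_ports(steno_text)
    return [inst for inst in docket_instances(yaml_text)
            if inst["port"] not in listening]


def load(path):
    """Read a config file from disk; replace with the sample strings to test offline."""
    with open(path, encoding="utf-8") as fh:
        return fh.read()


if __name__ == "__main__":
    # Run against the constructed samples; swap in load("/etc/stenographer/config")
    # and load("/etc/docket/prod.yaml") on a real sensor.
    for inst in unreachable_instances(STENO_CONFIG, PROD_YAML):
        print("no stenographer listener for host=%s port=%s"
              % (inst["host"], inst["port"]))
```

If the script prints nothing, every port Docket is configured to query has a Stenographer declaring it; if it lists entries, either remove them from prod.yaml or start the corresponding Stenographer instance, then restart with rockctl as the reply describes.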

Thanks for the reply. I’ve double-checked the prod.yaml and it seems to be correct at least for my Stenographer instance running in a container on the box. I’m trying to run both docket and stenographer in separate containers on the same host but I actually don’t have any experience using RockNSM from the regular iso so please excuse me if I’m missing something.

Why does your yaml have 3 separate ports listed for stenographer? Are you running on three interfaces? I’m only seeing the issue with pulling PCAP and not with flow/notice/weird though. My understanding was that Docket only interacts with Stenographer and not with Bro/Zeek which I’m not yet running on my host.