Different PCAP retention period for two similar monitor traffic load of two sensors. #14027
ItzDeadShot asked this question in Q&A (unanswered).
Replies: 1 comment
What version of Security Onion are you using? Are you using Stenographer or Suricata for full PCAP? Are these two sensors in the same distributed deployment or are they in separate deployments? Are these two sensors configured as forward nodes or heavy nodes? What is the output of the following on each of the sensors?
I have a situation where two different sensors with similar monitored traffic load (~50-150 Mb/s most of the time) and similar /nsm storage of ~1TB have two very different PCAP retention periods.
Here is some useful information about the two sensors:
Sensor A
This sensor only has a PCAP retention period of 1 day. I have tried to ignore the capture of SSL/TLS traffic by ignoring 443 traffic, but it didn't make any improvement in the PCAP retention period. The following is the monitored traffic load for the past 7 days:
Here is the BPF filter that I am using:
not (port 443 or host 10.1.2.18 or portrange 3478-3481)
Sensor B
This sensor only has a PCAP retention period of 240+ days. There is no BPF filter applied to this sensor. The following is the monitored traffic load for the past 7 days:
I would like your assistance in determining this behaviour. I have tried analyzing the traffic, but it seems to be normal traffic without any indication of this behaviour. Thank you for your assistance.
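A sanity check of the numbers quoted above, as an added example that is not part of the original post and is not Security Onion code. It assumes "Mb/s" means megabits per second, that the PCAP writer stores every captured byte uncompressed (as Stenographer does), and that the ~1TB figure is the space available to the PCAP store; the sensor figures are the ones from the post.

```python
"""Expected PCAP retention from link load and store size, and the inverse.

Constructed example. Assumptions: load is in megabits per second, packets are
written uncompressed, and the whole store is available to PCAP.
"""

SECONDS_PER_DAY = 86_400
BYTES_PER_TB = 10**12  # decimal terabyte, as disk sizes are usually quoted


def bytes_per_day(load_mbit_s: float) -> float:
    """Bytes written per day at a sustained load of load_mbit_s megabits/second."""
    return load_mbit_s * 1_000_000 / 8 * SECONDS_PER_DAY


def expected_retention_days(storage_tb: float, load_mbit_s: float) -> float:
    """Days of PCAP a store of storage_tb holds if every bit on the wire is written."""
    return storage_tb * BYTES_PER_TB / bytes_per_day(load_mbit_s)


def implied_write_rate_mbit_s(storage_tb: float, observed_days: float) -> float:
    """Inverse: the sustained rate actually reaching disk, given the observed retention."""
    bytes_per_s = storage_tb * BYTES_PER_TB / (observed_days * SECONDS_PER_DAY)
    return bytes_per_s * 8 / 1_000_000


def consistency(storage_tb: float, low_mbit_s: float, high_mbit_s: float,
                observed_days: float) -> str:
    """Compare observed retention with the range the quoted load would give.

    Retention far longer than the load implies means the writer is receiving
    far less than the monitored load (wrong capture interface, drops, or a
    filter); far shorter means more is being written than the graph shows.
    """
    shortest = expected_retention_days(storage_tb, high_mbit_s)
    longest = expected_retention_days(storage_tb, low_mbit_s)
    if observed_days > longest:
        return "longer than load implies"
    if observed_days < shortest:
        return "shorter than load implies"
    return "within expected range"


if __name__ == "__main__":
    # Figures quoted in the post: ~1 TB store, 50-150 Mb/s, 1 day vs 240+ days.
    for name, days in (("Sensor A", 1.0), ("Sensor B", 240.0)):
        print(name, consistency(1.0, 50, 150, days),
              f"implied write rate {implied_write_rate_mbit_s(1.0, days):.2f} Mb/s")
```

At 100 Mb/s a 1 TB store fills in under a day, so Sensor A's 1 day is what the quoted load predicts, while 240 days on 1 TB corresponds to well under 1 Mb/s actually being written on Sensor B.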