Question & Answer
Question
In a Unix environment, K-TAP captures both network and local traffic, and PCAP is rarely used, as described in the product manual page for Unix S-TAP. However, Technical Support might sometimes suggest enabling PCAP for diagnostic purposes or for another specific reason. How do you enable PCAP? Unix S-TAP http://pic.dhe.ibm.com/infocenter/igsec/v1/index.jsp?topic=%2Fcom.ibm.g…
Answer
Configure guard_tap.ini as follows and restart S-TAP to enable PCAP to capture network traffic.
Before) Use K-TAP for both network and local traffic
ktap_local_tcp=0
devices=none
After) Use PCAP for network and K-TAP for local traffic
ktap_local_tcp=1
devices=en1
Use the 'devices' option to specify the name of the interface whose traffic needs to be captured. To capture traffic from more than one network interface, list all the required interface names, for example "devices=en1,en2".
Note that K-TAP will continue capturing all local traffic and any existing remote connections. After S-TAP is restarted, newly established network connections will be captured by PCAP. Refer to the product manual page to learn more about these guard_tap.ini parameters:
- K-TAP parameters
  - ktap_local_tcp
- General parameters
  - devices
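A quick way to confirm which of the two configurations a given guard_tap.ini is in before restarting S-TAP, as an added example that is not from IBM's documentation. It assumes parameters are plain key=value lines as shown above and that lines starting with # or ; are comments; the function names and mode labels are hypothetical.

```shell
#!/bin/sh
# Added example (not IBM code): report which capture mode a guard_tap.ini selects.
# Assumption: parameters are plain key=value lines, as shown on this page.

# Print the value of the last uncommented "key=value" line for key $2 in file $1.
ini_get() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ || index($0, "=") == 0 { next }   # comments, non-assignments
        {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t\r]/, "", k)
            v = substr($0, index($0, "=") + 1);    gsub(/[ \t\r]/, "", v)
            if (k == key) { val = v; found = 1 }
        }
        END { if (found) print val }
    ' "$1"
}

# Echo ktap-all, pcap-network:<interfaces> or unknown; return 0 only for the
# two configurations documented above.
stap_capture_mode() {
    [ -r "$1" ] || { echo "unreadable"; return 2; }
    local_tcp=$(ini_get "$1" ktap_local_tcp)
    devices=$(ini_get "$1" devices)
    if [ "$local_tcp" = "0" ] && [ "$devices" = "none" ]; then
        echo "ktap-all"; return 0
    fi
    if [ "$local_tcp" = "1" ]; then
        case "$devices" in
            ""|none|,*|*,|*,,*) ;;      # missing, disabled or malformed list
            *) echo "pcap-network:$devices"; return 0 ;;
        esac
    fi
    echo "unknown"; return 1
}

# Constructed sample: the "After" settings with two interfaces.
sample=$(mktemp)
printf 'ktap_local_tcp=1\ndevices=en1,en2\n' > "$sample"
stap_capture_mode "$sample"
rm -f "$sample"
```

A result of "unknown" means the file matches neither the "Before" nor the "After" settings, for example ktap_local_tcp=1 with devices=none.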
Product: IBM Security Guardium. Platforms: AIX, HP-UX, Linux, Solaris. Versions: 9.0, 8.2.
Document Information
Modified date:
16 June 2018
UID
swg21662385