Installing and using packet capture tools for the 8 and 9 series of the Layer 7 Gateway

Document ID : KB000009563
Last Modified Date : 26/03/2019
Introduction:
  • At times, it is necessary to capture network traffic received by and sent from the Gateway appliance. The Gateway appliance does not come with the necessary packages to do this by default. This article describes the steps required to install the necessary RPMs and a basic command that can be used to generate a packet capture.
Environment:
  • API Gateway 8.x and 9.x series
Instructions:
  • Follow these steps to install the tcpdump application if it is not already present on the appliance.
  1. Download the compressed archive attached to this article to a workstation.
  2. Upload the contents of the compressed archive to the Gateway appliance via SFTP or SCP as the ssgconfig user.
  3. Log into the Gateway appliance as the ssgconfig user.
  4. Select Option #3: Use a privileged shell (root).
  5. Install the libpcap RPM: rpm -i -vh /home/ssgconfig/libpcap-1.4.0-4.20130826git2dbcaa1.el6.x86_64.rpm
  6. Install the tcpdump RPM: rpm -i -vh /home/ssgconfig/tcpdump-4.0.0-9.20090921gitdf3cb4.2.el6.x86_64.rpm
  • Note: The /home/ssgconfig/ path may need to be adjusted to reflect the actual path the files were uploaded to on the appliance.
  • The following command is used to run the tcpdump application: tcpdump -s 0 -i any -w /home/ssgconfig/case_number.cap
    • The -s option specifies where the packet capture will start; it should always be 0.
    • The -w option specifies the file system path the packet capture will be written to.
    • The -i option specifies the interface to capture on. Valid values include, but are not limited to: eth0, eth1, eth2, lo, or any.
    • The tcpdump application supports a wide array of options; they are documented in its manual page on the Gateway appliance (man tcpdump). Wireshark, a cross-platform application, can be used to interpret and display the capture file written by tcpdump in a human-readable format.
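  • The following script is an added example (not part of this article or of the Gateway product) that wraps the install-and-capture steps above so they can be run from the privileged shell in one go. It assumes the two RPMs named above were uploaded to /home/ssgconfig (override with UPLOAD_DIR), restricts -i to the interface names listed above, and adds tcpdump's standard -c packet-count option, which is not on this page, so that a capture is bounded.

```shell
#!/bin/sh
# Added example, not from the KB article: install tcpdump if missing, then
# run the capture command shown above. Assumes the RPMs were uploaded to
# $UPLOAD_DIR (default /home/ssgconfig) and that this runs as root.
set -eu

UPLOAD_DIR="${UPLOAD_DIR:-/home/ssgconfig}"   # adjust if uploaded elsewhere
LIBPCAP_RPM="libpcap-1.4.0-4.20130826git2dbcaa1.el6.x86_64.rpm"
TCPDUMP_RPM="tcpdump-4.0.0-9.20090921gitdf3cb4.2.el6.x86_64.rpm"

# Accept only the interface names the article lists, so a typo does not
# silently capture on the wrong interface (or fail mid-incident).
valid_iface() {
    case "$1" in
        eth0|eth1|eth2|lo|any) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the capture command exactly as the article shows (-s 0, -i <iface>,
# -w /home/ssgconfig/<case>.cap). A non-zero count adds -c to bound the run.
build_capture_cmd() {
    iface="$1"; case_no="$2"; count="${3:-0}"
    valid_iface "$iface" || { echo "invalid interface: $iface" >&2; return 1; }
    cmd="tcpdump -s 0 -i $iface -w $UPLOAD_DIR/$case_no.cap"
    [ "$count" -gt 0 ] && cmd="$cmd -c $count"
    echo "$cmd"
}

# Steps 5 and 6: libpcap first (tcpdump depends on it), then tcpdump,
# but only when tcpdump is not already on the appliance.
install_tcpdump_if_missing() {
    if command -v tcpdump >/dev/null 2>&1; then
        echo "tcpdump already installed"; return 0
    fi
    [ "$(id -u)" -eq 0 ] || { echo "run from the privileged shell (root)" >&2; return 1; }
    rpm -i -vh "$UPLOAD_DIR/$LIBPCAP_RPM"
    rpm -i -vh "$UPLOAD_DIR/$TCPDUMP_RPM"
}

# Usage: CASE=12345 IFACE=any COUNT=1000 sh capture.sh   (IFACE, COUNT optional)
if [ -n "${CASE:-}" ]; then
    install_tcpdump_if_missing
    cmd="$(build_capture_cmd "${IFACE:-any}" "$CASE" "${COUNT:-0}")"
    echo "running: $cmd"
    $cmd
fi
```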
Additional Information:
  • If security policy requires it, uninstall the RPMs after the data has been captured and analysed. Otherwise it can be useful to leave them installed, as this saves considerable time when network traffic needs to be captured again.
File Attachments:
tcpdump_files.zip