000031155 - How to capture packets (pcap) using SilverTap for RSA Web Threat Detection

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 4

Article Content

Article Number: 000031155
Applies To:
RSA Product Set: Web Threat Detection, Silver Tail
RSA Product/Service Type: Forensics, SilverTap
RSA Version/Condition: All
Resolution
The SilverTap section of Configuration Manager has several options for packet capture. They fall under three main headings: Trace, Capture and Debug. All three write full packet payloads to disk, so treat the resulting pcap files as sensitive data and enable these features only for the duration of the investigation.
Trace

Trace is a specialized form of pcap capture: a session is written to disk only when specific strings are found in its packets. Tracing can be used to explore network traffic at a low level, or to investigate problems with the tap service. It is especially useful during initial installation and configuration.

Trace has the following options:

Whether tracing is enabled. Since tracing can expose sensitive information (the pcap files contain full request and response payloads), leave tracing disabled in normal operation.
pcapDirPath: e.g. /path/to/pcap/files/produced/by/tracing
If the debug tracing feature is used, a pcap (packet capture) file is generated for each session that matches the trace filter criteria. This setting controls the file system location where these pcap files are written.
Sets the initial number of sessions to be traced when tap starts. This value can also be changed interactively from the /trace page.
Sets the initial number of sessions with errors to be traced when tap starts. This value can also be changed interactively from the /trace page.
Specifies a string that a log entry must contain for a session to be considered desirable during tracing. This takes effect as soon as tap starts, and can also be changed interactively from the /trace page.
Capture

Controls the creation of a ring buffer of pcap (packet capture) files.
Setting this flag enables packet capture as defined in this section.
base: e.g. base
Base name of the files that comprise the ring buffer. For example, if this is 'base' (the default), the ring files are named base_0.pcap, base_1.pcap, etc.
numFiles: e.g. 10
Maximum number of pcap files in the ring buffer. Once this many files exist, the oldest is overwritten, so the ring never holds more than numFiles x fileDurationSecs seconds of traffic (10 minutes with the example values). Note that a file's index does not indicate its age once the ring has wrapped; use the file modification time.
fileDurationSecs: e.g. 60
Each capture file in the ring buffer contains this many seconds of traffic. The default is 60.
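As an added example (shell helpers written for this article, not code from RSA or from SilverTap itself), the functions below inspect a ring buffer produced with the settings above. They assume only the file naming the article gives (<base>_<n>.pcap), that the files sit in one directory (the article does not say where capture files land, so the directory is passed in), and a POSIX shell with ls, od and touch. The demo ring is constructed by make_demo_ring and contains bare pcap global headers, no packets.

```shell
#!/bin/sh
# Added example, not code from the RSA article or from SilverTap.
# Helpers for a SilverTap-style pcap ring buffer: files named <base>_<n>.pcap,
# numFiles of them, each covering fileDurationSecs seconds of traffic.

# Seconds of traffic the ring holds once it is full: numFiles * fileDurationSecs.
ring_window_secs() {
    echo $(( $1 * $2 ))
}

# Ring files oldest-first. Index order is NOT time order once the ring has
# wrapped (base_0.pcap is overwritten again after base_<numFiles-1>.pcap),
# so order by modification time instead. Arguments: directory, base name.
ring_files_oldest_first() {
    ls -tr "$1"/"$2"_*.pcap 2>/dev/null
}

# The file currently being written (or the last one closed).
ring_newest() {
    ring_files_oldest_first "$1" "$2" | tail -n 1
}

# Sanity check before handing a file to tcpdump or Wireshark: the first four
# bytes must be a pcap (either byte order, micro- or nanosecond) or pcapng
# magic number. An empty or truncated file fails the check.
pcap_magic_ok() {
    case "$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d|0a0d0d0a) return 0 ;;
        *) return 1 ;;
    esac
}

# Number of ring files with a bad magic number (0 means the ring is healthy).
# Paths are split on whitespace, so keep the ring directory free of spaces.
ring_bad_files() {
    bad=0
    for f in $(ring_files_oldest_first "$1" "$2"); do
        pcap_magic_ok "$f" || bad=$((bad + 1))
    done
    echo "$bad"
}

# Constructed demo data: a 4-file ring that has wrapped, so base_1.pcap is
# the newest and base_2.pcap the oldest. Each file is a little-endian pcap
# global header (magic a1b2c3d4, version 2.4, snaplen 65535, LINKTYPE_ETHERNET);
# base_3.pcap is then truncated to simulate a file cut short mid-write.
make_demo_ring() {
    mkdir -p "$1"
    for n in 0 1 2 3; do
        printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' \
            > "$1/base_$n.pcap"
    done
    : > "$1/base_3.pcap"
    touch -t 202301010000.00 "$1/base_2.pcap"
    touch -t 202301010001.00 "$1/base_3.pcap"
    touch -t 202301010002.00 "$1/base_0.pcap"
    touch -t 202301010003.00 "$1/base_1.pcap"
}
```

Run ring_files_oldest_first on the real ring directory to get the files in the order you would feed them to mergecap or tcpdump -r; a non-zero ring_bad_files result usually means the tap was stopped while a file was open, or the disk filled up.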
Debug

Various debugging features.
Exits after this many Kpackets (thousands of packets). The default is to never exit.
Enables worker thread sharding that also considers the client and server port. This is only advisable in certain testing situations, since it can cause SSL session cache misses when cohorts using SSL session resumption are processed.
List of debug options. The interpretation of this field may change across versions of SilverTap.
packetBufferSize: e.g. 0, 10, 100
Number of packet headers saved in each TCP stream object. These make it easier to debug SilverTap with GDB, and are used in the output of certain asserts. This option is very expensive, and should only be used at the direction of RSA WTD Customer Support.
sslCacheSweepInterval: e.g. 60
Time in seconds between sweeps that remove expired and evicted entries from the SSL session cache map.
Note that everything above can also be done from the command line; see the options below. For example:
/var/opt/silvertail/bin/silvertap -f /var/opt/silvertail/etc/conf.d/SilverTap-wtd503/SilverTap-wtd503.conf -w testcap
For quick modification and testing, copy the SilverTap-*.conf file, edit the copy, and pass it with the -f switch as above, so the running configuration is left untouched.
-f --conf=<FILE>
    Specify a conf file.
-S --shard=<SHARD>
    Overrides <program shard="x"> in the conf file.
-l --license-file=<FILE>
    Specify a license file. The default is derived from the conf file by replacing .conf with .license.
-d --device=<ETH>
    The ethernet device to sniff. Defaults to eth0.
-D --dump-file=<FILE>
    Pcap dump file to fake traffic, or '-' to read from stdin. Overrides -d.
-p --ports=<PORT>[,<PORT>]
    The destination ports to sniff. Defaults to 80.
-i --stats-interval=<INT>
    The interval between performance stats sent to syslog. Defaults to 60.
-x --exit-after-kpackets=<INT>
    Exit after this many Kpackets. Defaults to never exit.
-z --debug-opt=<OPTION>
    Provide a debugging option.
-b --batch-limit=<INT>
    Specify batch limit size. Use -b 1 for low volume testing.
-y --facility=<STRING>
    The syslog facility to use. Implies -s.
    Good facility choices: user, local0, local1, ... local7.
    Unrecognized facility names are silently treated as 'user'.
-s --syslog
    Log to syslog.
-I --reincarnate
    Restart after exceeding memory limit.
-T --enable-tracing
    Enable connection tracing.
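As an added example (a shell wrapper written for this article, not RSA's or SilverTap's own code), the script below turns the switches above into a bounded test run: it makes a scratch copy of the conf as the article suggests, checks the inputs before launching, replays a pcap with -D and caps the run with -x. The binary and conf paths are the article's example paths and are only defaults; the function names, the preflight checks and the license-path derivation (taken from the -l description) are assumptions of this example, as is the choice of local0 for -y.

```shell
#!/bin/sh
# Added example, not code from the RSA article or from SilverTap.
# Bounded test run of silvertap against a pcap dump, built from the switches
# documented above. Paths are the article's examples; override via environment.
SILVERTAP_BIN=${SILVERTAP_BIN:-/var/opt/silvertail/bin/silvertap}
SILVERTAP_CONF=${SILVERTAP_CONF:-/var/opt/silvertail/etc/conf.d/SilverTap-wtd503/SilverTap-wtd503.conf}

# Default license location as documented for -l: the conf path with .conf -> .license.
license_for_conf() {
    echo "${1%.conf}.license"
}

# Copy the live conf (and its license, if present) into a scratch directory so
# edits for the test never touch the running configuration; print the copy's path.
scratch_conf() {
    src=$1; dir=$2
    mkdir -p "$dir"
    cp "$src" "$dir/"
    lic=$(license_for_conf "$src")
    [ -f "$lic" ] && cp "$lic" "$dir/"
    echo "$dir/$(basename "$src")"
}

# Argument list for a replay run, one argument per line so run_replay can
# rebuild positional parameters without word-splitting surprises:
#   -D reads packets from a dump instead of the wire (overrides -d),
#   -p lists the destination ports to decode (default 80),
#   -x exits after N thousand packets so the test cannot run forever,
#   -b 1 is the batch limit the article recommends for low-volume testing,
#   -y local0 sends logs to syslog facility local0 (implies -s),
#   -T enables connection tracing.
replay_args() {
    conf=$1; dump=$2; kpackets=${3:-10}; ports=${4:-80}
    printf '%s\n' -f "$conf" -D "$dump" -p "$ports" -x "$kpackets" -b 1 -y local0 -T
}

# Preflight: fail early on the mistakes that otherwise surface only as a
# silent exit or an unhelpful syslog line (missing conf, missing license,
# empty dump file).
preflight() {
    conf=$1; dump=$2
    [ -r "$conf" ] || { echo "conf not readable: $conf" >&2; return 1; }
    lic=$(license_for_conf "$conf")
    [ -r "$lic" ] || { echo "license missing: $lic" >&2; return 1; }
    [ -s "$dump" ] || { echo "dump file empty or missing: $dump" >&2; return 1; }
    return 0
}

# Launch silvertap. Positional parameters are rebuilt from replay_args with IFS
# set to newline only, so paths containing spaces survive intact.
run_replay() {
    conf=$1; dump=$2; kpackets=$3; ports=$4
    preflight "$conf" "$dump" || return 1
    old_ifs=$IFS
    IFS='
'
    set -- $(replay_args "$conf" "$dump" "$kpackets" "$ports")
    IFS=$old_ifs
    "$SILVERTAP_BIN" "$@"
}

# Usage (needs silvertap installed; not exercised by the test):
#   run_replay "$(scratch_conf "$SILVERTAP_CONF" /tmp/silvertap-test)" /tmp/sample.pcap 5 80,443
```

Because -y implies -s, the tap's performance stats and any tracing output land in syslog under local0; point your syslog configuration at a separate file for that facility before the run so the test output does not mix with production logs.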