000016395 - TCPDump for the Authentication Manager Appliance 8.x

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000016395
Applies To: Authentication Manager Version 8
Issue: TCPDump for the appliance 8.x
Need to do a packet capture with tcpdump.
Resolution: The RSA Appliance 8.x includes the tcpdump utility in the /usr/sbin directory; you need to be root to use it. Typically it is run over SSH, but you can also use the Linux console.
If SSH is not enabled, log on to the Operations Console, go to Administration > Operating System Access, put a check in Enable SSH, and click Save.
Log in with rsaadmin and the Operating System Password.
sudo su       (it will ask for a password again; supply the operating system password again)
cd /usr/sbin
When you are ready to run the packet capture, an example of running tcpdump is:
./tcpdump -i eth0 -s 1514 -Z root port 5500           (note, -Z is capitalized)
This example will collect all traffic to or from the SecurID port 5500 (both UDP and TCP), and send it to the screen.
Tcpdump is a third-party utility included with the appliance; it is NOT an RSA tool. Various websites give detailed instructions and information on the other options the tcpdump utility accepts; please consult them to choose the appropriate options for troubleshooting your particular issue.
A few common examples are below:
./tcpdump -i eth0 -s 1514 -Z root host <IP address>
This example will show all traffic to or from the IP address given after host, and send a summary to the screen.
./tcpdump -i eth0 -s 1514 -Z root -w /tmp/cap1.cap
This example will write a file in /tmp named cap1.cap with the details of the capture. This file can then be analyzed in detail using a third-party tool such as Wireshark, or sent to an RSA Engineer for analysis.
Typically you will need to change permissions on the file using something similar to:
chmod 777 cap1.cap
and then use a third-party secure copy program such as WinSCP to copy it off the appliance.
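As an added example (not RSA's code and not part of the original article), the following POSIX shell wrapper collects the invocations above into functions: it builds the BPF filter ("port 5500" alone matches both UDP and TCP, and a host narrows it to one address), assembles the same tcpdump command line the article shows, and, when run as root on a system that has tcpdump, bounds the capture with a packet count (tcpdump's -c option) so an unattended capture cannot fill /tmp. It also shows a tighter alternative to chmod 777 for handing the file to rsaadmin. The interface eth0, the /tmp path, port 5500 and the rsaadmin account are taken from the article; the packet count, the file-naming scheme and the function names are assumptions made here.

```shell
#!/bin/sh
# Added example, not RSA's code: a wrapper around the tcpdump commands in the article.
# Assumptions: interface eth0, capture files under /tmp, SecurID agent port 5500,
# and rsaadmin as the account that will copy the file off the appliance.

# build_filter PORT [HOST]
# Prints a BPF filter expression. "port N" alone matches both UDP and TCP on that
# port, as the article's "port 5500" example does; a HOST narrows it to one address.
build_filter() {
    port="$1"
    host="$2"
    if [ -n "$host" ]; then
        printf 'host %s and port %s' "$host" "$port"
    else
        printf 'port %s' "$port"
    fi
}

# build_capture_cmd IFACE OUTFILE PORT [HOST]
# Prints the full command line in the article's "-s 1514 -Z root -w FILE" form.
build_capture_cmd() {
    iface="$1"
    outfile="$2"
    port="$3"
    host="$4"
    printf 'tcpdump -i %s -s 1514 -Z root -w %s %s' \
        "$iface" "$outfile" "$(build_filter "$port" "$host")"
}

# capture_file_name LABEL
# Prints a timestamped path under /tmp (e.g. /tmp/cap-securid-20240101-120000.cap)
# so that repeated captures do not overwrite each other.
capture_file_name() {
    printf '/tmp/cap-%s-%s.cap' "$1" "$(date +%Y%m%d-%H%M%S)"
}

# run_capture IFACE OUTFILE PORT [HOST] [COUNT]
# Runs a bounded capture: -c stops tcpdump after COUNT packets (default 1000).
# Requires root (the article's "sudo su") and a tcpdump binary in PATH.
run_capture() {
    iface="$1"
    outfile="$2"
    port="$3"
    host="$4"
    count="${5:-1000}"
    if [ "$(id -u)" -ne 0 ]; then
        echo "run_capture: must be root (use: sudo su)" >&2
        return 1
    fi
    if ! command -v tcpdump >/dev/null 2>&1; then
        echo "run_capture: tcpdump not in PATH (on the appliance it is /usr/sbin/tcpdump)" >&2
        return 1
    fi
    filter=$(build_filter "$port" "$host")
    # $filter is intentionally unquoted: tcpdump joins the remaining words into one filter.
    tcpdump -i "$iface" -s 1514 -Z root -c "$count" -w "$outfile" $filter
}

# release_capture OUTFILE
# The article uses "chmod 777" so a copy tool can read the file. A tighter alternative
# that still lets rsaadmin fetch it with WinSCP: make rsaadmin the owner and keep the
# file private (mode 600), since the capture may contain authentication traffic.
release_capture() {
    outfile="$1"
    chown rsaadmin "$outfile" && chmod 600 "$outfile"
}

# Usage on the appliance, as root:  sh capture.sh run [HOST]
if [ "$1" = "run" ]; then
    out=$(capture_file_name securid)
    echo "running: $(build_capture_cmd eth0 "$out" 5500 "$2")"
    run_capture eth0 "$out" 5500 "$2" 500 && release_capture "$out" \
        && echo "capture written to $out (owner rsaadmin, mode 600)"
fi
```

Run it as root on the appliance with `sh capture.sh run` for all SecurID traffic, or `sh capture.sh run <IP address>` to restrict the capture to one agent; the timestamped file under /tmp can then be copied off with WinSCP as rsaadmin and opened in Wireshark.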
Notes: keywords: tcpdump packet capture wireshark pcap sniffer trace
Legacy Article ID: a63468