on Jun 14, 2016Article Content
| Article Number | 000016395 |
| Applies To | Authentication Manager Version 8 |
| Issue | TCPDump for the appliance 8.x Need to do a packet capture tcpdump |
| Resolution | The RSA Appliance 8.x includes the tcpdump utility in the /usr/sbin directory , you need to be root to use it. Typically it will be used by SSH, but you can also use the Linux console. If SSH is not enabled, log onto the Operations Console, go to Administration > Operating System Access, put a check in Enable SSH, Save. and enable SSH. Login with rsaadmin and the Operating System Password. sudo su (it will ask for a password again, supply the operating system password again) cd /usr/sbin When you are ready to run the Packet capture, an example of running tcpdump is: ./tcpdump -i eth0 -s 1514 -Z root port 5500 (note, -Z is capitalized) This example will collect all traffic to or from the securid 5500 port (both udp and tcp) , and send it to the screen. Tcpdump is a third-party utility included with the appliance, it is NOT an RSA tool. There are various websites that give detailed instructions and information for other options used by the tcpdump utility, please see them to choose the appropriate options for troubleshooting your particular issue. A few common examples are below: ./tcpdump -i eth0 -s 1514 -Z root host 172.16.3.4 This example will show all traffic to or from IP Address 172.16.3.4 , and send a summary to the screen. ./tcpdump -i eth0 -s 1514 -Z root -w /tmp/cap1.cap This example will write a file in /tmp named cap1.cap, with details of the capture. This file can then be analyzed in detail using a third-party tool such as Wireshark, or sent to an RSA Engineer for analysis. Typically you will need to change permissions on the file using something similar to: chmod 777 cap1.cap and then use a third-party secure copy program such as WinSCP to copy it off of the appliance. |
| Notes | keywords: tcpdump packet capture wireshark pcap sniffer trace |
| Legacy Article ID | a63468 |