RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
This article reviews how to run tcpdump for troubleshooting authentication issues for Authentication Manager 8.x.
Authentication Manager includes the tcpdump utility in /usr/sbin. You must be logged in as root to run the commands.
1. Open an SSH session or connect directly to the Authentication Manager primary server.
   If SSH is not enabled, log on to the Operations Console and go to Administration > Operating System Access. Check the option to Enable SSH and click Save.
2. Log in as the rsaadmin user with the operating system password.
   Note that during Quick Setup another username may have been selected. Use that username to log in.
3. Elevate privileges to root, using the same operating system password used in step 2.
4. Navigate to /usr/sbin.
5. Run the following command, which collects all traffic to or from the default SecurID port of 5500 (both UDP and TCP) and sends the output to the screen. Note that the Z is capitalized:
./tcpdump -i eth0 -s 1514 -Z root port 5500
Tcpdump is a third-party utility included with the appliance; it is not an RSA tool. Various websites give detailed instructions and information on the other options that tcpdump supports. Refer to them to choose the appropriate options for troubleshooting your particular issue.
A few common examples of tcpdump
- Show all traffic to or from IP address 172.16.3.4 and send a summary to the screen:
./tcpdump -i eth0 -s 1514 -Z root host 172.16.3.4
- Write a file in /tmp named capture.pcap, with details of the capture. This file can then be analyzed in detail using a third-party tool such as Wireshark, or sent to RSA customer support for analysis.
./tcpdump -i eth0 -s 1514 -Z root -w /tmp/capture.pcap
- Change permissions on the file using something similar to the command shown here:
chmod 777 /tmp/capture.pcap
- Use a third-party secure copy program such as WinSCP or FileZilla to copy it off the appliance.
For a more granular command that limits traffic captured to two IP addresses, use the following command. This approach allows you to monitor network traffic in real time and also keep a record for future investigation.
tcpdump -i eth0 -n -s 0 -w - -U "((host <IP address> or host <IP address>))" | tee /tmp/capture<date>.pcap | tcpdump -r - -n
Where:
- -i eth0: Specifies the network interface to capture packets from (in this case, eth0).
- -n: Prevents DNS resolution, displaying IP addresses instead of hostnames.
- -s 0: Captures the entire packet, not just the default snap length.
- -w -: Writes the output in pcap format to standard output (stdout) instead of a file.
- -U: Writes each packet to the output immediately as it arrives (unbuffered).
- "((host <IP address> or host <IP address>))": Filters the capture to only include traffic to or from the specified IP addresses.
- tee: Duplicates the output stream, saving a copy to /tmp/capture<date>.pcap and passing the same data to the next command in the pipeline.
- tcpdump -r -: Reads pcap data from standard input (the output of the previous command).
- -n: Prevents DNS resolution for the displayed output.
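To triage a saved capture offline, the following added example (not RSA code and not part of the original article) reads a classic pcap file such as the ones written above and lists clients that sent packets to port 5500 but received nothing back. It assumes an Ethernet capture and that clients initiate toward port 5500; the function names, the hosts 172.16.3.7 and 172.16.3.10, and the sample packets are constructed for illustration.

```python
import struct
from collections import defaultdict

def port_summary(pcap: bytes, port: int = 5500) -> dict:
    """Per client IP: packets sent to `port` and packets received back from it."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
              b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    stats = defaultdict(lambda: {"requests": 0, "replies": 0})
    pos = 24                      # first record follows the 24-byte file header
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[pos + 8:pos + 12])[0]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue              # truncated record or not IPv4
        ihl = (frame[14] & 0x0F) * 4
        frag_offset = struct.unpack("!H", frame[20:22])[0] & 0x1FFF
        l4 = frame[14 + ihl:14 + ihl + 4]
        if frame[23] not in (6, 17) or frag_offset or len(l4) < 4:
            continue              # not TCP/UDP, or no L4 header in this fragment
        sport, dport = struct.unpack("!HH", l4)
        src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
        if dport == port:
            stats[src]["requests"] += 1
        elif sport == port:
            stats[dst]["replies"] += 1
    return dict(stats)

def unanswered(stats: dict) -> list:
    """Clients that sent traffic to the port but never received anything back."""
    return sorted(ip for ip, s in stats.items() if s["requests"] and not s["replies"])

def _udp(src, dst, sport, dport) -> bytes:  # constructed sample pcap record
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0, bytes(src), bytes(dst))
    data = b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HHHH", sport, dport, 8, 0)
    return struct.pack("<IIII", 0, 0, len(data), len(data)) + data

A, B, SRV = (172, 16, 3, 4), (172, 16, 3, 7), (172, 16, 3, 10)  # constructed hosts
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
    _udp(A, SRV, 40001, 5500), _udp(SRV, A, 5500, 40001),   # answered
    _udp(B, SRV, 40002, 5500), _udp(B, SRV, 40002, 5500),   # retried, no reply
    _udp(B, SRV, 40003, 53)])                               # unrelated traffic

if __name__ == "__main__":
    print(unanswered(port_summary(SAMPLE)))
```

To run it on a real capture, pass the file's bytes, for example `port_summary(open("/tmp/capture.pcap", "rb").read())`.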