How to capture packets (pcap) using SilverTap for RSA Web Threat Detection
RSA Product Set: Web Threat Detection, Silver Tail
RSA Product/Service Type: Forensics, SilverTap
RSA Version/Condition: All
The SilverTap section of Configuration Manager has several options for packet capture. They fall under three main headings: Trace, Capture and Debug.
Trace: a specialized form of pcap in which packets are captured only for sessions that contain specific strings. Tracing can be used to explore network traffic at a low level or to investigate problems with the tap service, and is especially useful during initial installation and configuration. Trace has the following options:
enabled: Whether tracing is enabled. Since tracing can expose sensitive information (the trace pcap files hold the raw request and response bytes of the matched sessions, including any credentials or session tokens carried in them), leave tracing disabled in normal operation.
pcapDirPath: e.g. /path/to/pcap/files/produced/by/tracing. When tracing is enabled, a pcap file is generated for each session that matches the trace filter criteria; this setting controls the file system location where those files are written. Because the files hold raw traffic, restrict the directory so that only the tap service account and the people doing the investigation can read it, and delete the files once the investigation is over.
numTraces: Sets the initial number of sessions to be traced when tap starts. This value can also be controlled interactively from the /trace page.
numErrorTraces: Sets the initial number of sessions with errors to be traced when tap starts. This value can also be controlled interactively from the /trace page.
logSubstring: Specifies a string that a log entry must contain for a session to be considered desirable during tracing. This takes effect as soon as the tap service starts. This value can also be controlled interactively from the /trace page.
Capture: controls the creation of a ring buffer of pcap (packet capture) files.
enabled: Setting this flag enables packet capture as defined in this section.
base: e.g. base. Base name of the files that comprise the ring buffer. For example, if this is 'base' (which is the default), the ring files are named base_0.pcap, base_1.pcap, and so on.
numFiles: e.g. 10. Maximum number of pcap files in the ring buffer. Once all files have been written, the oldest is overwritten.
fileDurationSecs: e.g. 60. Each capture file in the ring buffer holds this many seconds of traffic. The default is 60. Together with numFiles this sets the retention window: with 10 files of 60 seconds each, traffic older than about 10 minutes is gone, so the buffer must be copied out promptly after an incident of interest.
Debug: various debugging features.
exitAfterKPackets: Exits after this many Kpackets. Default is to never exit.
shardByPort: Enables worker thread sharding to consider client and server port. This is only advisable in certain testing situations, since it can cause SSL session cache misses when cohorts using SSL session resume are processed.
options: List of debug options. The interpretation of this field may change across versions of SilverTap.
packetBufferSize: e.g. 0, 10, 100. Number of packet headers that will be saved in each TCP stream object. These make it easier to debug SilverTap using GDB and are used in the output of certain asserts. This option is very expensive and should only be used at the direction of RSA WTD Customer Support.
sslCacheSweepInterval: e.g. 60. Time in seconds between sweeps that remove expired and evicted entries from the SSL session cache.
Note that everything above can also be done from the command line; see the options below. For example:
/var/opt/silvertail/bin/silvertap -f /var/opt/silvertail/etc/conf.d/SilverTap-wtd503/SilverTap-wtd503.conf -w testcap
For quick modification and testing, copy the SilverTap-*.conf file, edit the copy, and pass it with the -f switch as above.
-f --conf=<FILE> Specify a conf file.
-S --shard=<SHARD> Overrides <program shard="x"> in the conf file.
-l --license-file=<FILE> Specify a license file. The default is derived from the conf file by replacing .conf with .license.
-d --device=<ETH> The ethernet device to sniff. Defaults to eth0.
-D --dump-file=<FILE> Read traffic from a pcap dump file instead of a live interface, or '-' to read from stdin. Overrides -d.
-p --ports=<PORT>[,<PORT>] The destination ports to sniff. Defaults to 80.
-i --stats-interval=<INT> The interval between performance stats sent to syslog. Defaults to 60.
-x --exit-after-kpackets=<INT> Exit after this many Kpackets. Defaults to never exit.
-z --debug-opt=<OPTION> Provide a debugging option.
-b --batch-limit=<INT> Specify batch limit size. Use -b 1 for low volume testing.
-y --facility=<STRING> The syslog facility to use. Implies -s. Good facility choices: user, local0, local1, ... local7. Unrecognized facility names are silently treated as 'user'.
-s --syslog Log to syslog.
-I --reincarnate Restart after exceeding memory limit.
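The following script is an added example, not part of the RSA article or of the SilverTap product, showing how the options above combine for an offline test run: a scratch copy of the conf file is fed to silvertap with -f, the licence is passed explicitly with -l (derived the same way as the documented default, by replacing .conf with .license), and traffic comes from a recorded pcap via -D rather than from eth0, with -b 1, -x and -s set so the run is small, bounded and visible in syslog. All paths and the SILVERTAP, CONF and DUMP variables are assumptions that can be overridden from the environment; the script only runs silvertap when SILVERTAP_REPLAY_RUN=1 is set.

```shell
#!/bin/sh
# Added example (not RSA/SilverTap code): replay a recorded pcap through a
# test copy of the SilverTap conf instead of sniffing the live interface.
# Assumed default locations; override from the environment if they differ.
SILVERTAP="${SILVERTAP:-/var/opt/silvertail/bin/silvertap}"
CONF="${CONF:-/var/opt/silvertail/etc/conf.d/SilverTap-wtd503/SilverTap-wtd503.conf}"
DUMP="${DUMP:-/tmp/testcap.pcap}"

# Mirror the documented -l default: the licence path is the conf path with
# .conf replaced by .license. Refuse anything that is not a .conf file so a
# typo in CONF is caught here rather than as a confusing licence error.
license_for_conf() {
    case "$1" in
        *.conf) printf '%s\n' "${1%.conf}.license" ;;
        *) echo "expected a .conf file, got: $1" >&2; return 1 ;;
    esac
}

# Assemble the command line for a bounded offline run:
#   -f test conf copy        -l licence of the original conf
#   -D replay this pcap (overrides -d, so no live sniffing)
#   -p destination ports     -b 1 small batches for low-volume test traffic
#   -x stop after N thousand packets so a test run cannot hang
#   -s log to syslog so the -i stats lines can be followed there
build_cmd() {
    test_conf="$1"; lic="$2"; dump="$3"; ports="${4:-80,443}"; kpackets="${5:-10}"
    printf '%s -f %s -l %s -D %s -p %s -b 1 -x %s -s\n' \
        "$SILVERTAP" "$test_conf" "$lic" "$dump" "$ports" "$kpackets"
}

main() {
    [ -x "$SILVERTAP" ] || { echo "silvertap not found at $SILVERTAP" >&2; exit 1; }
    [ -r "$CONF" ]      || { echo "conf not readable: $CONF" >&2; exit 1; }
    [ -r "$DUMP" ]      || { echo "dump not readable: $DUMP" >&2; exit 1; }
    lic="$(license_for_conf "$CONF")" || exit 1
    [ -r "$lic" ] || { echo "licence not readable: $lic" >&2; exit 1; }

    # The conf copy and any pcap written during the run can hold sensitive
    # data, so create them unreadable to other users.
    umask 077
    test_conf="$(mktemp /tmp/SilverTap-test.XXXXXX.conf)" || exit 1
    cp "$CONF" "$test_conf" || exit 1
    # Edit "$test_conf" here (for example enable Capture) before the run.

    cmd="$(build_cmd "$test_conf" "$lic" "$DUMP" 80,443 10)" || exit 1
    echo "running: $cmd"
    # Paths are assumed to contain no whitespace; eval splits on words.
    eval "$cmd"
}

if [ "${SILVERTAP_REPLAY_RUN:-0}" = 1 ]; then
    main "$@"
fi
```

To test a configuration change, edit the scratch copy between the cp and the build_cmd call (or pass a pre-edited copy), then run with SILVERTAP_REPLAY_RUN=1 and watch the syslog facility set in the conf or with -y for the stats and any asserts; because -D is used, the production interface is never opened and the bounded -x value guarantees the process exits.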