This article reviews how to run tcpump for troubleshooting authentication issues for Authentication Manager 8.x.
Authentication Manager includes the tcpdump utility in /usr/sbin. You must be logged in as root to run the commands.
- Open an SSH session or connect directly to the Authentication Manager primary server.
If SSH is not enabled, log onto the Operations Console and go to Administration > Operating System Access. Check the option to Enable SSH and click Save.
- Login as the rsaadmin user with the operating system password.
Note that during Quick Setup another username may have been selected. Use that username to login.
- Elevate privileges to root, using the same operating system password used in step 2.
- Navigate to /usr/sbin.
- Run the following command that will collect all traffic to or from the default SecurID port of 5500 (both UDP and TCP) and send the output to the screen. Note that the Z is capitalized:
./tcpdump -i eth0 -s 1514 -Z root port 5500
Tcpdump is a third-party utility included with the appliance, it is not an RSA tool. There are various websites that give detailed instructions and information for other options used by the tcpdump utility. Please refer to them to choose the appropriate options for troubleshooting your particular issue.
A few common examples of tcpdump
- Show all traffic to or from IP address 172.16.3.4 and send a summary to the screen:
./tcpdump -i eth0 -s 1514 -Z root host 172.16.3.4
- Write a file in /tmp named cap1.cap, with details of the capture. This file can then be analyzed in detail using a third-party tool such as Wireshark, or sent to RSA customer support for analysis.
./tcpdump -i eth0 -s 1514 -Z root -w /tmp/capture.cap
Note that to copy the capture from the server, you will need to:
- Change permissions on the file using something similar to the command shown here:
chmod 777 capture.cap
- Use a third-party secure copy program such as WinSCP or FileZilla to copy it off the appliance.
