IBM Support

Capturing network traffic on QRadar Network Security sensors

Question & Answer


Question

How do you capture traffic that is passing through the protection and management interfaces of a QRadar Network Security (XGS) sensor?

Answer

 
The 5.3 firmware release for the XGS sensor added the ability to gather packet captures on the appliance. This article describes how you can configure the limits for packet captures along with how to create captures for the different interface types present on the sensor.
 

Packet capture tuning parameters

The following tuning parameters can be added to the sensor to modify its default behavior in regard to packet capture size and time limitations.

Description: Sets the maximum file count for capture files.
Default: 10000
Minimum: 10
Maximum: 20000

Name: pktcap.file.maxsize
Description: Sets the maximum individual capture file size in bytes.
Default: 5000000
Minimum: 1000000
Maximum: 500000000

Name: pktcap.file.timeout
Description: Sets the maximum capture timeout period in seconds.
Default: 120
Minimum: 0
Maximum: 86400

Name: pktcap.diskspace.percent
Description: Sets the maximum allowed disk space utilization in percent of total disk space.
Default: 4
Minimum: 1
Maximum: 20

Name: pktcap.alpsd.interval
Description: Sets the period in seconds for monitoring capture timeout.
Default: 60
Minimum: 1
Maximum: 3600

After configuring the parameters, use the following instructions to verify that your settings were accepted by the appliance.

  1. Log in to the XGS using the admin account via SSH connection.
  2. Navigate to the capture submenu by entering the following sequence of commands:

    tools
    capture
  3. Enter the following command:

    limits

Protection interface captures

The protection interfaces are used by the sensor to scan network traffic for security issues.

  1. Log in to the XGS using the admin account via SSH connection.
  2. Navigate to the pinterface submenu by entering the following sequence of commands:

    tools
    capture
    pinterface
  3. Run the show command to ensure that there are no filters applied. If any filters are present, enter the remove command to clear them. Once there are no filters, enter the add command to add a generic filter as shown below:

    xgs5100:pinterface> add
    Added Filter (id=1)

    xgs5100:pinterface> show
    Id Interface Saddr Sport Daddr Dport Vlan Proto eType
    1 any any any any any any any any

    Notes:
    • It is highly recommended to add a more specific filter than the basic example listed above.
    • To capture traffic from a specific IP address, use ifname X.X src host x.x.x.x, where X.X is the interface and x.x.x.x is the source IP address.
    • To capture traffic on a specific interface, use the ifname X.X filter. For example, to capture traffic only on interface 1.3, enter add ifname 1.3 for your filter.
    • Enter the starthelp command for detailed usage information on protection interface filtering and capture.
    • If an additional filter is added (id=2, for example) and you then delete filter 1 (id=1), the capture will fail to record any traffic. Filter 1 (id=1) must be present for the capture to function.
  4. Start the packet capture by entering the start command. The capture runs until it reaches one of the pre-defined limits described in the "Packet capture tuning parameters" section of this article.

    If you want the capture to run for a set time and then stop, include the -T option, specifying the time interval in seconds (minimum: 60). The capture then continues for the specified amount of time, or until the maximum file size (default: 5 MB) is reached. If the time interval is not set, the capture continues until it is stopped manually or until it reaches one of the other defined capture limits.

    If you want to capture more than the pre-defined file size of traffic, include the -C, -W, and -w options, specifying the maximum file size in MB, the maximum number of files (a value between 1 and 10), and the base file name.

    Example: To gather a capture for 60 seconds, with a maximum of ten 20 MB files, enter the following command:

    start -T 60 -C 20 -W 10 -w test.pcap

    Important: Packet captures can grow very large when capturing high-volume network segments.
  5. Replicate the issue that you are trying to capture.
  6. Stop the capture manually with the stop command, or wait for it to reach your configured time limit.
  7. Download the captures from the XGS sensor.
    • To download the captures to a connected USB device, enter the back command to return to the capture menu and then enter the download command.
    • To download the packet capture files from the Local Management Interface (LMI), go to Manage System Settings > System Settings > Packet Captures.
  8. Add the capture file(s) to a compressed file. Send the compressed file containing the capture files to IBM Support using Enhanced Customer Data Repository (ECuRep).

Management interface captures

The management interfaces are used by the sensor to give users access to the Local Management Interface (LMI) and to communicate with the SiteProtector management software when the sensor is registered there.

  1. Log in to the XGS using the admin account via SSH connection.
  2. Navigate to the minterface submenu by entering the following sequence of commands:

    tools
    capture
    minterface
  3. Use the tcpdump command to run the capture on the system.

    Example: To capture traffic to and from the 198.168.1.2 address on the M.1 interface and save it to a file named mcapture.cap, enter:

    tcpdump -i M.1 -n host 198.168.1.2 -w mcapture.cap

    Note: You can review detailed usage instructions for the command by entering tcpdumphelp.
  4. Replicate the issue that you are trying to capture.
  5. Press Ctrl+C to stop the capture.
  6. Download the captures from the XGS sensor.
    • To download the captures to a connected USB device, enter the back command to return to the capture menu and then enter the download command.
    • To download the packet capture files from the Local Management Interface (LMI), go to Manage System Settings > System Settings > Packet Captures.
  7. Add the capture file(s) to a compressed file. Send the compressed file containing the capture files to IBM Support using Enhanced Customer Data Repository (ECuRep).
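The following Python helper is an added example, not part of the IBM article or the XGS firmware. It renders the protection-interface start options (-T, -C, -W, -w) from step 4 and checks a planned capture against the constraints the article states (minimum -T of 60 seconds, -W between 1 and 10, and the pktcap.file.maxsize and pktcap.diskspace.percent defaults); the total disk size is an assumed value supplied by the caller, and treating the percent limit as a per-capture budget is a simplification.

```python
from dataclasses import dataclass
from typing import Optional

MB = 1_000_000  # pktcap.file.maxsize is given in bytes; -C is treated as 10^6-byte MB (assumption)

# Defaults quoted in the "Packet capture tuning parameters" section of the article.
DEFAULT_LIMITS = {
    "pktcap.file.maxsize": 5_000_000,   # bytes per capture file
    "pktcap.diskspace.percent": 4,      # percent of total disk the captures may use
}

@dataclass
class CapturePlan:
    seconds: Optional[int] = None     # -T: run time in seconds, minimum 60; None = until stopped
    file_mb: Optional[int] = None     # -C: maximum size of each file in MB
    file_count: Optional[int] = None  # -W: maximum number of files, 1..10
    filename: Optional[str] = None    # -w: base file name

def build_command(plan: CapturePlan) -> str:
    """Render the plan as the start line typed at the pinterface prompt."""
    parts = ["start"]
    for flag, value in (("-T", plan.seconds), ("-C", plan.file_mb),
                        ("-W", plan.file_count), ("-w", plan.filename)):
        if value is not None:
            parts += [flag, str(value)]
    return " ".join(parts)

def worst_case_bytes(plan: CapturePlan, limits=DEFAULT_LIMITS) -> int:
    """Most disk the capture can use: the rotated file set, or one file capped by pktcap.file.maxsize."""
    if plan.file_mb is not None and plan.file_count is not None:
        return plan.file_mb * MB * plan.file_count
    return limits["pktcap.file.maxsize"]

def check_plan(plan: CapturePlan, disk_bytes: int, limits=DEFAULT_LIMITS) -> list:
    """Return the problems with a plan; an empty list means it fits the article's constraints."""
    problems = []
    if plan.seconds is not None and plan.seconds < 60:
        problems.append("-T must be at least 60 seconds")
    rotation = (plan.file_mb, plan.file_count, plan.filename)
    if any(v is not None for v in rotation) and None in rotation:
        problems.append("-C, -W and -w must be given together")
    if plan.file_count is not None and not 1 <= plan.file_count <= 10:
        problems.append("-W must be between 1 and 10")
    # Assumed disk size (disk_bytes) times pktcap.diskspace.percent gives the capture budget.
    budget = disk_bytes * limits["pktcap.diskspace.percent"] // 100
    if worst_case_bytes(plan, limits) > budget:
        problems.append(f"worst case {worst_case_bytes(plan, limits)} bytes exceeds the {budget}-byte disk budget")
    return problems
```

Running check_plan on the article's example (ten 20 MB files) before typing the start command shows whether that 200 MB worst case fits inside the 4 percent disk budget on the assumed disk size.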


Document Information

Modified date:
20 September 2022

UID

swg21883213