SystemAdmin
SystemAdmin
483 Posts

Pinned topic Add inspection engine and capture local and network traffic

‏2012-12-17T10:35:18Z |
Hi,

Can someone please suggest how I can add an inspection engine in order to capture local and network traffic?
I have already installed S-TAP with the following properties in the guard_tap.ini file.
tap_ip=database_server_ip
sqlguard_ip=Guardium_server_ip
tee_installed=1
ktap_installed=0
firewall_installed=0

I am able to see S-TAP reporting on the Guardium admin console in the running state.
Updated on 2012-12-18T15:02:13Z at 2012-12-18T15:02:13Z by SystemAdmin
  • SystemAdmin
    SystemAdmin
    483 Posts

    Re: Add inspection engine and capture local and network traffic

    ‏2012-12-17T13:20:53Z  
    Hi Shyamal,

    In Unix, for monitoring network traffic, the parameter "tee_installed" in guard_tap.ini should be set to zero and the "ktap_installed" parameter should be set to 1, which will handle local traffic.
  • SystemAdmin
    SystemAdmin
    483 Posts

    Re: Add inspection engine and capture local and network traffic

    ‏2012-12-17T16:26:13Z  
    Hi,

    The previous answer is for the situation when K-TAP is used.

    The value of the "tee_installed" parameter in guard_tap.ini can be specified as:
    tee_installed
    ; Monitor via the TEE: 0=NO, 1=YES.
    ; Use zero to monitor network traffic only (ktap_installed=1 will handle local traffic).
  • SystemAdmin
    SystemAdmin
    483 Posts

    Re: Add inspection engine and capture local and network traffic

    ‏2012-12-18T05:20:22Z  
    Hi Abhinav,

    Thanks for your reply.

    I am installing S-TAP on Oracle Database hosted on AIX 6.1 64-bit.
    If I summarize both of your posts above, do you mean that:
    1. If local traffic needs to be monitored, K-TAP should be installed (i.e. ktap_installed=1 and tee_installed=0)
    2. If network traffic needs to be monitored, tee_TAP should be installed (i.e. ktap_installed=0 and tee_installed=1)

    Correct me if I am wrong.

    Thanks
    Shyamal Dave.
  • SystemAdmin
    SystemAdmin
    483 Posts

    Re: Add inspection engine and capture local and network traffic

    ‏2012-12-18T15:02:13Z  
    Hi, the answer is NO. If you use KTAP then you don't need TEE. To capture network traffic, you just need to specify the Client IP as 0.0.0.0 / 0.0.0.0 in the S-TAP Control. For Oracle, use the $ORACLE_HOME or check the actual path in the listener.ora and put it in Install Dir. For Process name, just use the path for Install Dir and continue with "/bin/oracle".

    All the best.
  • thengkl
    thengkl
    1 Post

    Re: Add inspection engine and capture local and network traffic

    ‏2013-08-23T03:23:46Z  
    Hi,

    May I know what TEE monitoring is for? Can't we use K-TAP and TEE together?

  • 1XWY_TS_Teh
    1XWY_TS_Teh
    222 Posts

    Re: Add inspection engine and capture local and network traffic

    ‏2013-08-23T13:51:08Z  
    TEE is the old method from before KTAP was available. You can only use one or the other. Actually, we are no longer using TEE, so you can just ignore it.
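
The check below is an added example, not part of any post in this thread and not IBM's code: it reads guard_tap.ini-style text and reports which of the two flags discussed above is enabled, so a host with both or neither set can be spotted before troubleshooting an inspection engine. The function names and the sample text are assumptions; only the key names come from the thread, and treating a missing key as 0 is also an assumption.

```python
# Constructed sample: the settings posted in the question, placeholders kept as-is.
SAMPLE_INI = """\
; constructed sample, not taken from a real host
tap_ip=database_server_ip
sqlguard_ip=Guardium_server_ip
tee_installed=1
ktap_installed=0
firewall_installed=0
"""


def parse_ini(text):
    """Return {key: value} from key=value lines.

    Lines starting with ';' (comments) or '[' (section headers, tolerated
    if present) are skipped; keys are lower-cased.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "[")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip()
    return settings


def capture_mode(settings):
    """Return 'K-TAP', 'TEE', 'both' or 'neither' from the two flags."""
    enabled = {}
    for name in ("ktap_installed", "tee_installed"):
        value = settings.get(name, "0")  # assumption: missing key means 0
        if value not in ("0", "1"):
            raise ValueError(f"{name} must be 0 or 1, got {value!r}")
        enabled[name] = value == "1"
    if enabled["ktap_installed"] and enabled["tee_installed"]:
        return "both"  # the last reply says only one of the two is used
    if enabled["ktap_installed"]:
        return "K-TAP"
    if enabled["tee_installed"]:
        return "TEE"
    return "neither"


if __name__ == "__main__":
    print(capture_mode(parse_ini(SAMPLE_INI)))
```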