ViktorI

Pinned topic Installation of QRadar Packet Capture 7.2.5 (Capture NIC requirements)

‏2015-10-28T13:32:55Z | nic

Hi,

I have installed QRadar Packet Capture 7.2.5 on my own server. The server is an IBM System X, and has all the necessary requirements, except for the quad port Intel card (Intel E1G44ET2BLK).

The server is running but I can't start a capture on any port. The server is intended for test purposes, and the traffic that it will capture will be of low volume.

Is this card (Intel E1G44ET2BLK) mandatory? The card that I use is an on-board Intel I350, and it supports igb_uio.

 

Regards.

  • TSilliman

    Re: Installation of QRadar Packet Capture 7.2.5 (Capture NIC requirements)

    ‏2015-10-29T21:28:17Z  

    Hello,

     

    Let me look to see what the possibilities are for using the on-board NIC to test your system.  I know that by default the Intel NIC cannot be bound to an eth# interface because the processes bind directly during their start-up procedure.  I believe that it is expecting to bind to interface 0. Also, which file did you download to install as it must be the proper software version to work?

     

    Thanks - Tom

  • ViktorI

    Re: Installation of QRadar Packet Capture 7.2.5 (Capture NIC requirements)

    ‏2015-10-30T08:37:32Z  

    Thomas,

     

    I've followed the IBM manual. I've installed a new RHEL 6.5 installation. I've installed the packet capture software from RHE664PacketCapture7_2_5_229SW.sfs.

    After installation packet capture didn't work, so I've tried a manual bind with "/usr/local/nc/bin/dpdk_nic_bind.py", then changed the "/usr/local/nc/bin/startup_cmds.sh" script so it can reflect my environment. At last I have reinstalled the OS and made changes in "installer.sh". I saw that the Intel E1G44ET2BLK is explicitly defined, so I made changes so I can use my card.

    Now I have the first 2 ports of my Intel I350 card bound at startup (/usr/local/nc/bin/dpdk_nic_bind.py --status). And of course I can't use them as "normal" ports.

    I should mention that I've tried with Intel PRO and Broadcom NetXtreme II cards with no success.

     

    So can you help me to get it to work with another card which is DPDK compatible? As I mentioned, the system is for testing purposes. It is a standalone Incident Forensics + Packet Capture. If we decide to implement it as a production environment, a dedicated appliance will be considered at first.

     

    Thanks.

  • TSilliman

    Re: Installation of QRadar Packet Capture 7.2.5 (Capture NIC requirements)

    ‏2015-11-02T21:54:09Z  
    Hello,

     

    I am looking into whether this card is a requirement or what the workaround might be.

     

    Thanks - Tom