Ayush_tachyon

Pinned topic Issues with PCAP Software Installation

‏2016-07-03T20:52:15Z | installation issues pcap qradar

Hello,

 

I am trying to install IBM QRadar Packet Capture as software (http://www.ibm.com/support/knowledgecenter/SS42VS_7.2.7/com.ibm.qradar.doc/t_qif_pac_sw_inst.html).

 

I am using the exact version of the OS (RHEL 6.5) and I have now done the installation several times just to make sure that there is no mistake while performing the steps (although it requires formatting the server all over again).  

 

During the installation, I get the following error:
rpm: /usr/lib64/libnssutil3.so: version 'NSSUTIL_3.17.1' not found (required by /usr/lib64/libnss3.so)

 

Afterwards, it says that the installation is successful and I can access the UI; however, the packet capture functionality does not appear to work. Also, common commands such as rpm and ssh stop working after the installation and give the same error as above. The installer appears to be messing up some existing OS libraries. I had checked and these worked fine before the installation.

 

Has anyone come across this error? I am stumped at this point and appreciate any suggestions to resolve this issue.

 

Also, I can't find any documentation on how to troubleshoot issues with PCAP e.g. where can I find the PCAP logs, how to start/ stop the PCAP server. Appreciate if anyone can guide me to this documentation as it does not appear to exist on IBM sites.

 

Thanks in advance.

 

Best regards,

Ayush

  • JonathanPechtaIBM

    Re: Issues with PCAP Software Installation

    ‏2016-07-05T15:47:22Z  

    Ayush,

     

    There is a definite documentation for the PCAP installation process that has been identified. I'm being told that the new documentation will be available tomorrow (July 6th). I'll update this forum discussion when official documentation is available.

    Some of the expected changes that the new documentation will discuss:

    1. 24GB of memory is required, instead of 16GB as specified. 
    2. Red Hat 6.7, which might be the root cause of your issue if the missing rpm file/dependency is not in RHEL6.5
    3. Three partitions need to be created before installation:
      Virtual Drive   RAID Level   Size
      0               RAID1        128 GB
      1               RAID1        3597 GB
      2               RAID5        33527 GB
    4. There are also some BIOS settings that need to be configured by the user before installation.

     

    There is a known issue in the documentation and a change is being posted to resolve this issue very soon. I will update this post when that information is available. After the official documentation is posted, feel free to ask questions in the forum.

     

  • Ayush_tachyon

    Re: Issues with PCAP Software Installation

    ‏2016-07-07T13:17:47Z  


    Hi Jonathan,

     

    Thanks much for the clarification; I received similar advice from IBM Support. Yes, I understand that perhaps the disk space, RAM and BIOS requirements would be similar to the installation steps for IBM x3650 M4 or Dell server. I shall try out the PCAP setup with RHEL 6.7 and update this post.

     

    Best regards,

    Ayush

  • Ayush_tachyon

    Re: Issues with PCAP Software Installation

    ‏2016-07-11T14:12:48Z  

    Hi Jonathan!

    As recommended by IBM Support, I have installed RHEL 6.7 and then ran the PCAP installer, which I downloaded again as there was a newer version released on 28 June 2016. The installation runs and after the port details it asks for the RAID disk. When I provide the RAID disk (/dev/sdb in my case) it checks whether the size is greater than 4000GB. On verifying that it is 36000GB, it says that the disk will be checked and it runs the following command:

     

               dd if=/dev/zero of=/dev/sda bs=1m count=4000 2>&1 | grep MB | grep GB

     

    I think the system is trying to pad 0s to each MB of the 33TB drive. When I had run into this scenario previously using the old installer, it did not finish even after the process was running for 2 days. I was able to skip this with the previous installer if I entered some junk value, but this time I am not sure how long this process will take.

     

    Am I doing something wrong here? Is this expected behavior, because usually the installation process should not take so long?
    Appreciate any advice on this matter. 

     

    Thanks,
    Ayush

  • Ayush_tachyon

    Re: Issues with PCAP Software Installation

    ‏2016-09-22T13:21:16Z  

    I am not sure about others' experience but I have been struggling with mere installation of the PCAP module for 3-4 months now despite a PMR! I am posting here to discuss some issues that I think are potentially bugs in the software version of the installer. Perhaps no one has ever used the software version of the PCAP software but the installation never completes.

     

    Following is a code snippet from a script called freshinstall.sh. When the script runs it asks me to specify the raid partition for the storage (it is so restrictive that the script exits if your storage is less than 4000GB). The script sets this value (4000GB) as the value for miniTest in this loop:

    while [ $i -le $miniTest ]
    do
        sleep 1
        echo "dd if=/dev/zero of=${raid} bs=1M count=$miniTestCount 2>&1 | grep MB | grep GB"
        diskSpeed="$( dd if=/dev/zero of=${raid} bs=1M count=$miniTestCount 2>&1 | grep MB | grep GB )"
        arr=(${diskSpeed})
        echo "${arr[7]} ${arr[8]}"
        if [ "${arr[7]}" != "" ];
            then
                if [ "${arr[8]}" == "GB/s" ];
                    then
                        total=$(awk "BEGIN {print $total + ${arr[7]}*1000; exit}");
                        totalNum=`expr $totalNum + 1`;
                    else
                        total=$(awk "BEGIN {print $total + ${arr[7]} ; exit}");
                        totalNum=`expr $totalNum + 1`;
                fi
            else
                continue
        fi
        i=`expr $i + 1`
    done

    Notice that there is a sleep of perhaps 1 ms but it actually takes about 1 sec for the loop and the value is printed. Therefore the loop will run for a minimum of 1.5 hrs. In my case it ran for more than 24 hrs before I quit out of frustration. They don't even mention that you must wait for 2 hours for the installation to continue. Has anyone else come across this during their installation or is it only me?

     

    Thanks,

    Ayush
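
Added example (not part of the thread and not IBM's installer code): a replay of the quoted loop's filter and field test on constructed dd summary lines, showing which lines advance the counter i and which reach `continue` with i unchanged. It assumes the GNU dd summary layout that the script's field indexes 7 and 8 imply and that i starts at 1; the sample lines and both function names are made up for illustration, and no dd is run.

```shell
#!/bin/sh
# Added example: replays the quoted loop's parsing on constructed dd summary
# lines. It never runs dd and touches no disk.

# Constructed samples: size unit and rate unit in each combination.
GB_SIZE_MBPS='4194304000 bytes (4.2 GB) copied, 12.5 s, 336 MB/s'
GB_SIZE_GBPS='4194304000 bytes (4.2 GB) copied, 3.5 s, 1.2 GB/s'
MB_SIZE_MBPS='104857600 bytes (105 MB) copied, 0.5 s, 210 MB/s'
MB_SIZE_GBPS='524288000 bytes (524 MB) copied, 0.4 s, 1.3 GB/s'

# Apply the script's filter and field test to one summary line. Prints
# "counted <MB/s>" where the loop would advance i, "skipped" where it would
# reach `continue` with i unchanged.
classify_dd_line() (
    filtered=$(printf '%s\n' "$1" | grep MB | grep GB) || filtered=''
    set -f              # no globbing during word splitting
    set -- $filtered    # $8 and $9 are ${arr[7]} and ${arr[8]}
    if [ -z "${8:-}" ]; then
        echo skipped
    elif [ "${9:-}" = "GB/s" ]; then
        echo "counted $(awk "BEGIN {print $8 * 1000; exit}")"
    else
        echo "counted $8"
    fi
)

# Replay the loop with every dd run returning line $1. Prints the number of
# runs needed for i to pass miniTest ($2), or "stuck" after $3 runs.
# Assumption: i starts at 1; the snippet does not show its initial value.
replay_loop() (
    i=1 runs=0
    while [ "$i" -le "$2" ]; do
        if [ "$runs" -ge "$3" ]; then echo stuck; exit 0; fi
        runs=$((runs + 1))
        if [ "$(classify_dd_line "$1")" = skipped ]; then
            continue    # as in the script: i is not advanced
        fi
        i=$((i + 1))
    done
    echo "$runs"
)

for line in "$GB_SIZE_MBPS" "$GB_SIZE_GBPS" "$MB_SIZE_MBPS" "$MB_SIZE_GBPS"; do
    printf '%-8s <- %s\n' "$(classify_dd_line "$line" | cut -d' ' -f1)" "$line"
done
```

A line passes both greps only when the size and the rate are printed in different units, so a summary reporting GB written at GB/s, or MB at MB/s, never increments i.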