Verify that the QRadar Network Packet Capture appliance is working

Check the user interface, or view the SmartNIC LEDs on the back of the appliance to verify that the appliance is functioning correctly.

If you are checking the LEDs, see Troubleshooting with external LEDs for more information.

Capture port verification

On the Dashboard tab in the Unit View widget, check the SmartNIC health data. The link status is shown, as well as the link speed for each port that is functioning.
Note: Link status and health of the system are visible even though data capture has not been started. This information is also available in the SMARTNIC Setup widget on the Admin tab.

Time Sync Verification

You can verify the time synchronization source and status in the SYSLOGS widget on the Admin tab. If there are issues, multiple messages might appear in the syslog entries; for example, if there are issues with the lock status of the SmartNIC.

Two types of messages

Two types of messages are logged as shown in the following examples:

  • A general entry, whenever the time synchronization source changes, or when the SmartNIC obtains or releases a lock against the time source.
  • A PTP entry, containing more detailed information about the exact status, if synchronizing against a PTP primary.

General Entry

Here is the syntax for a general entry:

Adapter < number > time-sync status:
In-Sync: < Yes | No >
Current time-sync reference: < OsTime | PTP >
Skew (ns): < number >
Clock rate adjustment (ns): < number >
Clock Hard Reset: < Yes | No >

Here is an example of a general entry:

Adapter 0 time-sync status:
In-Sync: Yes
Current time-sync reference: OsTime
Skew (ns): -1
Clock rate adjustment (ns): 503
Clock Hard Reset: No

PTP Entry

When an adapter is in PTP mode, there is an additional log entry that contains PTP relevant information. Here is the syntax for a PTP entry:

Adapter < number > PTP time-sync status:
PTP Time: "--" | < PTP clock time > [ "(TAI)" ]
Port: < IPv4_address > | < IPv6_address > | "IEEE 802.3"
Link Status: < Down | 10M | 100M >
IPv4 Subnet Mask: < IPv4_address >
IPv4 Gateway: < IPv4_address >
DHCP Enabled: "Yes" | "No"
Profile Id: < six_times_2_hex digits >
Profile: < Default | Telecom | Power >
Clock Id: < six_times_2_hex digits >
Domain: < number > | "--"
VLAN: < number >
Delay Mechanism: "E2E", "P2P", "N/A"
PTP Filter: "Min", "PDV", "None", "N/A"
DelayAssemetry: < number >
Clock State: "Faulty" | "INACTIVE" | "SLAVE" | "--"
Mean Path Delay: <number>
GM Clock Identity: < 16_hex_digits >

Here is an example of a PTP entry:

Adapter 0 time-sync status:
Adapter 0 PTP time-sync status:
PTP Time: Thu 26-May-2016 12:44:03.123456789 (TAI)
Port: 192.168.3.77
Link Status: 100M
IPv4 Subnet Mask: 192.168.3.0
IPv4 Gateway: 192.168.3.1
DHCP Enabled: Yes
Profile Id: 00:1b:19:00:01:00
Profile: Default
Clock Id: 00:0d:e9:03:a2:aa
Domain: 0
VLAN: 0
Delay Mechanism: E2E
PTP Filter: None
Delay Assemetry: 0
Clock State: SLAVE
Mean Path Delay: 0
GM Clock Identity: 000de9fffe03a2aa
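
The following Python example is added here and is not part of the product documentation. It parses general and PTP entries in the format shown above and reports adapters whose time-sync state makes capture timestamps unreliable for correlation. The sample text, the 1000 ns skew threshold, and the assumption that syslog prefixes are already stripped are constructed for illustration.

```python
import re

# Constructed sample in the documented format, syslog prefixes already stripped.
SAMPLE = """\
Adapter 0 time-sync status:
In-Sync: Yes
Current time-sync reference: OsTime
Skew (ns): -1
Clock rate adjustment (ns): 503
Clock Hard Reset: No
Adapter 1 time-sync status:
In-Sync: No
Current time-sync reference: PTP
Skew (ns): 48211
Clock rate adjustment (ns): 0
Clock Hard Reset: Yes
Adapter 1 PTP time-sync status:
Link Status: Down
Clock State: Faulty
"""

HEADER = re.compile(r"^Adapter (\d+) (PTP )?time-sync status:$")

def parse_entries(text):
    """Split log text into entries: adapter number, kind (general/ptp), fields."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line)
        if m:
            kind = "ptp" if m.group(2) else "general"
            entries.append({"adapter": int(m.group(1)), "kind": kind, "fields": {}})
        elif entries and ": " in line:
            key, value = line.split(": ", 1)  # values such as Profile Id contain ':'
            entries[-1]["fields"][key] = value.strip()
    return entries

# Field values treated as unhealthy (this choice of checks is an assumption).
BAD = (("In-Sync", "No"), ("Clock Hard Reset", "Yes"),
       ("Clock State", "Faulty"), ("Link Status", "Down"))

def findings(entries, max_skew_ns=1000):  # threshold is an assumed value
    """Return (adapter, reason) pairs for states that make timestamps suspect."""
    out = []
    for e in entries:
        f, a = e["fields"], e["adapter"]
        out += [(a, "%s: %s" % kv) for kv in BAD if f.get(kv[0]) == kv[1]]
        skew = f.get("Skew (ns)", "")
        if re.fullmatch(r"-?\d+", skew) and abs(int(skew)) > max_skew_ns:
            out.append((a, "Skew (ns): " + skew))
    return out
```

Calling `findings(parse_entries(SAMPLE))` returns only entries for adapter 1; adapter 0, which is in sync with a skew of -1 ns, produces none.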