S-TAP Control: Inspection Engines

Understand the parameters in the Inspection Engines section of the S-TAP Control page.

Each inspection engine has a set of parameters. The parameters for each IE depend on the type of database.
Note: Inspection engines are created automatically. Do not change the parameter values unless instructed to do so by Technical Support.
Parameter Default value Description
Protocol   The type of data repository being monitored.
Instance Name   The name of the database instance on this server. Required when MS SQL Server uses encryption or Kerberos authentication. (MSSQLSERVER is the default instance name.)
Port range start   Starting port of the range specific to this database instance. Together with the port range end it defines the ports monitored for this instance. There is usually only a single port in the range. For a Kerberos inspection engine, set the start and end values to 88-88. If a range is used, do not include extra ports in it: S-TAP would otherwise spend resources analyzing traffic it does not need.
Port range end   Ending port of the range specific to this database instance.
Named Pipe   Specifies the named pipe used by MS SQL Server for local access. If a named pipe is used, but nothing is specified in this parameter, S-TAP attempts to retrieve the named pipe name from the registry.
KTAP DB Real Port 4100 Used only when the K-TAP monitoring mechanism is used. Identifies the database port to be monitored by the K-TAP mechanism.
Client Ip/Mask   Identifies the clients to be monitored, as a list of addresses in IP address/mask format: n.n.n.n/m.m.m.m. If an improper IP address/mask is entered, the S-TAP does not start. Valid values:
  • null=select all clients
  • 127.0.0.1/255.255.255.255=local traffic only
Client Ip/Mask (networks) and Exclude Client Ip/Mask (exclude networks) cannot both be specified for the same inspection engine.

If the IP address is the database server's own address and the mask is 255.255.255.255, only local traffic is monitored. An address/mask value of 1.1.1.1/0.0.0.0 monitors all clients, because a zero mask matches every address.

Exclude Client Ip/Mask   A list of client IP addresses and corresponding masks that are excluded from monitoring. Use it to monitor all clients except a particular client or subnet (or a collection of these). Client Ip/Mask (networks) and Exclude Client Ip/Mask (exclude networks) cannot both be specified for the same inspection engine.
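The scoping rules for Port range, Client Ip/Mask and Exclude Client Ip/Mask, as an added example in Python that is not part of this page or of Guardium's own code: it parses n.n.n.n/m.m.m.m entries, rejects malformed ones (the case in which the S-TAP refuses to start), enforces that networks and exclude networks are not both set, flags a Kerberos engine that is not on 88-88 or a range wider than one port, and decides whether a given client address is in scope. The InspectionEngine class and the function names are assumptions made for this illustration.

```python
"""Network scoping checks for a Guardium S-TAP inspection engine.

Added example, not Guardium's code: it models the rules stated on this page
for Port range start/end, Client Ip/Mask (networks) and Exclude Client Ip/Mask
(exclude networks).  InspectionEngine, validate_engine, is_client_monitored
and parse_ip_mask are names assumed for this illustration only.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List


def parse_ip_mask(entry: str) -> ipaddress.IPv4Network:
    """Parse one 'n.n.n.n/m.m.m.m' entry into an IPv4 network.

    Raises ValueError for anything that is not a dotted-quad address followed by
    a dotted-quad, contiguous netmask; on such an entry the S-TAP does not start.
    """
    addr, sep, mask = entry.strip().partition("/")
    if not sep:
        raise ValueError(f"{entry!r}: no mask, expected n.n.n.n/m.m.m.m")
    ipaddress.IPv4Address(addr)              # raises on a malformed address
    mask_addr = ipaddress.IPv4Address(mask)  # raises on a malformed mask
    # strict=False keeps host bits, so 1.1.1.1/0.0.0.0 becomes 0.0.0.0/0 (all
    # clients) and 127.0.0.1/255.255.255.255 becomes 127.0.0.1/32 (local only).
    # A non-contiguous mask such as 255.0.255.0 raises NetmaskValueError here.
    net = ipaddress.IPv4Network((addr, mask), strict=False)
    if net.netmask != mask_addr:
        # ipaddress silently accepts a host mask (0.0.0.255); treat it as improper.
        raise ValueError(f"{entry!r}: {mask} is not a netmask")
    return net


@dataclass
class InspectionEngine:
    protocol: str
    port_range_start: int
    port_range_end: int
    networks: List[str] = field(default_factory=list)          # Client Ip/Mask
    exclude_networks: List[str] = field(default_factory=list)  # Exclude Client Ip/Mask


def validate_engine(ie: InspectionEngine) -> List[str]:
    """Return the problems found; an empty list means the scoping is acceptable.

    Entries starting with 'warning:' are advisory (the page's note on wide port
    ranges); everything else would stop the S-TAP or is a misconfiguration.
    """
    problems: List[str] = []
    start, end = ie.port_range_start, ie.port_range_end
    if not (1 <= start <= 65535 and 1 <= end <= 65535):
        problems.append("port range start and end must be within 1..65535")
    elif end < start:
        problems.append("port range end is lower than port range start")
    elif ie.protocol.lower() == "kerberos" and (start, end) != (88, 88):
        problems.append("a Kerberos inspection engine should use port range 88-88")
    elif end > start:
        width = end - start + 1
        problems.append(f"warning: range covers {width} ports; S-TAP will analyze "
                        "traffic on every one of them, and a single port is usual")
    if ie.networks and ie.exclude_networks:
        problems.append("networks and exclude networks cannot be specified simultaneously")
    for entry in ie.networks + ie.exclude_networks:
        try:
            parse_ip_mask(entry)
        except ValueError as exc:
            problems.append(f"bad IP/mask entry: {exc}")
    return problems


def is_client_monitored(ie: InspectionEngine, client_ip: str) -> bool:
    """Decide whether traffic from client_ip falls inside this engine's scope.

    An empty (null) Client Ip/Mask list selects all clients; Exclude Client
    Ip/Mask carves addresses out of that all-clients default.
    """
    ip = ipaddress.IPv4Address(client_ip)
    if ie.networks:
        return any(ip in parse_ip_mask(e) for e in ie.networks)
    return not any(ip in parse_ip_mask(e) for e in ie.exclude_networks)


if __name__ == "__main__":
    # Constructed engines, not taken from any real guard_tap.ini.
    oracle = InspectionEngine("Oracle", 1521, 1521, networks=["10.0.0.0/255.255.0.0"])
    print(validate_engine(oracle), is_client_monitored(oracle, "10.0.5.9"))  # [] True
    mssql = InspectionEngine("MSSQL", 1433, 1433, networks=["10.0.0.0/255.0.255.0"])
    print(validate_engine(mssql))  # one 'bad IP/mask entry' problem: S-TAP would not start
```

Run it before committing a guard_tap.ini change: an entry that parse_ip_mask rejects is exactly the kind that leaves the S-TAP down rather than merely unscoped.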
TEE Listen Port-Real Port 12344 Deprecated. Replaced by the real_db_port parameter (KTAP DB Real Port) when the K-TAP monitoring mechanism is used.

Was required when the TEE monitoring mechanism was used. The Listen Port is the port on which S-TAP listens for and accepts local database traffic; the Real Port is the port to which S-TAP forwards that traffic.

Connect To Ip 127.0.0.1 IP address that S-TAP uses to connect to the database. Some databases accept local connections on 127.0.0.1, while others accept local connections only on the 'real' IP address of the machine and not on the default (127.0.0.1); this applies whether TEE or K-TAP is the monitoring mechanism. When K-TAP is enabled, this parameter is also used for Solaris zones and AIX WPARs, where it must be set to the zone IP address in order to capture traffic.

DB User  
DB Install Dir NULL DB2, Informix, or Oracle: the full path of the database installation directory, for example /home/oracle10. All other database types: NULL.
Process Name   The database's running executables that are to be monitored. For example, in guard_tap.ini a DB2 inspection engine would have TAP_DB_PROCESS_NAMES=DB2SYSCS.EXE.
DB2 Shared Mem. Adjust. 20 Required when DB2 is selected as the database type and shared memory connections are monitored. The offset to the server's portion of the shared memory area, that is, to the beginning of the DB2 shared memory packet. The value depends on the DB2 version: 32 in earlier versions, 80 in 8.2.1 and later.
DB2 Sh. Mem. Client Pos. 61440 Required when DB2 is selected as the database type and shared memory connections are monitored. The offset to the client's portion of the shared memory area, calculated as the DB2 database manager configuration value ASLHEAPSZ multiplied by 4096 (ASLHEAPSZ is expressed in 4 KB pages). To obtain it, run db2 get dbm cfg and look for the ASLHEAPSZ line. The value is typically 15, which yields the 61440 default; if it is not 15, multiply the value by 4096 to get the correct client offset.
DB2 Shared Mem. Size   DB2 shared memory segment size. Required when DB2 is selected as the database type and shared memory connections are monitored.
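The ASLHEAPSZ calculation for DB2 Sh. Mem. Client Pos., as an added example in Python that is not part of this page or of Guardium's own code: it extracts ASLHEAPSZ from saved db2 get dbm cfg output, multiplies it by the 4 KB page size the parameter is expressed in, and reports whether the engine's 61440 default still fits the instance. The sample output is constructed to mirror the "(ASLHEAPSZ) = value" line of the real command, and the function names are assumptions for this illustration.

```python
"""Derive the DB2 shared-memory client offset (DB2 Sh. Mem. Client Pos.) from
'db2 get dbm cfg' output.

Added example, not Guardium's code.  DB2 reports ASLHEAPSZ in 4 KB pages, which
is why the page's rule multiplies it by 4096.  SAMPLE_DBM_CFG is a constructed
excerpt mirroring the '... (ASLHEAPSZ) = value' line of db2 get dbm cfg; the
function names are assumptions for this illustration.
"""
import re

DB2_PAGE_SIZE = 4096
DEFAULT_CLIENT_POS = 61440          # ASLHEAPSZ = 15 pages, the engine's default

# Constructed excerpt of 'db2 get dbm cfg' output; the values are chosen for the example.
SAMPLE_DBM_CFG = """\
          Database Manager Configuration

     Node type = Enterprise Server Edition with local and remote clients

 Database manager configuration release level            = 0x0f00

 Application support layer heap size (4KB)   (ASLHEAPSZ) = 20
 Max requester I/O block size (bytes)         (RQRIOBLK) = 65535
"""

_ASLHEAPSZ_RE = re.compile(r"\(ASLHEAPSZ\)\s*=\s*(\d+)")


def aslheapsz_from_dbm_cfg(text: str) -> int:
    """Extract ASLHEAPSZ (in 4 KB pages) from db2 get dbm cfg output."""
    m = _ASLHEAPSZ_RE.search(text)
    if m is None:
        raise ValueError("ASLHEAPSZ not found; is this 'db2 get dbm cfg' output?")
    return int(m.group(1))


def db2_client_pos(text: str) -> int:
    """Client offset for the inspection engine: ASLHEAPSZ * 4096 bytes."""
    return aslheapsz_from_dbm_cfg(text) * DB2_PAGE_SIZE


def client_pos_needs_change(text: str) -> bool:
    """True when the engine's 61440 default does not match this instance."""
    return db2_client_pos(text) != DEFAULT_CLIENT_POS


if __name__ == "__main__":
    print(db2_client_pos(SAMPLE_DBM_CFG))            # 81920 for ASLHEAPSZ = 20
    print(client_pos_needs_change(SAMPLE_DBM_CFG))   # True: set the client offset to 81920
```

Feed it the output of db2 get dbm cfg captured on the database host as the instance owner; if it reports a change is needed, the engine's shared memory capture will miss client traffic until DB2 Sh. Mem. Client Pos. is updated.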
NULL For Oracle or MS SQL Server only, when named pipes are used. For Oracle, the list usually has two entries: oracle.exe,tnslsnr.exe. For MS SQL Server, the list is usually a single entry: sqlservr.exe. For a DB2, Oracle, or Informix database, enter the full path name of the database executable. For example:
  • Oracle: /home/oracle10/prod/10.2.0/db_1/bin/oracle
  • Informix: /INFORMIXTMP/.inf.sqlexec (applies to all Informix platforms except Linux)
  • Informix on Linux, for example: /home/informix11/bin/oninit
  • MySQL: mysql
  • All other database types: NULL
Encryption 0 Activates monitoring of ASO or SSL encrypted traffic for Oracle (versions 11 and 12) and Sybase on Solaris, HP-UX and AIX.

For Oracle, also specify db_version in the ini file (for example, db_version=12).

For any Oracle database that requires instrumentation, instrument it before setting encryption=1 in guard_tap.ini (encryption=1 is not supported on Linux).

  1 1=database traffic participates in load balancing. 0=database traffic does not participate in load balancing.
Intercept Types NULL Protocol types that are intercepted by the IE. Valid values:
  • NULL: automatically intercepts all protocols the database supports
  • Comma-separated list: the IE intercepts only these protocol types.
Identifier NULL Optional. Used to distinguish inspection engines from one another. If you do not provide a value, Guardium automatically populates the field with a unique name built from the database type and the GUI display sequence number.
DB Version 9 The database version. Used for capturing A-TAP traffic.
Unix Socket Marker Null Specifies the UNIX domain socket marker for Oracle, MySQL and Postgres. The default is usually correct, but if named pipe or UNIX domain socket traffic is not being captured, verify that this value is set correctly. For example, for Oracle, unix_domain_socket_marker should be set to the KEY of the IPC address defined in tnsnames.ora. If it is NULL or not set, the S-TAP uses these default markers:
  • MySQL: "mysql.sock"
  • Oracle: "/.oracle/"
  • Postgres: ".s.PGSQL.5432"