Linux-UNIX: K-TAP parameters

These parameters affect the behavior of the K-TAP.

These parameters are located in the [TAP] section of the S-TAP properties file: guard_tap.ini.

Attention: These are advanced parameters and should be modified only by IBM Technical Support.
Table 1. K-TAP configuration parameters
GIM guard_tap.ini Default value Description
ktap_installed 1 Whether or not the Kernel Monitor module is installed. Valid values:
  • 0: no
  • 1: yes
STAP_KTAP_REQUEST_TIMEOUT ktap_request_timeout 5 Maximum amount of time, in seconds, to wait for a non-firewall verdict from S-TAP. It can have any value.

Can be set when pushing to a group of DB servers via GIM.

ktap_dbgev_ev_list 0 Enables the K-TAP trace log, either through the GUI or through the guard_tap.ini file. Valid values:
  • 0: disable
  • 1: enable the K-TAP trace log, which is written under the /var/tmp directory
ktap_dbgev_func_name all List of functions to log in the K-TAP trace log. The value all logs all the functions. To log only a specific function, specify its name; for example, accept logs only the accept functions. If you specify a function that is not relevant to the K-TAP trace log, nothing is written to the log.
ktap_fast_tcp_verdict 1 For TCP connections. Valid values:
  • 0: slow verdict. K-TAP sends information about the session to S-TAP to ask whether or not the traffic should be intercepted.
  • 1: fast verdict. K-TAP decides on its own.
In both cases, the network/exclude network parameters are checked against the incoming IP. From 10.1.4, the value is 1 after upgrade.
STAP_KTAP_FAST_FILE_VERDICT ktap_fast_file_verdict 1 Push file information to K-TAP for determining if pipe traffic should be intercepted. For a TLI connection, K-TAP sends an ioctl to the S-TAP to confirm that the session is the database connection configured in the IE by checking ports and IPs. When ktap_fast_file_verdict is set to 1, K-TAP does not send the request to the S-TAP as long as the session's ports are in the range. Valid values:
  • 0: disable
  • 1: enable

Can be set when pushing to a group of DB servers via GIM.

STAP_KTAP_BUFFER_SIZE ktap_buffer_size 4194304 Advanced. The size, in bytes, of each K-TAP buffer. Reboot the server after making changes to this parameter.

Valid values: 1 MB - 32 MB

Can be set when pushing to a group of DB servers via GIM.

ktap_buffer_flush 0 Advanced. The way to send messages from K-TAP to S-TAP. Valid values:
  • 1: The S-TAP reads the entire K-TAP buffer and processes all the packets in the buffer
  • 0: The S-TAP reads a fixed amount rather than the entire buffer
ktap_local_tcp 0 For TCP connections. When set to 1, only local connections are intercepted (although previously intercepted connections are still captured).
STAP_KHASH_TABLE_LENGTH khash_table_length 24593 Length of the K-TAP table entries.

Valid values: integer

Can be set when pushing to a group of DB servers via GIM.

STAP_KHASH_MAX_ENTRIES khash_max_entries 8192 Maximum number of concurrent K-TAP table entries.

Valid values: integer

Can be set when pushing to a group of DB servers via GIM.

STAP_KTAP_FAST_SHMEM ktap_fast_shmem 1 Push shmem information to K-TAP to determine if shmem traffic should be intercepted. Valid values:
  • 0: disable
  • 1: enable
Can be set when pushing to a group of DB servers via GIM.
STAP_KTAP_FSMON_BUFFER_SIZE ktap_fsmon_buffer_size 4194304 Advanced. Size of the K-TAP buffer for FS monitoring events, in bytes. Reboot the server after making changes to this parameter.

Valid values: 128 KB - 32 MB

Can be set when pushing to a group of DB servers via GIM.

STAP_ENABLE_KTAP_DYNAMIC_RING_BUFFERS enable_ktap_dynamic_ring_buffers 0 Dynamically adds and removes K-TAP buffers for each main connection during peak traffic, to prevent an overflow in the K-TAP buffer. If K-TAP failover happens, data in all buffers is moved to the new buffers.

Valid values:

  • 0: disabled
  • 1: enabled
Table 2. A-TAP and PCAP configuration parameters
GIM Parameter Default value Description
atap_exec_location /var/guard Location of the executable that is used when activating A-TAP by enabling the encryption box in the inspection engine section
db_request_handler_enable 0 Allow the database to access K-TAP without manual configuration (requires a defined db_user in the IE section). Valid values:
  • 0: Disabled
  • 1: Enabled
STAP_PCAP_READ_TIMEOUT pcap_read_timeout 0 Only PCAP traffic (non-K-TAP): PCAP packet buffer timeout, in milliseconds.
Do not change this value without consulting Technical Support, after examining the problem and determining that the losses (not capturing all the traffic) are caused by a PCAP/S-TAP related bottleneck.
Can be set when pushing to a group of DB servers via GIM.
STAP_PCAP_DISPATCH_COUNT pcap_dispatch_count 16 Number of PCAP packets to process at one time. Valid values:
  • 0: process entire buffer at once.
  • positive integer: number of packets
Do not change this value without consulting Technical Support, after examining the problem and determining that the losses (not capturing all the traffic) are caused by a PCAP/S-TAP related bottleneck.
Can be set when pushing to a group of DB servers via GIM.
STAP_PCAP_BUFFER_SIZE pcap_buffer_size -1 Size of the PCAP socket buffer, in kilobytes. This parameter is used for Linux only. Valid values:
  • -1: maximum buffer possible (rmem_max)
  • 1-65535: buffer size in kilobytes
A larger buffer means that losses are less likely when there are bursts of high-volume traffic. If there is a burst of high traffic, PCAP captures everything, but the S-TAP (or PCAP-to-S-TAP flow) is not fast enough and cannot keep up with the traffic. To avoid losses, the yet-to-be-processed packets are buffered. The larger the buffer is, the more resilient it is against higher and longer bursts of high traffic. Do not change this value without consulting Technical Support, after examining the problem and determining that the losses (not capturing all the traffic) are caused by a PCAP/S-TAP related bottleneck.
Can be set when pushing to a group of DB servers via GIM.
pcap_backup_ktap 1 When this parameter is enabled, PCAP is always started, regardless of whether ktap_installed is enabled, as long as there is a Db2 defined in the IE.