Linux-UNIX: K-TAP parameters
These parameters affect the behavior of the K-TAP.
These parameters are located in the [TAP] section of the S-TAP properties file: guard_tap.ini.
Attention: These are advanced parameters and should be modified only by IBM Technical Support.
| GIM | guard_tap.ini | Default value | Description |
|---|---|---|---|
| | ktap_installed | 1 | Whether or not the Kernel Monitor module is installed. Valid values: |
| STAP_KTAP_REQUEST_TIMEOUT | ktap_request_timeout | 5 | Maximum amount of time, in seconds, to wait for a non-firewall verdict from S-TAP. It can have any value. Can be set when pushing to a group of DB servers via GIM. |
| | ktap_dbgev_ev_list | 0 | Enables the K-TAP trace log, either through the GUI or through the guard_tap.ini file. Valid values: |
| | ktap_dbgev_func_name | all | List of functions to log in the K-TAP trace log. all = all functions; alternatively, specify a specific function, such as accept, so that only the accept functions are written to the log file. If you specify a function that is not relevant to the K-TAP trace log, nothing is logged. |
| | ktap_fast_tcp_verdict | 1 | For TCP connections. Valid values: |
| STAP_KTAP_FAST_FILE_VERDICT | ktap_fast_file_verdict | 1 | Push file information to K-TAP for determining if pipe traffic should be intercepted. For TLI connections, K-TAP sends an ioctl to the S-TAP to confirm, by checking ports and IPs, that the session is the database connection configured in the IE. When ktap_fast_file_verdict is set to 1, K-TAP does not send the request to the S-TAP as long as the session's ports are in the range. Valid values: Can be set when pushing to a group of DB servers via GIM. |
| STAP_KTAP_BUFFER_SIZE | ktap_buffer_size | 4194304 | Advanced. The size, in bytes, of each K-TAP buffer. Reboot the server after making changes to this parameter. Valid values: 1 MB - 32 MB. Can be set when pushing to a group of DB servers via GIM. |
| | ktap_buffer_flush | 0 | Advanced. The way to send messages from K-TAP to S-TAP. Valid values: |
| | ktap_local_tcp | 0 | 1 = only intercept local connections (although previously intercepted connections are still captured). This parameter is used for TCP connections. |
| STAP_KHASH_TABLE_LENGTH | khash_table_length | 24593 | Length of the K-TAP table entries. Valid values: integer. Can be set when pushing to a group of DB servers via GIM. |
| STAP_KHASH_MAX_ENTRIES | khash_max_entries | 8192 | Maximum number of concurrent K-TAP table entries. Valid values: integer. Can be set when pushing to a group of DB servers via GIM. |
| STAP_KTAP_FAST_SHMEM | ktap_fast_shmem | 1 | Push shmem information to K-TAP to determine if shmem traffic should be intercepted. Valid values: |
| STAP_KTAP_FSMON_BUFFER_SIZE | ktap_fsmon_buffer_size | 4194304 | Advanced. Size of the K-TAP buffer for FS monitoring events, in bytes. Reboot the server after making changes to this parameter. Valid values: 128 KB - 32 MB. Can be set when pushing to a group of DB servers via GIM. |
| STAP_ENABLE_KTAP_DYNAMIC_RING_BUFFERS | enable_ktap_dynamic_ring_buffers | 0 | Dynamically adds and removes K-TAP buffers for each main connection during peak traffic, to prevent an overflow in the K-TAP buffer. If K-TAP failover happens, data in all buffers is moved to the new buffers. Valid values: |
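
An added example, not IBM's code and not part of the original page: a read-only audit that parses the [TAP] section of guard_tap.ini and reports K-TAP parameters that differ from the defaults in the table above or fall outside its documented byte ranges. It assumes the page's KB and MB are binary units and that the file parses as plain INI; the function name and the sample file are constructed for illustration.

```python
import configparser

KB, MB = 1024, 1024 * 1024  # assumption: the page's KB/MB are binary units
# Documented defaults, keyed by guard_tap.ini name ([TAP] section).
DEFAULTS = {
    "ktap_installed": "1", "ktap_request_timeout": "5",
    "ktap_dbgev_ev_list": "0", "ktap_dbgev_func_name": "all",
    "ktap_fast_tcp_verdict": "1", "ktap_fast_file_verdict": "1",
    "ktap_buffer_size": "4194304", "ktap_buffer_flush": "0",
    "ktap_local_tcp": "0", "khash_table_length": "24593",
    "khash_max_entries": "8192", "ktap_fast_shmem": "1",
    "ktap_fsmon_buffer_size": "4194304", "enable_ktap_dynamic_ring_buffers": "0",
}
# Documented byte ranges; the table says to reboot after changing either one.
RANGES = {"ktap_buffer_size": (1 * MB, 32 * MB),
          "ktap_fsmon_buffer_size": (128 * KB, 32 * MB)}

def audit_tap(ini_text):
    """Return sorted (parameter, value, finding) tuples for the [TAP] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    if not cp.has_section("TAP"):
        return [("[TAP]", "", "section missing")]
    findings = []
    for name, default in DEFAULTS.items():
        value = cp.get("TAP", name, fallback=default).strip()
        if value == default:
            continue  # absent from the file, or set to the documented default
        note = "differs from default " + default
        if name in RANGES:
            lo, hi = RANGES[name]
            if not value.isdecimal() or not lo <= int(value) <= hi:
                note = f"outside documented range {lo}-{hi} bytes"
            else:
                note += "; reboot required to take effect"
        findings.append((name, value, note))
    return sorted(findings)

# Constructed sample file, not taken from a real server.
SAMPLE = """\
[TAP]
ktap_installed=1
ktap_buffer_size=524288
ktap_fsmon_buffer_size=8388608
ktap_local_tcp=1
ktap_dbgev_ev_list=1
"""

if __name__ == "__main__":
    print(*audit_tap(SAMPLE), sep="\n")
```

Because these parameters are meant to be changed only with IBM Technical Support, any finding is a prompt to check it against a support case or change record; `ktap_local_tcp=1` in particular narrows which TCP connections are intercepted.
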

| GIM | Parameter | Default value | Description |
|---|---|---|---|
| | atap_exec_location | /var/guard | Location of the executable that is used when activating A-TAP by enabling the encryption box in the inspection engine section. |
| | db_request_handler_enable | 0 | Allow the database to access K-TAP without manual configuration (requires a defined db_user in the IE section). Valid values: |
| STAP_PCAP_READ_TIMEOUT | pcap_read_timeout | 0 | Only PCAP traffic (non-K-TAP): PCAP packet buffer timeout, in milliseconds. Do not change this value without consulting Technical Support, after examining the problem and determining that the losses (not capturing all the traffic) are caused by a PCAP/S-TAP related bottleneck. Can be set when pushing to a group of DB servers via GIM. |
| STAP_PCAP_DISPATCH_COUNT | pcap_dispatch_count | 16 | Number of PCAP packets to process at one time. Valid values: Can be set when pushing to a group of DB servers via GIM. |
| STAP_PCAP_BUFFER_SIZE | pcap_buffer_size | -1 | Size of the PCAP socket buffer, in kilobytes. This parameter is used for Linux only. Valid values: Can be set when pushing to a group of DB servers via GIM. |
| | pcap_backup_ktap | 1 | When this parameter is enabled, PCAP always starts, regardless of whether ktap_installed is enabled, as long as a Db2 is defined in the IE. |