QRadar Network Packet Capture hardware

IBM® QRadar® Network Packet Capture is an optional IBM QRadar appliance that can be used to store and manage data when no other network packet capture (PCAP) device is deployed. You can install any number of these appliances as a tap on a network or subnetwork to collect the raw packet data.

QRadar Network Packet Capture appliance

Before you can capture packets, you must configure QRadar Network Packet Capture network and connection settings.

The QRadar Network Packet Capture appliance can be identified by the wording “IBM QRadar PCAP G3” on the front panel of the hardware, as shown in the following diagram.

Figure 1. Front panel of the QRadar Network Packet Capture appliance
Image shows the front panel of a QRadar Network Packet Capture appliance with a 12 hard-disk drive configuration.

The QRadar Network Packet Capture appliance is installed with an Intel X520 Ethernet adapter and a Napatech NT40E3-4-PTP SmartNIC.

The placement for the Intel X520 and Napatech NT40E3-4-PTP hardware can be seen in the following diagram, which shows the rear panel of the packet capture device:

Figure 2. Rear panel of the QRadar Network Packet Capture appliance
Image shows the back panel of a QRadar Network Packet Capture appliance, indicating the placement of both the Intel X520 and Napatech cards.

Napatech NT40E3-4-PTP SmartNIC

The Napatech NT40E3-4-PTP SmartNIC provides full packet capture and analysis with zero packet loss. You can capture data from up to four capture port sources with a single appliance. Capture ports can be reconfigured to enable port forwarding; that is, you can capture on one port and mirror the traffic out of another port.

The dual-rate 10G/1G ports support:
  • SFP+ 10GBASE-SR
  • SFP+ 10GBASE-RR
  • SFP 1000BASE-SX
  • SFP 1000BASE-LX
  • SFP 1000BASE-T

The following diagram shows the Napatech SR SFP+ modules (Avago) installed on an appliance:

Figure 3. Napatech SR SFP+ modules installed on an appliance
Image shows a Napatech appliance installed with four short-range SFP+ modules and a fiber connection.

The Napatech card is shipped with two sets of SFP+ modules. One set (four pieces) is Transceiver Dual SFP+ short range, and one set (four pieces) is Transceiver Dual SFP+ long range.

The following SFP+ modules are approved for use with the Napatech card:
  • IBM D10E7LL 10G LR Avago (Included: 4 pieces)
  • IBM D10E8LL 10G SR Avago (Included: 4 pieces)
  • Napatech 802-0039-01-01 10G SR Finisar
  • Napatech 10G LR 802-0039-01-01 Finisar

The following SFP+ modules are approved for use with the Intel X520 card:
  • IBM D10E8LL 10G SR Avago (Included: 2 pieces)
  • Lenovo 46C3447 10G SR Avago
  • Lenovo 46C3447 10G SR Finisar
  • Intel E10GSFPSR 1/10G SX/R Finisar
  • Intel E10GSFPSR 1/10G SX/R Avago
  • Intel E10GSFPLR 1/10G LX/R Finisar