Forwarding packets to QRadar Network Packet Capture

You can monitor network traffic by sending raw data packets to an IBM QRadar Flow Collector 1310 appliance. The QRadar Flow Collector uses a dedicated Napatech monitoring card to copy incoming packets from one port on the card to a second port that connects to a QRadar Network Packet Capture appliance.

As shown in the following diagram, if you already have a QRadar Flow Collector 1310 with a 10G Napatech network card, you can mirror the traffic to QRadar Network Packet Capture.

Figure 1. Packet data forwarding from a QRadar Flow Collector to QRadar Network Packet Capture by using the Napatech card
Port mirroring from a QRadar Flow Collector to QRadar Network Packet Capture

Before you begin

Ensure that the following hardware is set up in your environment:
  • You attached the cable that carries the traffic to be monitored to port 1 of the Napatech card on the QRadar Flow Collector 1310 appliance.
  • You attached the cable from port 2 of the Napatech card, which is the forwarding port, to the QRadar Network Packet Capture appliance.
  • You verified that the physical link is up by checking for link lights on both appliances. Link lights confirm only that the ports are connected; whether packets are actually forwarded is confirmed in steps 4 and 5 of the procedure.

Procedure

  1. Using SSH from your IBM QRadar Console, log in to the QRadar Flow Collector as the root user. On the QRadar Flow Collector appliance, make a backup copy of the following file and then edit it.

    /opt/qradar/init/apply_tunings

    1. Locate the following block, which starts around line 137.
      apply_multithread_qflow_changes()
      {
           APPLIANCEID=`$NVABIN/myver -a`
           if [ "$APPLIANCEID" == "1310" ]; then
                MODELNUM=$(/opt/napatech/bin/AdapterInfo 2>&1 | grep "Active FPGA Image" | cut -d'-' -f2)
                if [ "$MODELNUM" == "9220" ]; then
                ...
    2. In the AppendToConf lines that follow the code in the preceding step, add these lines:
      AppendToConf SV_NAPATECH_FORWARD YES    
      AppendToConf SV_NAPATECH_FORWARD_INTERFACE_SRCDST "0:1"

      These statements enable packet forwarding and forward packets from Napatech port 0 to Napatech port 1. The card's ports are numbered from 0 in the configuration, so port 0 is the physical port 1 that receives the monitored traffic and port 1 is the physical port 2 that is cabled to QRadar Network Packet Capture. If your cabling is reversed, the "0:1" value must be reversed to match, otherwise nothing is forwarded.

    3. Ensure that multithreading is enabled by verifying that the following line is in the /opt/qradar/conf/nva.conf file. Forwarding depends on the multithreaded qflow path, so without this setting the forwarding statements have no effect.

      MULTI_THREAD_ON=YES

  2. Run the apply_tunings script from the /opt/qradar/init directory to update the configuration files on the QRadar Flow Collector, by typing the following command:

    ./apply_tunings restart

  3. Restart IBM QRadar services by typing the following command:

    systemctl restart hostcontext

  4. Optional: Verify that your Napatech card is receiving and transmitting data by typing the following command:

      /opt/napatech/bin/Statistics -dec -interactive

      The "RX" packet and byte statistics increment if the card is receiving data on the monitoring port, and the "TX" statistics increment if the card is transmitting data out of the forwarding port. If RX increments but TX stays at zero, forwarding is not active: check that the AppendToConf lines were added in the correct block of apply_tunings, that MULTI_THREAD_ON=YES is set in nva.conf, and that apply_tunings and hostcontext were restarted.

  5. Verify that your QRadar Network Packet Capture is receiving packets from your QRadar Flow Collector appliance.
    1. Using SSH from your QRadar Console, log in to your QRadar Network Packet Capture appliance as root on port 4477 (for example, ssh -p 4477 root@<packet capture appliance>).
    2. Verify that the QRadar Network Packet Capture appliance is receiving packets by typing the following command:

      watch -d cat /var/www/html/statisdata/int0.txt

      The int0.txt file updates as data flows into your QRadar Network Packet Capture appliance.

    For more information about packet capture, see the QRadar Network Packet Capture documentation.
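The edit in step 1 is easy to get wrong by hand (the lines land outside the 9220 block, or are added twice on a second pass). The following script is an added example and is not IBM's code: it makes the apply_tunings edit idempotently against a constructed sample of the relevant region, refuses to edit a file in which the anchor line is missing, and checks nva.conf for MULTI_THREAD_ON. The file paths are parameters so the functions can be exercised on sample files; on a real QRadar Flow Collector they would be /opt/qradar/init/apply_tunings and /opt/qradar/conf/nva.conf, and the sample body of apply_multithread_qflow_changes is a placeholder, not the real file contents.

```shell
#!/bin/sh
# Added example (not IBM's code). Idempotently insert the two Napatech
# forwarding directives into a copy of apply_tunings and check nva.conf.

# Write a constructed sample of the region of apply_tunings shown in the
# procedure. The existing AppendToConf lines are elided; this is not the real file.
make_sample_tunings() {
    cat > "$1" <<'EOF'
apply_multithread_qflow_changes()
{
    APPLIANCEID=`$NVABIN/myver -a`
    if [ "$APPLIANCEID" == "1310" ]; then
        MODELNUM=$(/opt/napatech/bin/AdapterInfo 2>&1 | grep "Active FPGA Image" | cut -d'-' -f2)
        if [ "$MODELNUM" == "9220" ]; then
            # ... existing AppendToConf lines (elided in this sample) ...
        fi
    fi
}
EOF
}

# Insert the forwarding lines directly after the 9220 model check so they sit
# inside that block. A second run is a no-op; a file without the anchor line
# is left untouched and the function returns 1. A .bak copy is kept.
add_forwarding_lines() {
    file="$1"
    if grep -q 'AppendToConf SV_NAPATECH_FORWARD ' "$file"; then
        echo "forwarding already enabled in $file"
        return 0
    fi
    if ! grep -q 'MODELNUM" == "9220"' "$file"; then
        echo "anchor line not found in $file; refusing to edit" >&2
        return 1
    fi
    cp "$file" "$file.bak"
    awk '
        { print }
        /MODELNUM" == "9220"/ && !done {
            print "            AppendToConf SV_NAPATECH_FORWARD YES"
            print "            AppendToConf SV_NAPATECH_FORWARD_INTERFACE_SRCDST \"0:1\""
            done = 1
        }
    ' "$file.bak" > "$file"
}

# Number of SV_NAPATECH_FORWARD directives in the file (2 after a correct edit).
count_forwarding_lines() {
    grep -c 'AppendToConf SV_NAPATECH_FORWARD' "$1"
}

# True (exit 0) when nva.conf enables multithreading, which forwarding needs.
multithread_enabled() {
    grep -q '^MULTI_THREAD_ON=YES' "$1"
}

# Stand-alone demonstration on temporary sample files.
demo() {
    tmp=$(mktemp -d)
    make_sample_tunings "$tmp/apply_tunings"
    printf 'MULTI_THREAD_ON=YES\n' > "$tmp/nva.conf"
    add_forwarding_lines "$tmp/apply_tunings"
    add_forwarding_lines "$tmp/apply_tunings"   # second run reports already enabled
    echo "forwarding directives present: $(count_forwarding_lines "$tmp/apply_tunings")"
    multithread_enabled "$tmp/nva.conf" && echo "multithreading enabled"
    rm -rf "$tmp"
}

demo
```

On a live appliance, run the functions against the real paths and then continue with step 2 (./apply_tunings restart) and step 3; the script deliberately does not restart anything itself.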