Forwarding packets to QRadar Network Packet Capture
You can monitor network traffic by sending raw data packets to an IBM QRadar Flow Collector 1310 appliance. The QRadar Flow Collector uses a dedicated Napatech monitoring card to copy incoming packets from one port on the card to a second port that connects to a QRadar Network Packet Capture appliance.
As shown in the following diagram, if you already have a QRadar Flow Collector 1310 with a 10G Napatech network card, you can mirror the traffic to QRadar Network Packet Capture.
Before you begin
Ensure that the following hardware is set up in your environment:
- You attached the cable to port 1 of the Napatech card on the QRadar Flow Collector 1310 appliance.
- You attached the cable that is connected to port 2 of the Napatech card, which is the forwarding port, to the QRadar Network Packet Capture appliance.
Verify layer 2 connectivity by checking for link lights on both appliances.
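The procedure below hand-edits /opt/qradar/init/apply_tunings, and the block you are told to locate only takes effect when two conditions hold: the appliance ID reported by myver -a is 1310 and the Napatech "Active FPGA Image" line reports model 9220. The following preflight script is an added example, not IBM's code, that reproduces those two checks so you can confirm the appliance qualifies before touching the file, and takes a timestamped backup of apply_tunings first. It assumes $NVABIN resolves to /opt/qradar/bin; the AdapterInfo output it embeds is a constructed sample whose line layout is an assumption, used only so the logic can be exercised on a host without the Napatech tools.

```sh
#!/bin/sh
# Added example (not part of the IBM page): preflight the two tests that
# apply_multithread_qflow_changes() makes, then back up apply_tunings.

# Constructed sample of AdapterInfo output (layout is an assumption);
# the real tool is /opt/napatech/bin/AdapterInfo.
SAMPLE_ADAPTERINFO='Adapter 0:
  Product: NT40E3-4-PTP
  Active FPGA Image: 200-9220-11-00-00
  Link speed: 10G'

# Extract the model number exactly the way apply_tunings does: the second
# '-'-delimited field of the "Active FPGA Image" line. If AdapterInfo fails
# or the line is absent, this yields an empty string, which never qualifies.
napatech_model() {
    printf '%s\n' "$1" | grep "Active FPGA Image" | cut -d'-' -f2
}

# Return 0 only for the appliance ID / FPGA model pair the tuning block
# checks for (1310 with image 9220); 1 otherwise.
qualifies() {
    [ "$1" = "1310" ] && [ "$2" = "9220" ]
}

# Live check: use the real commands when present, otherwise fall back to the
# constructed sample so the logic runs on any host. $NVABIN is assumed to be
# /opt/qradar/bin, the directory that holds myver.
preflight() {
    nvabin="${NVABIN:-/opt/qradar/bin}"
    if [ -x "$nvabin/myver" ] && [ -x /opt/napatech/bin/AdapterInfo ]; then
        appliance=$("$nvabin/myver" -a)
        info=$(/opt/napatech/bin/AdapterInfo 2>&1)
    else
        appliance="1310"
        info="$SAMPLE_ADAPTERINFO"
    fi
    model=$(napatech_model "$info")
    if qualifies "$appliance" "$model"; then
        echo "OK: appliance $appliance with Napatech FPGA image $model"
        return 0
    fi
    echo "Not applicable: appliance '$appliance', FPGA image '$model'" >&2
    return 1
}

# Copy apply_tunings (or the file given as $1) to a timestamped .bak beside
# it before any hand edit; prints the backup path.
backup_tunings() {
    f="${1:-/opt/qradar/init/apply_tunings}"
    bak="$f.$(date +%Y%m%d%H%M%S).bak"
    cp -p "$f" "$bak" && printf '%s\n' "$bak"
}
```

Run preflight as root on the Flow Collector; it exits non-zero, with the values it saw, when the appliance is not a 1310 or the card does not report image 9220, which is exactly the case in which adding lines to that block would have no effect. Call backup_tunings before opening the file in an editor so the original can be restored if the edit breaks the script.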
Procedure
Using SSH from your IBM QRadar Console, log in to the QRadar Flow Collector as the root user. On the QRadar Flow Collector appliance, make a backup copy and then edit the following file:
/opt/qradar/init/apply_tunings
Locate the following block, which begins at around line 137.
    apply_multithread_qflow_changes()
    {
        APPLIANCEID=`$NVABIN/myver -a`
        if [ "$APPLIANCEID" == "1310" ]; then
            MODELNUM=$(/opt/napatech/bin/AdapterInfo 2>&1 | grep "Active FPGA Image" | cut -d'-' -f2)
            if [ "$MODELNUM" == "9220" ]; then...
In the AppendToConf lines that follow the code in the preceding step, add these lines: