How to install tcpdump to collect packet capture in CBC Sensor Gateway



Article ID: 381393


Updated On: 11-07-2024

Products

Carbon Black Cloud Endpoint Standard

Issue/Introduction

This article explains how to install the tcpdump tool on the Carbon Black Cloud Sensor Gateway (CBC SGW) so that packet captures can be collected when investigating connectivity issues between the SGW and its sensors, the cloud, or other devices on the network.

Environment

SGW 1.2+

Resolution

The CBC SGW runs a Photon OS based operating system that ships without the tcpdump tool, for security compliance reasons.

The procedure below enables the required package repositories, backs up the files of two packages whose dependencies conflict with tcpdump, removes those packages, installs tcpdump, and then restores the backed-up files.

Backing up and restoring the packages this way does not affect normal operation of the SGW software.

Steps to install tcpdump:

  1. Escalate to root with su, enable the photon-release repo, and download and install the tar package
    root@photon-machine [ /etc/yum.repos.d ]# tdnf repolist
    root@photon-machine [ /etc/yum.repos.d ]# sudo sed -i '/^\[photon-release\]/,/^$/s/enabled=0/enabled=1/' /etc/yum.repos.d/*.repo
    root@photon-machine [ /etc/yum.repos.d ]# tdnf repolist
    repo id             repo name                               status
    photon-release      VMware Photon Linux 4.0 (x86_64)        enabled
    root@photon-machine [ /etc/yum.repos.d ]# tdnf makecache
    Refreshing metadata for: 'VMware Photon Linux 4.0 (x86_64)'
    Metadata cache created.             342894 100%
    root@photon-machine [ /etc/yum.repos.d ]# tdnf install tar
    Installing:
    tar    x86_64    1.32-1.ph4    photon-release    4.87M 5107894
    Total installed size:   4.87M 5107894
    Is this ok [y/N]: y
    Downloading:
    tar                                     917309 100%
    Testing transaction
    Running transaction
    Installing/Updating: tar-1.32-1.ph4.x86_64
    Complete!
    root@photon-machine [ /etc/yum.repos.d ]#
  2. Change to the /tmp directory and run the commands below to back up the files of both packages, ansible_dependencies-1.2.1.0-24042317.noarch and photon_vasecurity-1.2.1.0-24042317.noarch (the version and build number may differ on your SGW; confirm the exact installed names with rpm -qa first)
    root@photon-machine [ /tmp ]# tar -cvzf ansible_dependencies-1.2.1.0-24042317.tar.gz $(rpm -ql ansible_dependencies-1.2.1.0-24042317.noarch)
    tar: Removing leading `/' from member names
    /ansible-deps/ansible-posix-1.3.0.tar.gz
    tar: Removing leading `/' from hard link targets
    /ansible-deps/community-general-3.8.0.tar.gz
    root@photon-machine [ /tmp ]# tar -cvzf photon_vasecurity-1.2.1.0-24042317.tar.gz $(rpm -ql photon_vasecurity-1.2.1.0-24042317.noarch)
    tar: Removing leading `/' from member names
    /vasecurity/
    /vasecurity/postinstall
    tar: Removing leading `/' from hard link targets
    /vasecurity/vahardening/
    /vasecurity/vahardening/GEN0
    root@photon-machine [ /tmp ]# ls -alth
    total 2.4M
    drwxrwxrwt. 21 root root  460 Nov  6 08:33 .
    -rw-------.  1 root root 2.3M Nov  6 08:31 ansible_dependencies-1.2.1.0-24042317.tar.gz
    -rw-------.  1 root root  42K Nov  6 08:30 photon_vasecurity-1.2.1.0-24042317.tar.gz
  3. Remove both packages
    root@photon-machine [ /tmp ]# tdnf remove ansible_dependencies-1.2.1.0-24042317.noarch -y
    Removing:
    ansible_dependencies    noarch    1.2.1.0-24042317    @System    2.26M 2374821
    Total installed size:   2.26M 2374821
    Testing transaction
    Running transaction
    Removing: ansible_dependencies-1.2.1.0-24042317.noarch
    Complete!
    root@photon-machine [ /tmp ]# tdnf remove photon_vasecurity-1.2.1.0-24042317.noarch -y
    Removing:
    photon_vasecurity    noarch    1.2.1.0-24042317    @System    108.98k 111597
    Total installed size: 108.98k 111597
    Testing transaction
    Running transaction
    Removing: photon_vasecurity-1.2.1.0-24042317.noarch
    Complete!
  4. Enable the photon-updates repo and install tcpdump
    root@photon-machine [ /tmp ]# sudo sed -i '/^\[photon-updates\]/,/^$/s/enabled=0/enabled=1/' /etc/yum.repos.d/*.repo
    root@photon-machine [ /tmp ]# tdnf repolist
    repo id             repo name                                   status
    photon-updates      VMware Photon Linux 4.0 (x86_64) Updates    enabled
    photon-release      VMware Photon Linux 4.0 (x86_64)            enabled
    root@photon-machine [ /tmp ]# tdnf makecache
    Refreshing metadata for: 'VMware Photon Linux 4.0 (x86_64) Updates'
    Refreshing metadata for: 'VMware Photon Linux 4.0 (x86_64)'
    Metadata cache created.                   3003 100%
    root@photon-machine [ /tmp ]# tdnf install tcpdump -y
    Installing:
    tcpdump    x86_64    4.99.4-2.ph4    photon-updates    2.46M 2580118
    Total installed size:   2.46M 2580118
    Downloading:
    tcpdump                                 476051 100%
    Testing transaction
    Running transaction
    Installing/Updating: tcpdump-4.99.4-2.ph4.x86_64
    Complete!
    root@photon-machine [ /tmp ]# tcpdump --version
    tcpdump version 4.99.4
    libpcap version 1.10.0 (with TPACKET_V3)
    OpenSSL 3.0.13 30 Jan 2024
  5. Restore the files of the packages removed in step 3 by unpacking the backups at /
    root@photon-machine [ /tmp ]# tar -xvzf ansible_dependencies-1.2.1.0-24042317.tar.gz -C /
    ansible-deps/ansible-posix-1.3.0.tar.gz
    ansible-deps/community-general-3.8.0.tar.gz
    root@photon-machine [ /tmp ]# tar -xvzf photon_vasecurity-1.2.1.0-24042317.tar.gz -C /
    vasecurity/
    vasecurity/postinstall
    ...
  6. Disable the repos enabled in steps 1 and 4. The section name is photon-updates (with an s); a pattern for photon-update matches nothing and would leave that repo enabled. Confirm with tdnf repolist afterwards that neither repo is listed as enabled
    root@photon-machine [ /home/admin ]# sed -i '/^\[photon-release\]/,/^$/s/enabled=1/enabled=0/' /etc/yum.repos.d/*.repo
    root@photon-machine [ /home/admin ]# sed -i '/^\[photon-updates\]/,/^$/s/enabled=1/enabled=0/' /etc/yum.repos.d/*.repo
  7. Once the packet capture has been collected, remove tcpdump again with the command below (this step is mandatory, see Additional Information)
    root@photon-machine [ /home/admin ]# tdnf remove tcpdump
    Removing:
    tcpdump    x86_64    4.99.4-2.ph4    @System    2.46M 2580118
    Total installed size:   2.46M 2580118
    Is this ok [y/N]: y
    Testing transaction
    Running transaction
    Removing: tcpdump-4.99.4-2.ph4.x86_64
    Complete!
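The whole procedure as one script, added here as an example; it is not code from this article or from the SGW product. It assumes GNU tar and sed and tdnf on the appliance, that it runs as root, and that the two packages are looked up by name through rpm rather than by the build number 24042317 shown in the transcript; the repo ids photon-release and photon-updates are the ones the transcript shows. Two checks the transcript lacks are built in: the repo section name is validated and matched exactly (which is what makes the photon-update/photon-updates slip visible), and the backup archive is compared against the package's file list before anything is removed. The capture helper uses standard tcpdump rotation flags; the BPF filter is whatever you pass, since the article does not state which ports the SGW uses.

```shell
#!/bin/sh
# Added example (not code from the KB article or the SGW product): steps 1-7
# as one script with checks. Assumptions not taken from the article: GNU
# tar/sed and tdnf are present, the script runs as root, packages are found
# by name via rpm rather than by build 24042317, and the BPF filter for a
# capture is supplied by the caller.
set -eu

REPO_DIR=${REPO_DIR:-/etc/yum.repos.d}
BACKUP_DIR=${BACKUP_DIR:-/tmp}
CONFLICT_PKGS="ansible_dependencies photon_vasecurity"

valid_id() {   # repo ids and package names: letters, digits, _ and - only
    case $1 in '' | *[!A-Za-z0-9_-]*) return 1 ;; esac
}

# Set enabled=0/1 inside exactly one [section] of a .repo file. The name is
# validated and matched verbatim, so a typo such as photon-update matches
# nothing instead of silently leaving [photon-updates] enabled.
set_repo_enabled() {   # set_repo_enabled <repo-file> <section> <0|1>
    valid_id "$2" || return 2
    case $3 in 0 | 1) ;; *) return 2 ;; esac
    sed -i "/^\[$2\]\$/,/^\$/ s/^enabled=[01]\$/enabled=$3/" "$1"
}

# Print the enabled state (0 or 1) of a [section]; fail if it is absent.
repo_enabled() {       # repo_enabled <repo-file> <section>
    valid_id "$2" || return 2
    state=$(sed -n "/^\[$2\]\$/,/^\$/ s/^enabled=\([01]\)\$/\1/p" "$1" | sed -n 1p)
    [ -n "$state" ] || return 1
    printf '%s\n' "$state"
}

# Archive exactly the paths in <list-file>, one per line as `rpm -ql` prints
# them. Recursion is off so a listed directory does not drag in files owned
# by other packages, and reading a file avoids word splitting $(rpm -ql ...).
archive_paths() {      # archive_paths <archive.tar.gz> <list-file>
    tar --no-recursion -czf "$1" -T "$2"
}

# Before removing anything, check every listed path is in the archive
# (tar strips the leading / and appends / to directory entries).
archive_complete() {   # archive_complete <archive.tar.gz> <list-file>
    want=$(sed 's|^/||; s|/$||' "$2" | sort -u)
    have=$(tar -tzf "$1" | sed 's|/$||' | sort -u)
    [ "$want" = "$have" ]
}

# Step 5: put the files back under <root> (default /). rpm will not own them.
restore_archive() {    # restore_archive <archive.tar.gz> [root]
    tar -xzf "$1" -C "${2:-/}"
}

# Steps 2-3 for one package, refusing to remove it if the backup is short.
backup_and_remove_pkg() {   # backup_and_remove_pkg <package>
    list=$(mktemp)
    rpm -ql "$1" >"$list"
    archive_paths "$BACKUP_DIR/$1.tar.gz" "$list"
    archive_complete "$BACKUP_DIR/$1.tar.gz" "$list" || {
        echo "backup of $1 is incomplete, not removing it" >&2; return 1; }
    rm -f "$list"
    tdnf remove -y "$1"
}

install_tcpdump() {
    for repo in photon-release photon-updates; do
        for f in "$REPO_DIR"/*.repo; do set_repo_enabled "$f" "$repo" 1; done
    done
    tdnf makecache
    tdnf install -y tar
    removed=
    for pkg in $CONFLICT_PKGS; do
        # On a second run rpm no longer owns these (step 5 bypassed it), so
        # only the repo toggling and the tcpdump install happen.
        if rpm -q "$pkg" >/dev/null 2>&1; then
            backup_and_remove_pkg "$pkg"
            removed="$removed $pkg"
        fi
    done
    tdnf install -y tcpdump
    for pkg in $removed; do restore_archive "$BACKUP_DIR/$pkg.tar.gz"; done
    for repo in photon-release photon-updates; do
        for f in "$REPO_DIR"/*.repo; do set_repo_enabled "$f" "$repo" 0; done
    done
    tcpdump --version
}

# Bounded capture: -G rotates every N seconds, -W stops after M files, so a
# capture left running cannot fill the appliance disk. The filter is yours.
capture() {   # capture <out-prefix> <seconds-per-file> <files-to-keep> [bpf-filter]
    tcpdump -i any -nn -s 0 -G "$2" -W "$3" -w "$1-%Y%m%d-%H%M%S.pcap" ${4:+"$4"}
}

case ${1:-} in
    install) install_tcpdump ;;
    capture) shift; capture "$@" ;;
    remove)  tdnf remove -y tcpdump ;;   # step 7, once the pcap is collected
esac
```

Saved as, say, sgw-tcpdump.sh (the name is an assumption): run `sh sgw-tcpdump.sh install` once, then `sh sgw-tcpdump.sh capture /tmp/sgw 300 6 'port 443'` to collect six five-minute files (the port is a placeholder, not a documented SGW port), and `sh sgw-tcpdump.sh remove` when done. Because the restored files are no longer owned by rpm, a second `install` skips the backup and removal stage, which is the behaviour the Additional Information describes for subsequent installations.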

Additional Information

  • Removing tcpdump in step 7 is mandatory so that the SGW stays compliant with the software security standards set by Broadcom.
  • Removing the packages in step 3 and unpacking the backups in step 5 puts their files back exactly as they were, so the software works as before, but tdnf/rpm no longer track them as installed packages.
  • Removing the packages in step 3 has no impact on SGW functionality.
  • The packages are removed because their dependencies conflict with tcpdump's; removing them in step 3 and restoring their files in step 5 avoids the conflict.
  • For the packages to download from the VMware repositories, the firewall must allow outbound access from the SGW to packages.vmware.com on TCP port 443.
  • All steps are required the first time tcpdump is installed on an SGW. On later installations the packages from step 3 are no longer tracked by tdnf, so only steps 4, 6 and 7 are needed.