This KB article explains how to install the tcpdump tool on the Carbon Black Cloud Sensor Gateway (CBC SGW) in order to collect packet captures when investigating connectivity issues between the SGW and sensors, the cloud, or other devices on the network.
Applies to: SGW 1.2+
The CBC SGW runs on a Photon OS based operating system that ships without the tcpdump tool for security compliance reasons.
The procedure below enables the required package repositories, backs up two packages whose dependencies conflict with tcpdump, removes them, installs tcpdump, and then restores the backed-up packages manually.
Backing up and restoring the packages in this way does not affect the normal operation of the SGW software.
Steps to install tcpdump:
Step 1: Enable the photon-release repo and refresh the metadata cache
root@photon-machine [ /etc/yum.repos.d ]# tdnf repolist
root@photon-machine [ /etc/yum.repos.d ]# sudo sed -i '/^\[photon-release\]/,/^$/s/enabled=0/enabled=1/' /etc/yum.repos.d/*.repo
root@photon-machine [ /etc/yum.repos.d ]# tdnf repolist
repo id repo name status
photon-release VMware Photon Linux 4.0 (x86_64) enabled
root@photon-machine [ /etc/yum.repos.d ]# tdnf makecache
Refreshing metadata for: 'VMware Photon Linux 4.0 (x86_64)'
Metadata cache created. 342894 100%
Step 2: Install tar, which is used to back up the package files in step 3
root@photon-machine [ /etc/yum.repos.d ]# tdnf install tar
Installing:
tar x86_64 1.32-1.ph4 photon-release 4.87M 5107894
Total installed size: 4.87M 5107894
Is this ok [y/N]: y
Downloading:
tar 917309 100%
Testing transaction
Running transaction
Installing/Updating: tar-1.32-1.ph4.x86_64
Complete!
Step 3: Back up the files of the two conflicting packages with tar, then remove the packages
root@photon-machine [ /tmp ]# tar -cvzf ansible_dependencies-1.2.1.0-24042317.tar.gz $(rpm -ql ansible_dependencies-1.2.1.0-24042317.noarch)
tar: Removing leading `/' from member names
/ansible-deps/ansible-posix-1.3.0.tar.gz
tar: Removing leading `/' from hard link targets
/ansible-deps/community-general-3.8.0.tar.gz
root@photon-machine [ /etc/yum.repos.d ]# tar -cvzf photon_vasecurity-1.2.1.0-24042317.tar.gz $(rpm -ql photon_vasecurity-1.2.1.0-24042317.noarch)
tar: Removing leading `/' from member names
/vasecurity/
/vasecurity/postinstall
tar: Removing leading `/' from hard link targets
/vasecurity/vahardening/
/vasecurity/vahardening/GEN0
root@photon-machine [ /tmp ]# ls -alth
total 2.4M
drwxrwxrwt. 21 root root 460 Nov 6 08:33 .
-rw-------. 1 root root 2.3M Nov 6 08:31 ansible_dependencies-1.2.1.0-24042317.tar.gz
-rw-------. 1 root root 42K Nov 6 08:30 photon_vasecurity-1.2.1.0-24042317.tar.gz
root@photon-machine [ /tmp ]# tdnf remove ansible_dependencies-1.2.1.0-24042317.noarch -y
Removing:
ansible_dependencies noarch 1.2.1.0-24042317 @System 2.26M 2374821
Total installed size: 2.26M 2374821
Testing transaction
Running transaction
Removing: ansible_dependencies-1.2.1.0-24042317.noarch
Complete!
root@photon-machine [ /tmp ]# tdnf remove photon_vasecurity-1.2.1.0-24042317.noarch -y
Removing:
photon_vasecurity noarch 1.2.1.0-24042317 @System 108.98k 111597
Total installed size: 108.98k 111597
Testing transaction
Running transaction
Removing: photon_vasecurity-1.2.1.0-24042317.noarch
Complete!
Step 4: Enable the photon-updates repo and install tcpdump
root@photon-machine [ /tmp ]# sudo sed -i '/^\[photon-updates\]/,/^$/s/enabled=0/enabled=1/' /etc/yum.repos.d/*.repo
root@photon-machine [ /tmp ]# tdnf repolist
repo id repo name status
photon-updates VMware Photon Linux 4.0 (x86_64) Updates enabled
photon-release VMware Photon Linux 4.0 (x86_64) enabled
root@photon-machine [ /tmp ]# tdnf makecache
Refreshing metadata for: 'VMware Photon Linux 4.0 (x86_64) Updates'
Refreshing metadata for: 'VMware Photon Linux 4.0 (x86_64)'
Metadata cache created. 3003 100%
root@photon-machine [ /tmp ]# tdnf install tcpdump -y
Installing:
tcpdump x86_64 4.99.4-2.ph4 photon-updates 2.46M 2580118
Total installed size: 2.46M 2580118
Downloading:
tcpdump 476051 100%
Testing transaction
Running transaction
Installing/Updating: tcpdump-4.99.4-2.ph4.x86_64
Complete!
root@photon-machine [ /tmp ]# tcpdump -V
tcpdump: option requires an argument -- 'V'
tcpdump version 4.99.4
libpcap version 1.10.0 (with TPACKET_V3)
OpenSSL 3.0.13 30 Jan 2024
Usage: tcpdump [-AbdDefhHIJKlLnNOpqStuUvxX#] [ -B size ] [ -c count ] [--count]
[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
[ -i interface ] [ --immediate-mode ] [ -j tstamptype ]
[ -M secret ] [ --number ] [ --print ] [ -Q in|out|inout ]
[ -r file ] [ -s snaplen ] [ -T type ] [ --version ]
[ -V file ] [ -w file ] [ -W filecount ] [ -y datalinktype ]
[ --time-stamp-precision precision ] [ --micro ] [ --nano ]
[ -z postrotate-command ] [ -Z user ] [ expression ]
Note: -V expects a file argument, which is why the call above prints an error before the version and usage text; use tcpdump --version to print only the version and confirm the installation.
Step 5: Install back the packages removed in step 3 by extracting the backups to /
root@photon-machine [ /tmp ]# tar -xvzf ansible_dependencies-1.2.1.0-24042317.tar.gz -C /
ansible-deps/ansible-posix-1.3.0.tar.gz
ansible-deps/community-general-3.8.0.tar.gz
root@photon-machine [ /tmp ]# tar -xvzf photon_vasecurity-1.2.1.0-24042317.tar.gz -C /
vasecurity/
vasecurity/postinstall
...
Step 6: Disable the photon-release and photon-updates repos again (the section name in the second command must be photon-updates, matching the name enabled in step 4)
root@photon-machine [ /home/admin ]# sed -i '/^\[photon-release\]/,/^$/s/enabled=1/enabled=0/' /etc/yum.repos.d/*.repo
root@photon-machine [ /home/admin ]# sed -i '/^\[photon-updates\]/,/^$/s/enabled=1/enabled=0/' /etc/yum.repos.d/*.repo
Step 7: Once the packet capture has been collected, uninstall the tcpdump tool by running the command below
root@photon-machine [ /home/admin ]# tdnf remove tcpdump
Removing:
tcpdump x86_64 4.99.4-2.ph4 @System 2.46M 2580118
Total installed size: 2.46M 2580118
Is this ok [y/N]: y
Testing transaction
Running transaction
Removing: tcpdump-4.99.4-2.ph4.x86_64
Complete!
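The two mechanical parts of the procedure above, as an added shell example that is not part of the KB article: set_repo_enabled and repo_enabled (hypothetical helper names) reproduce the sed range the article uses to enable and disable one repo section without touching the other sections in the file, and missing_after_restore checks that every entry of a tar backup taken before a package was removed exists on disk again after it has been extracted to /. The demo runs only against a constructed repo file and directory tree in a scratch directory.

```shell
#!/bin/sh
# Added example (not part of the KB article): helpers that mirror the repo-toggling
# sed ranges used in the procedure and verify a restore from a tar backup.

# Set enabled=0|1 for one [SECTION] of a .repo file. Like the article's sed, the
# range runs from the section header to the next blank line, so other sections in
# the same file are left untouched. Written through a temp file so it also works
# with non-GNU sed (the article relies on GNU sed -i, as shipped with Photon OS).
set_repo_enabled() {  # set_repo_enabled FILE SECTION 0|1
    sed "/^\\[$2\\]/,/^\$/s/^enabled=[01]/enabled=$3/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print the enabled= value of one [SECTION]; prints nothing when the section does
# not exist, which is what a misspelled name such as photon-update silently does.
repo_enabled() {  # repo_enabled FILE SECTION
    sed -n "/^\\[$2\\]/,/^\$/s/^enabled=\\([01]\\)\$/\\1/p" "$1"
}

# Count entries of a backup archive that are missing under ROOT; 0 means the
# restore put every file and directory back. Assumes archive entries contain no
# whitespace, which holds for the package file lists shown in the article.
missing_after_restore() {  # missing_after_restore ARCHIVE ROOT
    missing=0
    for entry in $(tar -tzf "$1"); do
        [ -e "$2/$entry" ] || missing=$((missing + 1))
    done
    echo "$missing"
}

# Demo on a constructed repo file and directory tree in a scratch directory;
# nothing under /etc/yum.repos.d is touched.
demo() {
    T=$(mktemp -d)
    printf '[photon-release]\nenabled=0\n\n[photon-updates]\nenabled=0\n' > "$T/photon.repo"
    set_repo_enabled "$T/photon.repo" photon-updates 1
    echo "photon-updates enabled=$(repo_enabled "$T/photon.repo" photon-updates)"  # 1
    echo "photon-release enabled=$(repo_enabled "$T/photon.repo" photon-release)"  # 0
    mkdir -p "$T/root/vasecurity/vahardening"
    echo demo > "$T/root/vasecurity/postinstall"
    echo demo > "$T/root/vasecurity/vahardening/GEN0"
    (cd "$T/root" && tar -czf "$T/vasecurity.tar.gz" vasecurity)
    rm -r "$T/root/vasecurity"
    echo "missing before restore: $(missing_after_restore "$T/vasecurity.tar.gz" "$T/root")"  # 4
    tar -xzf "$T/vasecurity.tar.gz" -C "$T/root"
    echo "missing after restore: $(missing_after_restore "$T/vasecurity.tar.gz" "$T/root")"   # 0
    rm -r "$T"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run the script with the single argument demo to see the demo output; on the SGW, point the helpers at the real file in /etc/yum.repos.d and at the backup archives written in /tmp.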
The removal of the tcpdump tool in step 7 is mandatory to ensure that the SGW remains compliant with the software security standards set by Broadcom.
Removing the packages in step 3 and extracting their backups in step 5 restores the files to their original state, so the software functions as it did before the removal, but without official package management tracking by tdnf.
The removal of the packages in step 3 has no impact on SGW functionality.
The packages are removed because of a dependency conflict that occurs while installing tcpdump; the conflict is avoided by uninstalling the packages as described in step 3 and reinstalling them in step 5.
For the software to be downloaded from the VMware repositories, outbound access through the firewall on port 443 to packages.vmware.com has to be allowed.
All steps have to be followed when tcpdump is installed on the SGW for the first time; for subsequent installations of tcpdump, only steps 4, 6 and 7 have to be executed.