This article applies to API Gateway Appliance running version 10.x

The following steps should be followed for installing the tcpdump application if it does not already exist on the appliance.

1. Download the compressed archive attached to this article to a workstation.
2. Upload the contents of the compressed archive to the Gateway appliance via SFTP or SCP as the ssgconfig user.
3. Log into the Gateway appliance as the ssgconfig user.
4. Select Option #3: Use a privileged shell (root).
5. Install the libpcap RPM: rpm -ivh /home/ssgconfig/libpcap-1.5.3-12.el7.x86_64.rpm
6. Install the tcpdump RPM: rpm -ivh /home/ssgconfig/tcpdump-4.9.2-4.el7_7.1.x86_64.rpm
   • Note: The /home/ssgconfig/ path may need to be adjusted to reflect the actual path the files were uploaded to on the appliance.

Once tcpdump is installed, the following command is used to run the tcpdump application: tcpdump -s 0 -i any -w /home/ssgconfig/<case#>.cap

• The -s option specifies where the packet capture will start. This should always be "0."
• The -w option specifies where the packet capture will be written to on the file system.
• The -i option specifies an interface to perform a capture against. Valid options would be (but are not limited to): eth0, eth1, eth2, lo, or any
•  The tcpdump application supports a wide array of options that are documented in the application's documentation or its formal manual page on the Gateway appliance. A cross-platform application exists to interpret and display packet captures in a human-readable format. Wireshark can be used to view the output from tcpdump.
•  

If required for security policies, the RPMs should be uninstalled after the data has been captured and analyzed. Otherwise, it can be useful to leave them installed as it can save a lot of time in the future when it may be necessary again to capture network traffic.

The RPMs can be removed using the command: rpm -e <package-name>