
API Gateway: Using tcpdump to debug network traffic on the Gateway


Article ID: 9563

Products

STARTER PACK-7 CA Rapid App Security CA API Gateway

Issue/Introduction

This article discusses installing and using tcpdump on the API Gateway and how it can be used to troubleshoot network-related concerns from the API Gateway point of view.

At times, it is necessary to capture network traffic received by and sent from the Gateway appliance. The Gateway appliance does not come with the necessary packages to do this by default. This article describes the steps required to install the necessary RPMs and a basic command that can be used to generate a packet capture.

Environment

This article applies to API Gateway Appliance running version 10.0 and higher.

Resolution

The following steps should be followed for installing the tcpdump application if it does not already exist on the appliance.

  1. Download the compressed archive attached to this article to a workstation.
  2. Upload the contents of the compressed archive to the Gateway appliance via SFTP or SCP as the ssgconfig user.
  3. Log into the Gateway appliance as the ssgconfig user.
  4. Select Option #3: Use a privileged shell (root).
  5. Install the libpcap RPM: rpm -ivh /home/ssgconfig/libpcap-1.5.3-12.el7.x86_64.rpm
  6. Install the tcpdump RPM: rpm -ivh /home/ssgconfig/tcpdump-4.9.2-4.el7_7.1.x86_64.rpm
    • Note: The /home/ssgconfig/ path may need to be adjusted to reflect the actual path the files were uploaded to on the appliance.

Once tcpdump is installed, the following command is used to run the tcpdump application: tcpdump -s 0 -i any -w /home/ssgconfig/<case#>.cap

  • The -s option sets the snapshot length, the number of bytes captured from each packet. A value of "0" captures every packet in full, so this should always be "0."
  • The -w option specifies where the packet capture will be written to on the file system.
  • The -i option specifies an interface to perform a capture against. Valid options would be (but are not limited to): eth0, eth1, eth2, lo, or any.
  • The tcpdump application supports a wide array of options that are documented in the application's documentation or its formal manual page on the Gateway appliance. Wireshark, a cross-platform application for interpreting and displaying packet captures in a human-readable format, can be used to view the output from tcpdump.
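Added example (not part of the original article): a small POSIX sh wrapper around the capture command above that checks tcpdump is installed and validates the case number and interface before anything runs in the privileged shell, with an optional BPF filter. The CAPTURE_DIR variable, the function names and the 'port 8443' filter are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Wraps the article's command
#   tcpdump -s 0 -i any -w /home/ssgconfig/<case#>.cap
# Assumptions: tcpdump installed as described above; captures are written
# under CAPTURE_DIR so the ssgconfig user can copy them off via SCP/SFTP.

CAPTURE_DIR="${CAPTURE_DIR:-/home/ssgconfig}"

# The case number becomes a file name, so allow only [A-Za-z0-9_-]
# (no spaces, slashes or shell metacharacters).
valid_case_id() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# "any" is always accepted; a named interface must exist on the appliance.
valid_interface() {
    [ "$1" = any ] && return 0
    [ -d "/sys/class/net/$1" ]
}

# Print the exact command line that run_capture would execute.
# Usage: build_capture_cmd <case#> <interface> [bpf-filter]
build_capture_cmd() {
    case_id=$1; iface=$2; filter=$3
    valid_case_id "$case_id" || { echo "bad case id: $case_id" >&2; return 1; }
    valid_interface "$iface" || { echo "no such interface: $iface" >&2; return 1; }
    printf 'tcpdump -s 0 -i %s -w %s/%s.cap' "$iface" "$CAPTURE_DIR" "$case_id"
    [ -n "$filter" ] && printf ' %s' "$filter"
    printf '\n'
}

# Validate, show the command, then run it (needs the root shell, option #3).
# $filter is deliberately unquoted so a BPF expression like 'port 8443'
# is passed to tcpdump as separate words.
run_capture() {
    command -v tcpdump >/dev/null 2>&1 || {
        echo "tcpdump is not installed; install the RPMs first" >&2; return 1; }
    cmd=$(build_capture_cmd "$@") || return 1
    echo "running: $cmd"
    tcpdump -s 0 -i "$2" -w "$CAPTURE_DIR/$1.cap" $3
}
```

Stop the capture with Ctrl-C once the problem has been reproduced; the .cap file can then be opened in Wireshark.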

Additional Information

If required for security policies, the RPMs should be uninstalled after the data has been captured and analyzed. Otherwise, it can be useful to leave them installed as it can save a lot of time in the future when it may be necessary again to capture network traffic.

The RPMs can be removed using the command: rpm -e <package-name>

Attachments

1663238559450__TCPDump.zip