Original Message:
Sent: Tue August 15, 2023 11:59 AM
From: Sachin Marawar
Subject: Looking Info for P-CAP vs K-TAP collection mechanism
No Akash,
Windows and Unix operating systems are very different; hence some parameters in guard_tap.ini won't necessarily be applicable to both OS S-TAPs.
Coming over to the actual question: WINSTAP does not utilize pcap parameters in the guard_tap.ini; it is completely different and relies on libraries and drivers from the Windows OS.
------------------------------
Sachin Marawar
Original Message:
Sent: Tue August 15, 2023 09:04 AM
From: Akash Parmar
Subject: Looking Info for P-CAP vs K-TAP collection mechanism
Thank you Sachin for the clarification. So, PCAP will be the default and only monitoring mechanism for the Windows platform, is that correct...?
------------------------------
Akash Parmar
Original Message:
Sent: Mon July 24, 2023 10:06 AM
From: Sachin Marawar
Subject: Looking Info for P-CAP vs K-TAP collection mechanism
Hey Akash,
PCAP won't help you with the shared memory traffic capture like ktap does.
====
PCAP is a packet-capturing mechanism that listens to network traffic from and to a database server. In a UNIX environment, since the K-TAP captures all network traffic, PCAP is rarely used. PCAP is used to capture local TCP/IP traffic on the device.
Restriction:
- PCAP only works on ports (no shared memory, and so on).
The PCAP uses the client IP/mask values for all local inspection engines to determine what to monitor and report. A PCAP that is installed with an S-TAP with multiple inspection engines that have different client IP/mask values, captures traffic from all clients that are defined in all inspection engines. The PCAP might be processing and sending more information to the Guardium system than you intend.
====
Doc Reference: https://www.ibm.com/docs/en/guardium/11.5?topic=functionality-linux-unix-s-tap-monitoring-mechanisms
------------------------------
Sachin Marawar
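The doc excerpt above makes two points a practitioner should be able to check: PCAP only sees port-based (TCP/IP) traffic, so shared-memory connections are invisible to it, and PCAP filters clients by the union of every local inspection engine's client IP/mask, so it can capture traffic that no single engine would have matched on its own. The Python below is an added example, not code from this thread or from IBM Guardium; the ini layout is a constructed approximation of guard_tap.ini inspection-engine sections (section and key names are assumptions), and the port-range filter applied to PCAP is likewise an assumption made for the example.

```python
import configparser
import ipaddress

# Constructed sample, loosely modelled on guard_tap.ini inspection-engine
# sections. Section and key names are assumptions for this example, not the
# real file format.
SAMPLE_INI = """\
[DB_0]
db_type=oracle
port_range=1521-1521
client_ip=10.10.0.0
client_mask=255.255.255.0

[DB_1]
db_type=db2
port_range=50000-50000
client_ip=192.168.5.0
client_mask=255.255.0.0

[DB_2]
db_type=postgresql
port_range=5432-5432
client_ip=10.10.0.0
client_mask=255.255.0.0
"""


def load_engines(ini_text):
    """Parse inspection-engine sections into a client network plus port range."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    engines = []
    for name in cp.sections():
        if not name.startswith("DB_"):
            continue
        sec = cp[name]
        # strict=False lets a mask wider than the host bits (192.168.5.0/16)
        # collapse to its network address, which is what an IP/mask pair means.
        net = ipaddress.ip_network(
            f"{sec['client_ip']}/{sec['client_mask']}", strict=False)
        lo, hi = (int(p) for p in sec["port_range"].split("-"))
        engines.append({"name": name, "db_type": sec["db_type"],
                        "clients": net, "ports": range(lo, hi + 1)})
    return engines


def pcap_client_scope(engines):
    """PCAP's effective client filter: the union of every engine's IP/mask."""
    return list(ipaddress.collapse_addresses([e["clients"] for e in engines]))


def engines_matching(engines, client_ip, server_port):
    """Engines whose own client scope AND port range cover this connection."""
    ip = ipaddress.ip_address(client_ip)
    return [e["name"] for e in engines
            if ip in e["clients"] and server_port in e["ports"]]


def pcap_captures(engines, transport, client_ip=None, server_port=None):
    """Would PCAP pick this connection up? Returns (captured, reason)."""
    if transport != "tcp":
        # Restriction from the docs: PCAP only works on ports.
        return False, f"{transport} is not port-based; PCAP only sees TCP/IP"
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in net for net in pcap_client_scope(engines)):
        return False, "client outside every engine's IP/mask"
    # Assumption for this example: PCAP also limits itself to configured ports.
    if not any(server_port in e["ports"] for e in engines):
        return False, "port not configured on any engine"
    matched = engines_matching(engines, client_ip, server_port)
    if matched:
        return True, f"captured; matches {', '.join(matched)}"
    # Captured by PCAP although no single engine's client scope covers it:
    # this is the "more information than you intend" case from the docs.
    return True, "captured, but no single engine covers this client (over-capture)"


if __name__ == "__main__":
    eng = load_engines(SAMPLE_INI)
    print("PCAP client scope:", [str(n) for n in pcap_client_scope(eng)])
    for args in (("shared_memory",),
                 ("tcp", "192.168.77.4", 1521),
                 ("tcp", "10.10.3.9", 5432),
                 ("tcp", "172.16.1.1", 1521)):
        print(args, "->", pcap_captures(eng, *args))
```

Running it shows the two engines on 10.10.0.0 collapsing into a single /16 for PCAP, a client from the DB2 engine's 192.168.0.0/16 range being captured on the Oracle port even though the Oracle engine's own scope is only 10.10.0.0/24, and a shared-memory connection rejected outright.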
Original Message:
Sent: Sun July 23, 2023 04:17 AM
From: Akash Parmar
Subject: Looking Info for P-CAP vs K-TAP collection mechanism
Hello Seniors, Good Day!
I am looking for details of the P-CAP vs K-TAP collection mechanism. If, during the installation process, K-TAP fails to load properly, possibly caused by hardware or software incompatibility, P-CAP is installed as the default collection mechanism.
So, can P-CAP collect the traffic from a server where we do not have any compatible K-TAP module? Is there any limitation of P-CAP on RHEL 8.8?
FYI - the new kernel is 4.18.0-477.13.1.el8_8. Thanks much!
------------------------------
Sincerely,
Akash Parmar
------------------------------