IBM QRadar

IBM QRadar

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only

  • 1.  Issue after QRadar 7.5.0UP6 upgrade | tcpdump - illegal instruction (core dumped)

    Posted Sat July 08, 2023 04:30 AM

    Hi community,

    does anyone else hit this issue regarding to tcpdump commands? It doesn't matter which tcpdump command i'll use...

    Regards,

    Ralph



    ------------------------------
    Ralph Belfiore
    SIEM Expert
    pro4bizz GmbH
    Karlsruhe
    +4972190981727
    ------------------------------


  • 2.  RE: Issue after QRadar 7.5.0UP6 upgrade | tcpdump - illegal instruction (core dumped)

    Posted Mon July 10, 2023 04:15 AM
    Edited by Prabir Meher Mon July 10, 2023 04:45 AM

    It seems there is a change in the libpcap library because of which this might be happening.  This needs to be reported.  Have you opened up a support case?



    ------------------------------
    Prabir Meher
    ------------------------------

    Original Message


  • 3.  RE: Issue after QRadar 7.5.0UP6 upgrade | tcpdump - illegal instruction (core dumped)

    Posted Mon July 10, 2023 05:11 AM

    Hi Prabir,

    yes, a support case exists..

    Regards,

    Ralph



    ------------------------------
    Ralph Belfiore
    SIEM Expert
    pro4bizz GmbH
    Karlsruhe
    +4972190981727
    ------------------------------

    Original Message


  • 4.  RE: Issue after QRadar 7.5.0UP6 upgrade | tcpdump - illegal instruction (core dumped)

    Posted Mon July 10, 2023 10:07 AM

    Hello Ralph,

    On my side, on 3 VMs labs machine upgraded from 7.5.0.5 to 7.5.0.6 (I did not apply the Interim Fix 1)

    • On the Console : OK
    • On AppHost : OK
    • On QNI Host : OK

    Using tcpdump -D for showing interface.

    Is FIPS enabled on your machine ?

    I got another problem on install related to disk space with the 7.5.0.6 upgrade during the check part (Confusion on the installer with Kb and KB).

    Regards,

    Zoldax



    ------------------------------
    @zoldax

    https://www.youracclaim.com/users/pascal-weber.029e134d/badges
    ------------------------------

    Original Message


  • 5.  RE: Issue after QRadar 7.5.0UP6 upgrade | tcpdump - illegal instruction (core dumped)

    Posted Tue July 11, 2023 02:42 AM

    The issue with libpcap relates to the presence or absence of the AVX2 capability Intel first introduced in their CPUs 10 years ago. There are presently issues when running on CPUs without this feature. 



    ------------------------------
    Dale Bowie
    QRadar NDR Architect
    IBM
    ------------------------------

    Original Message


  • 6.  RE: Issue after QRadar 7.5.0UP6 upgrade | tcpdump - illegal instruction (core dumped)

    Posted Tue July 11, 2023 10:00 AM

    Hi Dale,

    thanks for this details.

    How would you rate that? How long will it take for a fix to be available?

    Regards,

    Ralph



    ------------------------------
    Ralph Belfiore
    SIEM Expert
    pro4bizz GmbH
    Karlsruhe
    +4972190981727
    ------------------------------

    Original Message


  • 7.  RE: Issue after QRadar 7.5.0UP6 upgrade | tcpdump - illegal instruction (core dumped)

    Posted Wed July 12, 2023 07:34 PM

    Hi Ralph, 

    I know you've been in contact with support, but I just want to circle back around here for the visibility of others.

    A fix for this will be included within UP7. For anyone that is affected by this, please reach out to support who can provide an early copy of an RPM that can be applied to UP6 and address the problem. 



    ------------------------------
    Dale Bowie
    QRadar NDR Architect
    IBM
    ------------------------------

    Original Message


Related Content