--
Napatech support for Symantec DLP 14.5:

Driver and operating system versions supported:
    4.26a (RHEL 6.5, 6.6, 6.7)
    4.26a, 4.26c, 4.26g (Microsoft Windows Server 2008 R2 and 2012)

---
General Information:

The Napatech NT4E family of capture cards is supported by Symantec DLP version 14.5.

Ensure that the SDRAM module included with the NT4E is properly installed in the card before installing it into the server. The card will not function without the SDRAM burst buffer memory installed.

By default, the DLP will create a single packet feed (stream) for each of the 4 gigabit ports on the NT4E. The DLP starts these packet feeds when invoked. When the DLP is shut down, these feeds should also be shut down by the DLP application. If for whatever reason the feeds do not shut down properly, use the "killfeeds" tool to shut them down. If they still do not shut down properly, then a server reboot will be required. See below for instructions on how to use the killfeeds and other Napatech tools.

---
Useful tools:

For Windows, tools are located under the "tools" folder in the Napatech driver package.
For Linux, the tools are installed in /opt/napatech/bin

Statistics: statistics is useful for checking for network activity on the Napatech ports

    > statistics -interactive

Diagnostics: the diagnostics tool can be run to check basic Napatech card functionality. Connect the ports together on the Napatech card, and run the diagnostics tool. It will send packets on all ports, and confirm that all were captured.

---
Running Wireshark to do test captures before starting DLP:

Windows:

1) Install the provided WinPcap library included with the Napatech software. The standard WinPcap will not work with the Napatech capture card. See DN-0206 2GD WinPCAP Installation Guide.pdf for more information.

2) Ensure that the DLP is not running

3) Check that there are no Napatech packet feeds running using the packetfeedstatus tool:

    > packetfeedstatus.exe -adapter 0 -feed 0
    packetfeedstatus.exe (v. 1.8.A - 2013-09-20-09-08-55)
    ==============================================================================
    >>> Error: No feed 0 exist.

4) If packet feeds exist, you can use the killfeeds tool to stop them:

    > killfeeds.exe -adapter 0
    killfeeds.exe (v. 1.8.A - 2013-09-20-09-08-55)
    ==============================================================================
    >>> Error: No feeds exist

5) Create some PCAP packet feeds that Wireshark can capture from using the provided ntpl_4feeds.ntpl file:

    > ntpltool -adapter 0 -file ntpl_4feeds.ntpl
    ntpltool (v. 1.8.A - 2013-09-20-09-08-55)
    ==============================================================================
    >>> Info: Line "DeleteFilter=All" executed successfully
    >>> Info: Line "SetupPacketFeedEngine[TimeStampFormat=PCAP;DescriptorType=PCAP;MaxLatency=1000;SegmentSize=1024;Numfeeds=4]" executed successfully
    >>> Info: Line "PacketFeedCreate[NumSegments=16;Feed=(0..3)]" executed successfully
    Returned FilterGroupID : 0x000A
    >>> Info: Line "Capture[Feed=0] = Channel==0" executed successfully
    Returned FilterGroupID : 0x000B
    >>> Info: Line "Capture[Feed=1] = Channel==1" executed successfully
    Returned FilterGroupID : 0x000C
    >>> Info: Line "Capture[Feed=2] = Channel==2" executed successfully
    Returned FilterGroupID : 0x000D
    >>> Info: Line "Capture[Feed=3] = Channel==3" executed successfully

6) Start Wireshark and attach to the desired pcap interface

7) Before starting DLP, you must stop the packet feeds that you previously created:

    > killfeeds -adapter 0
    killfeeds.exe (v. 1.8.A - 2013-09-20-09-08-55)
    ==============================================================================
    Shut down 4 existing packet feeds

Linux:

1) Install the provided libpcap library included with the Napatech software. The standard libpcap will not work with the Napatech capture card. See DN-0236 2GD LibPCAP Installation Guide.pdf for more information.

2) Ensure that the DLP is not running

3) Check that there are no Napatech packet feeds running using the packetfeedstatus tool:

    /opt/napatech/bin/PacketFeedStatus.exe -adapter 0 -feed 0
    packetfeedstatus (v. 1.8.A - 2013-09-20-09-08-55)
    ==============================================================================
    >>> Error: No feed 0 exist.

4) If packet feeds exist, you can use the killfeeds tool to stop them:

    /opt/napatech/bin/KillFeeds -adapter 0
    killfeeds (v. 1.8.A - 2013-09-20-09-08-55)
    ==============================================================================
    >>> Error: No feeds exist

5) Create some PCAP packet feeds that Wireshark can capture from using the provided ntpl_4feeds.ntpl file:

    /opt/napatech/bin/NtplTool -adapter 0 -file ntpl_4feeds.ntpl
    ntpltool (v. 1.8.A - 2013-09-20-09-08-55)
    ==============================================================================
    >>> Info: Line "DeleteFilter=All" executed successfully
    >>> Info: Line "SetupPacketFeedEngine[TimeStampFormat=PCAP;DescriptorType=PCAP;MaxLatency=1000;SegmentSize=1024;Numfeeds=4]" executed successfully
    >>> Info: Line "PacketFeedCreate[NumSegments=16;Feed=(0..3)]" executed successfully
    Returned FilterGroupID : 0x000A
    >>> Info: Line "Capture[Feed=0] = Channel==0" executed successfully
    Returned FilterGroupID : 0x000B
    >>> Info: Line "Capture[Feed=1] = Channel==1" executed successfully
    Returned FilterGroupID : 0x000C
    >>> Info: Line "Capture[Feed=2] = Channel==2" executed successfully
    Returned FilterGroupID : 0x000D
    >>> Info: Line "Capture[Feed=3] = Channel==3" executed successfully

6) Start Wireshark and attach to the desired pcap interface

7) Before starting DLP, you must stop the packet feeds that you previously created:

    /opt/napatech/bin/KillFeeds -adapter 0
    killfeeds (v. 1.8.A - 2013-09-20-09-08-55)
    ==============================================================================
    Shut down 4 existing packet feeds
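
The Linux feed shutdown and check from the steps above, as an added shell example that is not part of the Napatech or Symantec material: it stops leftover feeds and confirms feeds 0..3 are gone before DLP is started. It uses only the tool paths, options and output strings quoted in this note; the function names and the NT_BIN variable are assumptions, and nothing is assumed about the tools' exit codes.

```shell
#!/bin/sh
# Added example: pre-flight check to run before starting DLP on Linux.
# Tool names are used as this note writes them (including PacketFeedStatus.exe).
NT_BIN="${NT_BIN:-/opt/napatech/bin}"   # assumption: overridable install path

# Classify KillFeeds output: "none" (nothing was running), "killed N", or "unknown".
killfeeds_result() {
    case "$1" in
        *"Error: No feeds exist"*) echo "none" ;;
        *"Shut down "*" existing packet feeds"*)
            n=$(printf '%s\n' "$1" |
                sed -n 's/.*Shut down \([0-9][0-9]*\) existing packet feeds.*/\1/p')
            echo "killed ${n:-?}" ;;
        *) echo "unknown" ;;
    esac
}

# Succeeds when PacketFeedStatus output ($1) says feed number $2 does not exist.
feed_absent() {
    case "$1" in
        *"Error: No feed $2 exist"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stop leftover feeds on adapter $1, then confirm feeds 0..3 are gone.
preflight() {
    adapter="${1:-0}"
    out=$("$NT_BIN/KillFeeds" -adapter "$adapter" 2>&1)
    result=$(killfeeds_result "$out")
    echo "KillFeeds: $result"
    if [ "$result" = "unknown" ]; then
        echo "unexpected KillFeeds output: $out" >&2
        return 2
    fi
    for feed in 0 1 2 3; do
        st=$("$NT_BIN/PacketFeedStatus.exe" -adapter "$adapter" -feed "$feed" 2>&1)
        if ! feed_absent "$st" "$feed"; then
            echo "feed $feed still present on adapter $adapter; a reboot may be required" >&2
            return 1
        fi
    done
    echo "adapter $adapter: no packet feeds running"
}

# Runs only when an adapter number is given, e.g.: sh preflight.sh 0
if [ "$#" -gt 0 ]; then preflight "$1"; fi
```

A non-zero return from preflight means feeds are still present or the tool output was not recognised, so DLP should not be started yet.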