Due to the extra resources required by the additional logging, it is recommended to follow these steps during non-business hours or when activity is not high, and also only for the period of time necessary to reproduce the issue.
- Log on to the on-premise scanner either directly or via SSH as root.
- Edit the configuration file /etc/iscan/intscan.ini as described in the KB article: Editing configuration files of Linux-based products then do the following to modify the parameter:
-
Find the parameter "verbose" in the [http] section.
This parameter appears in other sections as well, so it is important to find the right one. - Change the value of the parameter from "0" to "1" so the line looks like this: verbose=1
- Exit and save.
-
- Reload the configuration with the following command:
/etc/iscan/S99ISproxy reload
- Start a packet capture with the following command:
tcpdump -i any -s0 -w /var/tmp/tcpdump.pcap -W 5 -C 200
- "-i any" enables tcpdump to listen to any interface.
- "-s0" tells tcpdump to collect the entire packet content.
- "-W 5" tells tcpdump to store up to 5 rollover files (tcpdump.pcap0, tcpdump.pcap1 … tcpdump.pcap5, at which point it starts over).
- "-C 200" tells tcpdump to store up to 200 MB of packet data per file.
- Reproduce the issue.
- Stop the packet capture with CTRL+C.
- Stop HTTP verbose logging by:
- Changing the value of the parameter "verbose" in the [http] section of the file /etc/iscan/intscan.ini back to "0".
- Reloading the configuration afterwards (as in step 3).
- Collect the following information:
- URL and/or name of file accessed during reproduction
- Screenshots of what happens when the issue is reproduced
- All files in the folder /var/tmp/ starting with "tcpdump.pcap" using an SCP client such as WinSCP or an FTP client such as FileZilla in SFTP mode
- Open the web console for the on-premise scanner, go to System > Diagnostics, generate a diagnostics file and download it.