Passive Capture from Tealeaf captures and records the complete interaction between web application visitors and the web application environment by using a network tap or network switch spanning port.
The Passive Capture software features the following benefits:
- Introduces zero overhead, page latency, or CPU utilization to the web server
- Introduces zero risk of failure to the web application - monitored/captured traffic is not part of the active traffic
- Supports any web application environment: homogenous or mixed, packaged, or custom
- Supports encrypted (HTTPS) and non-encrypted (HTTP) traffic
- Supports deployment into the Amazon Web Services (AWS) cloud-based environment
- Reconstructs the HTTP traffic of the user experience for downstream processing of user sessions and events
To capture requests and responses of your website's traffic, the Tealeaf CX Passive Capture Application requires a high-quality data source that is provided over a reliable network.
Third-party software
The CX Passive Capture Application software installation packages include the following third-party packages:
- Apache HTTPD 2.2.19
- Expat 1.2
- LibNet 1.1.1
- LibPCAP 1.1.1
- OpenSSL 1.0.0d
- PHP 5.2.9
- TCL 8.4.x
- Tcpdump 4.1.1
- Tcpslice 2004.05.10
Some of these packages are directly used by the Tealeaf software and some are provided as tools for managing the system.
Security and administration
The CX Passive Capture Application software is highly controlled and secured. It is bound to the capture host workstation and can operate without a public interface. All administration functions can be conducted by a Secure Shell (SSH) client program.
Administer and manage your CX Passive Capture Application using the secured web console interface.
SSL Support
The CX Passive Capture Application software provides full support for SSL (HTTPS) transactions.
Note: To support SSL, a copy of the SSL private key(s) must be provided to the CX Passive Capture Application software. If there are multiple SSL Certificates, a copy of each private key is required. This enables the CX Passive Capture Application software to decrypt SSL traffic for HTTP hit content processing.
Integration with HSMs
In some environments, security restrictions at the operating system level are insufficient for management of encrypted private keys. In these environments, Tealeaf supports integrations with Hardware Security Modules.
A Hardware Security Module (HSM) provides both logical and physical protection of sensitive SSL private keys from non-authorized use and potential adversaries.
While the implementation of importing/exporting SSL private keys to the Tealeaf CX Passive Capture Application server with the HSM varies from environment to environment, the design goal of these transfers is an automated process whereby the private keys are installed securely on the HSM. HSM vendors provide solutions that address the requirements of this transfer process, usually including several supported methods for installing keys on the HSMs. There are typically implementation-specific aspects to designing the automated installation process.
In an HSM environment, the keys that are used by the Tealeaf run-time inherit the protective measures that are offered by the HSM. The key file is stored on the HSM and retains an additional layer of access control to prevent its movement.
Note: Without an HSM, SSL private keys are converted to an encrypted .ptl file format and stored in an operating system directory in a form that is usable on the same workstation only; the key is hashed in a machine-specific way.
Diffie-Hellman Cipher
Diffie-Hellman is a type of SSL key exchange cipher. It is designed so that third parties, which are systems other than the two parties at the two endpoints of a conversation, cannot decrypt the communications traffic, even when they hold the server's private key, because the session secret is derived from ephemeral values rather than transported under that key. A user session that was established with a web server by using this cipher cannot be captured by using the Tealeaf CX Passive Capture Application.
Note: Tealeaf does not support the use of the Diffie-Hellman cryptographic protocol and recommends configuring your web servers to not use it.
TLS SessionTicket Extension
This SSL protocol extension is used by some web servers to transmit encrypted traffic to the browsers that support it. The OpenSSL modules of the latest Apache web servers, and possibly other web servers, implement the TLS protocol extension for stateless session resumption defined in RFC 5077, known as the SessionTicket extension. It encrypts the SSL state information and is used only if both the client browser and the web server comply with the standard.
Note: Tealeaf CX Passive Capture Application supports the SSL SessionTicket extension (TLSv1.x) in recent builds. If you enable this extension on your web server, verify that you installed or upgraded to Build 3327 or later.
CX PCA Network Capture Traffic Requirements
The following requirements are needed for mirroring network traffic and forwarding it to the CX PCA for capture.
Network devices such as switch span ports, network taps, and load balancers are just a few of the network traffic capture points that can provide a copy of live network traffic to the Tealeaf CX Passive Capture Application. Typically, the mirrored traffic consists of the website's web server traffic.
Mirrored network traffic is considered passive in nature, as the capture NIC(s) that are used by the CX PCA do not interact with the live network traffic.
Note: The CX Passive Capture Application supports the capture of 128-bit SSL traffic. Encryption methods that use fewer encryption bits are not supported.
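The two decryption limits described above (Diffie-Hellman key exchange and bulk ciphers weaker than 128 bits) can both be read off the cipher suite names a web server is configured with. The following script is an added example, not Tealeaf or IBM code: it takes an OpenSSL-style cipher list such as the value of an Apache SSLCipherSuite directive (the sample list here is constructed) and reports, for each suite, the key exchange and the bulk-cipher key size implied by the name. Suites flagged as not passively capturable are the (EC)DHE suites, whose shared secret the server's RSA private key does not reveal, and suites with fewer than 128 bits.

```python
"""Audit a web server's cipher suite list for passive-capture compatibility.

Added example, not Tealeaf or IBM code. It reads an OpenSSL-style cipher list
(for example the value of an Apache SSLCipherSuite directive; the sample below
is constructed) and reports, for each suite, the key exchange method and the
bulk-cipher key size taken from the suite name. A passive decryptor that holds
only the server's RSA private key can decrypt RSA key-transport suites; it
cannot derive the session key of (EC)DHE suites, whose shared secret is
ephemeral. Suite names follow OpenSSL naming conventions.
"""
import re

# OpenSSL cipher-list group keywords that are not individual suites.
LIST_KEYWORDS = {"ALL", "DEFAULT", "COMPLEMENTOFDEFAULT", "HIGH", "MEDIUM", "LOW",
                 "EXPORT", "EXP", "aNULL", "eNULL", "kRSA", "kEDH", "kEECDH",
                 "RSA", "SSLv3", "TLSv1", "TLSv1.2"}


def key_exchange(suite):
    """Return the key exchange implied by an OpenSSL suite name."""
    if suite.startswith("ECDHE-"):
        return "ECDHE"          # ephemeral elliptic-curve Diffie-Hellman
    if suite.startswith(("DHE-", "EDH-")):
        return "DHE"            # ephemeral finite-field Diffie-Hellman
    if suite.startswith(("ADH-", "AECDH-")):
        return "anon-DH"        # unauthenticated Diffie-Hellman
    if suite.startswith("ECDH-"):
        return "static-ECDH"    # needs the server's static ECDH key, not its RSA key
    return "RSA"                # RSA key transport: premaster secret encrypted to the server key


def cipher_bits(suite):
    """Bulk-cipher key size read from the suite name, or None if unknown."""
    if "NULL" in suite:
        return 0
    if suite.startswith("EXP"):
        return 40               # export-grade suites
    m = re.search(r"(?:AES|CAMELLIA|ARIA)(128|256)", suite)
    if m:
        return int(m.group(1))
    if "CHACHA20" in suite:
        return 256
    if "DES-CBC3" in suite:
        return 168              # triple DES
    if "DES-CBC" in suite:
        return 56               # single DES
    if re.search(r"\b(RC4|IDEA|SEED)", suite):
        return 128
    return None


def audit(cipher_list):
    """Classify each enabled suite in an OpenSSL cipher list.

    Returns a list of dicts; 'passive_capturable' is True only for RSA
    key-transport suites with at least a 128-bit bulk cipher.
    """
    report = []
    for token in re.split(r"[:,\s]+", cipher_list.strip()):
        if not token or token[0] in "!-@":
            continue            # exclusion or ordering directive, not an enabled suite
        name = token.lstrip("+")
        if name in LIST_KEYWORDS:
            continue            # group keyword, not a concrete suite
        kx = key_exchange(name)
        bits = cipher_bits(name)
        report.append({
            "suite": name,
            "key_exchange": kx,
            "bits": bits,
            "passive_capturable": kx == "RSA" and bits is not None and bits >= 128,
        })
    return report


def not_capturable(cipher_list):
    """Names of suites a passive decryptor holding the RSA key cannot handle."""
    return [r["suite"] for r in audit(cipher_list) if not r["passive_capturable"]]


# Constructed sample: a mixed SSLCipherSuite value.
SAMPLE_CIPHER_LIST = ("ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA:"
                      "AES128-SHA:DES-CBC3-SHA:EXP-RC4-MD5:!aNULL:!MD5")

if __name__ == "__main__":
    for row in audit(SAMPLE_CIPHER_LIST):
        print(row)
    print("not passively capturable:", not_capturable(SAMPLE_CIPHER_LIST))
```

Run it against the server's actual cipher list to see which suites would produce sessions the capture cannot decrypt; the classification is by name only, so suites named in a convention other than OpenSSL's are reported with an unknown key size.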
Basic traffic requirements
For proper operation, the CX PCA requires that the mirrored network traffic is of high integrity and quality.
Any loss of critical network TCP packets can prevent the CX PCA from reassembling the TCP traffic into HTTP hits. Lost TCP packets can result in sessions with missing pages, partial pages, or both. In a worst-case scenario, the entire session can be unusable.
Confirm the following basic requirements with your network administrator:
- Traffic stream: The CX PCA requires a bidirectional traffic stream, or two unidirectional traffic streams, that contain all HTTP request and response traffic between your web application and the visitor browsers that are interacting with it.
- No errors or dropped packets: No errors, dropped packets, or overrun packets at the operating system, network interface card, and network levels.
- An ifconfig ethX command on the capture NIC must display a constant number of dropped packets or errors. If the number is increasing at a high rate, there can be problems with the fidelity of the traffic sent to the PCA, inadequate sizing of your PCA hardware for your traffic volume, or both.
- Real visitor IPs: The capture point can see the real visitor IP addresses, or the host address of the visitor's IP.
Access to the real IP address of your visitors is a valuable resource for troubleshooting purposes. For customers who use load balancers, it might not be possible to meet this requirement.
- Filtered traffic: Spanned traffic is filtered down to the essential traffic only.
Filter out as much unnecessary traffic as possible at the network level before it is delivered to the PCA. This filtering reduces the processing resources that the PCA must otherwise spend filtering out traffic itself.
- TCP persistent connections issues: To capture traffic, the PCA must see the start of all TCP connections.
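The dropped-packet check in the list above is easy to automate. The following script is an added example, not Tealeaf or IBM code: it parses the RX counters from ifconfig output (both the older "RX packets:N errors:N dropped:N" layout and the newer "RX errors N  dropped N" layout), compares two snapshots taken a known number of seconds apart, and reports the loss rate and a verdict. The snapshots embedded below are constructed; sample_live() takes real snapshots by running the ifconfig command on an interface name given on the command line.

```python
"""Check whether a capture NIC's dropped/error counters are increasing.

Added example, not Tealeaf or IBM code. It parses the RX counters from
ifconfig output (older and newer layouts), compares two samples taken some
seconds apart, and reports the loss rate. The samples below are constructed;
sample_live() reads a real interface with the ifconfig command.
"""
import re
import subprocess
import sys
import time

RX_KEYS = ("packets", "errors", "dropped", "overruns")


def parse_rx_counters(ifconfig_output):
    """Extract the RX packets/errors/dropped/overruns counters as ints."""
    counters = {}
    for key in RX_KEYS:
        # Every RX counter sits on a line that begins with "RX" in both layouts,
        # as "key:value" (older ifconfig) or "key value" (newer ifconfig).
        m = re.search(rf"RX[^\n]*?\b{key}[: ]\s*(\d+)", ifconfig_output)
        if m is None:
            raise ValueError(f"no RX {key} counter in ifconfig output")
        counters[key] = int(m.group(1))
    return counters


def assess(before, after, interval_s):
    """Compare two counter snapshots taken interval_s seconds apart.

    Returns the lost packets (errors + dropped + overruns) per second, the lost
    fraction of received packets, and a verdict: "ok" when the loss counters
    stayed constant, as the requirement demands, otherwise "warn".
    """
    lost = sum(after[k] - before[k] for k in ("errors", "dropped", "overruns"))
    received = after["packets"] - before["packets"]
    return {
        "lost": lost,
        "lost_per_s": lost / float(interval_s),
        "lost_fraction": (lost / float(received)) if received > 0 else 0.0,
        "verdict": "ok" if lost == 0 else "warn",
    }


def assess_text(before_text, after_text, interval_s):
    """Convenience wrapper taking raw ifconfig output for both samples."""
    return assess(parse_rx_counters(before_text), parse_rx_counters(after_text), interval_s)


def sample_live(iface, interval_s=10):
    """Take two live snapshots of a capture NIC and assess them (needs ifconfig)."""
    def snapshot():
        out = subprocess.run(["ifconfig", iface], capture_output=True,
                             text=True, check=True).stdout
        return parse_rx_counters(out)
    first = snapshot()
    time.sleep(interval_s)
    return assess(first, snapshot(), interval_s)


# Constructed snapshots in the older ifconfig layout, 10 seconds apart.
SAMPLE_T0 = """eth1      Link encap:Ethernet  HWaddr 00:0C:29:00:00:01
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1000000 errors:0 dropped:12 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
"""
SAMPLE_T10_HEALTHY = SAMPLE_T0.replace("RX packets:1000000", "RX packets:1500000")
SAMPLE_T10_LOSSY = SAMPLE_T0.replace(
    "RX packets:1000000 errors:0 dropped:12", "RX packets:1500000 errors:3 dropped:5009")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sample_live(sys.argv[1]))          # e.g. python3 nic_check.py eth1
    else:
        print(assess_text(SAMPLE_T0, SAMPLE_T10_HEALTHY, 10))
        print(assess_text(SAMPLE_T0, SAMPLE_T10_LOSSY, 10))
```

A non-zero loss count over a short interval on the capture NIC means the mirrored stream reaching the PCA is already incomplete, so a "warn" here should be investigated at the span port or tap and the PCA sizing before looking for missing pages in sessions.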
TCP connections
The Tealeaf CX Passive Capture Application requires you to monitor the start of all TCP connections. If TCP persistent connections are enabled, then the PCA is able to reassemble hits from in-progress connections.
Check with your IT team to see whether TCP persistent connections are enabled in the IT infrastructure. Individual TCP persistent connections can be used by multiple visitors to your web application. They can also be deployed by a load balancer such as an F5 network device, a front-end proxy such as an Akamai server, or the web server itself.
For SSL sessions, pooling SSL transactions is considered an optimization. However, pooling SSL transactions over a set of TCP persistent connections can cause issues that prevent these sessions from being decrypted. If a new SSL session is not seen, so the PCA cannot cache the SSL session ID information, then any subsequent SSL sessions that reuse the session ID cannot be decrypted.
In such an environment, connections can persist up to 24 hours, which introduces a latency in the capture of sessions when the PCA is installed, upgraded, or rebooted. Workarounds or compromise configuration settings on the source network devices might mitigate the latency period.
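The resumption problem described here, and the SessionTicket extension discussed earlier, both show up in the ClientHello of a new SSL connection: a non-empty session ID reuses state from an earlier full handshake, and a non-empty SessionTicket extension (type 35, RFC 5077) carries that state encrypted under a key the server alone holds. The following script is an added example, not Tealeaf or IBM code. It builds minimal ClientHello records as constructed test input, parses the session ID, cipher suites and SessionTicket extension out of them, and models a passive decryptor's cache: a resumption of a session whose full handshake was never observed (for instance one established before the PCA was rebooted) cannot be decrypted. The server-assigned session ID is passed in directly; a real tool would also parse the ServerHello to obtain it.

```python
"""Parse a TLS ClientHello for resumption signals and model the decryptor's view.

Added example, not Tealeaf or IBM code. build_client_hello() constructs a
minimal TLS record for testing; parse_client_hello() extracts the session ID,
the offered cipher suites and the SessionTicket extension (type 35, RFC 5077).
PassiveSessionCache models a passive decryptor that can only decrypt sessions
whose full handshake it observed. The server-assigned session ID is passed in
directly here; a real tool would parse it from the ServerHello.
"""
import struct

SESSION_TICKET_EXT = 0x0023      # TLS extension type "SessionTicket" (RFC 5077)
HANDSHAKE_RECORD = 0x16          # TLS record content type: handshake
CLIENT_HELLO = 0x01              # handshake message type: ClientHello


def build_client_hello(session_id=b"", cipher_suites=(0x002F, 0xC02F), extensions=()):
    """Assemble a TLS 1.2 ClientHello record (constructed test input, zero random)."""
    body = b"\x03\x03" + bytes(32)                       # client_version, random
    body += bytes([len(session_id)]) + session_id
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    body += struct.pack(">H", len(suites)) + suites
    body += b"\x01\x00"                                  # one compression method: null
    ext = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack(">H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE_RECORD, 0x03, 0x01]) + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return session ID, cipher suites and SessionTicket details from a ClientHello."""
    if record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                         # skip client_version and random
    sid_len = body[pos]
    session_id = body[pos + 1:pos + 1 + sid_len]
    pos += 1 + sid_len
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                 # skip compression methods
    extensions = {}
    if pos + 2 <= len(body):                             # extensions block is optional
        end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            extensions[etype] = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
    ticket = extensions.get(SESSION_TICKET_EXT)
    return {
        "session_id": session_id,
        "cipher_suites": suites,
        "offers_session_ticket": ticket is not None,     # empty extension: client supports tickets
        "presents_ticket": bool(ticket),                 # non-empty: client resumes with a ticket
    }


class PassiveSessionCache:
    """Tracks which session IDs a passive decryptor saw established from scratch."""

    def __init__(self):
        self.known = set()

    def observe(self, record, server_session_id):
        """Classify one handshake; server_session_id is the ID the ServerHello carries."""
        hello = parse_client_hello(record)
        if hello["presents_ticket"]:
            return "ticket"                  # state is inside the ticket: not decryptable
        if hello["session_id"] and hello["session_id"] == server_session_id:
            if hello["session_id"] in self.known:
                return "resumed-known"       # decryptable from cached session state
            return "resumed-unknown"         # full handshake never observed: not decryptable
        # Empty session ID, or the server declined resumption and assigned a new ID.
        self.known.add(server_session_id)
        return "full"                        # full handshake seen: decryptable with server key


if __name__ == "__main__":
    sid = bytes(range(32))                   # constructed server-assigned session ID
    cache = PassiveSessionCache()
    print(cache.observe(build_client_hello(extensions=[(SESSION_TICKET_EXT, b"")]), sid))
    print(cache.observe(build_client_hello(session_id=sid), sid))
    print(PassiveSessionCache().observe(build_client_hello(session_id=sid), sid))
```

The third call models a decryptor that started observing after the session was established: the same resumption that the first cache decrypts is undecryptable to a fresh one, which is the latency window described for long-lived pooled connections.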
Duplicate data
Each instance of the CX Passive Capture Application must feed data that is unique within Tealeaf.
Note: Duplicated data must not be intentionally passed to Tealeaf. While CX PCA is designed to filter out duplicated data, unnecessary duplicate packets in a high-volume environment can impede processing. Tealeaf supports passive failover across multiple instances of the CX Passive Capture Application.