8 Using Host Monitor

Learn how to use Host Monitor.

8.1 About Host Monitoring

Learn about Host Monitoring.

Database Firewall can be used to monitor and analyze the SQL traffic to the database. Database Firewall can be configured in the following deployment modes:

  • Monitoring / Blocking (Proxy)
  • Monitoring (Out-of-Band)
  • Monitoring (Host Monitor)

Host Monitor can monitor SQL traffic of multiple databases running on a single Agent machine. Monitoring (Host Monitor) deployment mode requires a Host Monitor Agent to be deployed on the Agent machine. The Host Monitor Agent can be configured to capture traffic on ports that the database is listening.

This deployment mode provides the ability to monitor SQL traffic by the Host Monitor Agent that is deployed on the Agent machine and if there are multiple network paths from the clients to the Agent machine.

After the Host Monitor Agent is deployed and configured on the Agent machine, it performs the following actions:

  • Captures traffic on ports that the database is listening
  • Forwards the traffic securely to Database Firewall

8.2 Installing and Enabling Host Monitor

Learn about installing and enabling Host Monitor.

Host Monitor can monitor SQL traffic to databases on a database server. Installing and enabling Host Monitor involves:

  1. Deploying Host Monitor Agent on all the database servers where the database is running.
  2. Register the target.
  3. Creating a Database Firewall monitoring point in Monitoring (Host Monitor) mode.
  4. Configuring a NETWORK audit trail for the monitored target.

Note:

  • Host Monitor is supported on Linux, Solaris, AIX, and Windows platforms, and can monitor any database supported by the Database Firewall. See Table C-1 for supported databases.
  • Host Monitor Agent supports link type Solaris IPNET on Oracle Solaris SPARC64 and x86-64.
  • Host Monitor Agent supports Ethernet (EN10MB) link type for all supported platforms.
  • Host Monitor does not capture the traffic from Oracle Database's Bequeath connections.

8.2.1 Host Monitor Requirements

Learn about Host Monitor requirements.

Requirements for installing Host Monitor on Windows platform:

  1. Ensure Audit Vault Agent is running on the database server.
  2. Note and follow Npcap installation details:

    • For Oracle AVDF release 20.6 and later, Npcap is automatically installed along with the Agent installation. Installing Npcap removes any existing installation of Npcap or WinPcap from the Windows host machine.

    • For Oracle AVDF release 20.5, Npcap is automatically downloaded along with the Agent software (agent.jar) file. The Npcap installer file is available under Agent_Home\hm directory.

    • For Oracle AVDF release 20.4 and earlier, install Npcap that is available in the avdf20-utility.zip bundle in Oracle Software Delivery Cloud. It is part of the Oracle Audit Vault and Database Firewall installable files. Ensure to install Npcap in WinPcap-API-compatible mode.

  3. Install the latest version of OpenSSL (1.1.1g or higher) libraries.
  4. Ensure the Windows target machine has the latest update of Visual C++ Redistributable for Visual Studio 2015 (MSVCRT.dll (*) or later) package from Microsoft installed.

Requirements for installing Host Monitor on Linux/Unix/AIX/Solaris platforms:

  1. Ensure Audit Vault Agent is running on the database server.
  2. Ensure the latest version of the following packages from the OS vendor for the specific OS version are installed on the database server:

    • Libcap (for Linux hosts only)
    • LibPcap
    • OpenSSL
  3. Ensure gmake is installed for AIX database servers. For other Unix database server types (Linux/Unix/Solaris), ensure make is installed. This is required for Host Monitor to run successfully.
  4. In case network firewall is present, allow communication on port range 2050 - 5200. This is required for communication in between the database server and the Database Firewall.
  5. Ensure the Input Output Completion Ports (IOCP) is set to available for IBM AIX on Power Systems (64-bit). It is set to defined by default.
  6. Check directory permissions. All the directories in the path of the Host Monitor install location should have 755 as the permission bits starting from the root directory. This is required as the Host Monitor has to be installed in a root owned location.
  7. Host Monitor has to be installed by the root user.

General requirement for installing Host Monitor: Open port range 2050 - 5200 on the Database Firewall machine for communication.

See Also:

Enabling and Using Host Monitoring for host monitoring instructions and prerequisites.

8.2.2 Validation During Host Monitor Agent Deployment

Learn about validations performed by Oracle AVDF when deploying the Host Monitor Agent.

Starting Oracle AVDF release 20.6, the following validations performed on the Linux/Unix/AIX/Solaris platforms when deploying the Host Monitor Agent. These requirements are mandatory and have to be complied without which the Host Monitor Agent installation cannot be completed.

  • The Host Monitor Agent is being installed as root user.
  • If Host Monitor process is already running on the host machine.
  • If the Input Output Completion Ports (IOCP) is set to available for IBM AIX on Power Systems (64-bit).
  • If gmake is installed for AIX database servers. For other Unix database server types (Linux/Unix/Solaris), check if make is installed.
  • If symlinks of libssl, libcrypto, libnsl libraries are present. In case of Linux checks for additional symlink libaio is performed.

8.2.3 Register the Host Machine That Will Run the Host Monitor

Learn how to register the host machine (or database server) that runs the Host Monitor.

To register a host in the Audit Vault Server, see Registering Hosts on Audit Vault Server.

8.2.4 Deploy the Audit Vault Agent and the Host Monitor

Learn how to deploy the Audit Vault Agent and the Host Monitor.

8.2.4.1 Deploying the Agent and Host Monitor on Windows Host Machine

Learn how to deploy Host Monitor on Windows platform.

Oracle Audit Vault and Database Firewall 20 supports Host Monitoring on Windows. This section contains the necessary details to be followed before upgrading from an older release in Oracle AVDF 12.2 or for a fresh installation of 20.

Details for Installing OpenSSL

OpenSSL 1.1.1g or a higher version must be installed on the Windows host machine.

Note:

While installing OpenSSL on Windows machine, you are prompted to choose a location to copy the OpenSSL DLLs as an additional configuration step. It is recommended that you choose the Windows System Directory option, as this location is added to the Path environment variable on Windows machine by default. Else, if you choose the OpenSSL bin directory option, then ensure the location is added to the Path environment variable.

Follow these steps to change environment variables after installing OpenSSL:

  1. In the Windows host machine, navigate to Control Panel.
  2. Click System, and then click Advanced system settings.
  3. In the Advanced tab, click on Environment Variables button.
  4. The Environment Variables dialog is displayed. In the System variables box, select Path under the Variable column.
  5. Click Edit button. The Edit environment variable dialog is displayed.
  6. Add the location of the OpenSSL bin directory at the beginning of the Path variable.

  7. Click OK to save the changes, and then exit all the dialogs.

Installing Npcap (for Fresh Installation of Host Monitor)

Note:

For Oracle AVDF release 20.6 and later, Npcap is automatically installed along with the Agent installation. Installing Npcap removes any existing installation of Npcap or WinPcap from the Windows host machine. The following steps are not required for release 20.6 and later.

Host Monitoring on Windows functionality requires Npcap. Follow these steps to install Npcap for a fresh installation of Host Monitor in release 20:

  1. Log in to Oracle Software Delivery Cloud.
  2. Note and follow Npcap manual installation details:

    • For Oracle AVDF release 20.5 and later, Npcap is automatically downloaded along with the Agent software (agent.jar) file. The Npcap installer file is available under Agent_Home\hm directory.

    • For Oracle AVDF release 20.4 and earlier, install Npcap that is available in the avdf20-utility.zip bundle in Oracle Software Delivery Cloud. It is part of the Oracle Audit Vault and Database Firewall installable files. Ensure to install Npcap in WinPcap-API-compatible mode.

  3. Install Npcap. For Oracle AVDF releases 20.5 and earlier, complete the Npcap installation on the Windows host machine. Ensure to install in WinPcap-API-compatible mode. Installing Npcap in WinPcap API compatible mode removes any existing installation of WinPcap from the Windows machine.

Installing Npcap (Upgrade from Oracle AVDF release 20.4 (or earlier) to 20.5 (and later))

Host Monitoring on Windows functionality requires Npcap. Follow these steps to uninstall and reinstall the recent and updated Npcap version:

  1. Log in to Oracle Software Delivery Cloud.
  2. Reinstall Npcap that is available in the avdf20-utility.zip bundle in Oracle Software Delivery Cloud. It is part of the Oracle Audit Vault and Database Firewall installable files. Ensure to reinstall Npcap in WinPcap-API-compatible mode.
  3. Complete the Npcap installation on the Windows host machine. Ensure to install in WinPcap-API-compatible mode. Installing Npcap in WinPcap API compatible mode removes any existing installation of Npcap or WinPcap from the Windows machine.

Installing Npcap (Upgrade from Oracle AVDF release 12.2 BP9 or BP10 to 20.1 (or later))

Host Monitoring on Windows functionality requires Npcap. Follow these steps to continue using Host Monitor on Windows from 12.2.0.9.0 or 12.2.0.10.0, before upgrading to Oracle Audit Vault and Database Firewall release 20:

  1. Stop the Audit Vault Agent running on the Windows host machine.
  2. Log in to 12.2 Audit Vault Server console as administrator.
  3. Verify the audit trails and the Audit Vault Agent are in STOPPED state.
  4. Log in to My Oracle Support, and download Npcap that is available with Oracle AVDF release 20 upgrade files.
  5. Complete the Npcap installation on the Windows host machine. Ensure to install in WinPcap-API-compatible mode.

    Note:

    Installing Npcap in WinPcap API compatible mode removes any existing installation of WinPcap from the Windows machine.
  6. Follow verification steps below to ensure Npcap installation is completed successfully.
  7. Restart the Audit Vault Agent on the Windows host machine.
  8. Start the network trails using the Audit Vault Server console.
  9. The Host Monitor is now powered by Npcap during runtime. Verify the network trail collection.
  10. Proceed with the appliance upgrade.

Note:

  • Ensure the audit trails and the Audit Vault Agent are in STOPPED state, before installing Npcap. Else, an error may be encountered.
  • Do not delete the DLL files as they are created newly by Npcap installation.
  • On Windows the Host Monitor is installed by the Audit Vault Agent. There are no separate Host Monitor installable bundle available for download in the Audit Vault Server console. There is no separate action required for installing Host Monitor on Windows.

Verification of Npcap Installation

Follow these steps after installing or upgrading Npcap:

  1. In addition to the Windows System directory, Npcap copies the DLL files to the Npcap sub-directory inside the Windows System directory. Do not remove the DLL files from the Windows System directory.

    Note:

    Installing Npcap in WinPcap API compatible mode, adds the Npcap DLL files to the Windows System directory which is already there in the system Path environment variable.
  2. Add the Npcap sub directory inside the Windows System directory to the Path environment variable, by following the steps below:

    1. Navigate to Control Panel.
    2. Click System, and then click Advanced system settings.
    3. In the Advanced tab, click on Environment Variables button.
    4. The Environment Variables dialog is displayed. In the System variables box, select Path under the Variable column.
    5. Click Edit button. The Edit environment variable dialog is displayed.
    6. Add the location of the Npcap DLL files at the beginning of the Path variable. For example: C:\Windows\System32\Npcap
    7. Click OK to save the changes, and then exit all the dialogs.
  3. Confirm the changes in the Path environment variable.
8.2.4.2 Deploying the Agent and Host Monitor on Unix Host Machine

Learn about deploying the Audit Vault Agent and Host Monitor on Unix hosts.

  1. Before you install the Host Monitor, ensure you have deployed the Audit Vault Agent.
  2. Log in as root and identify a root-owned directory on the local hard disk, such as /usr/local, where you will install the Host Monitor.

    Note: The entire directory hierarchy must be root-owned. All the directories in this hierarchy must have read and execute permission for other users or groups, but not write permission.

  3. Log in to the Audit Vault Server console as an administrator.
  4. Click the Agents tab.
  5. In the left navigation menu:
  6. On the page listing the agent software, click the Download button corresponding to your Unix version, and then save the .zip file to the root-owned directory (on the local hard disk) you identified in Step 2, for example /usr/local.
  7. As root user, unzip the Host Monitor file.

    This creates a directory named hm. This is your HM_Home directory, which in this example is /usr/local/hm.

  8. Ensure that the hostmonsetup file (in the hm directory) has execute permission.
  9. Run the following command:
    HM_Home/hostmonsetup install [agentuser=Agent_Username] [agentgroup=Agent_Group]
    
    • HM_Home - The directory created in Step 7.

    • Agent_Username - (Optional) Enter the username of the user who installed the Audit Vault Agent (the user who executed the java -jar agent.jar command).

    • Agent_Group - (Optional) Enter the group to which the Agent_Username belongs.

8.2.5 Create a Target for the Host Monitored Database

Learn how to create a target for the Host Monitor.

8.2.6 Create a Monitoring Point for the Host Monitor

Learn how to create a monitoring point for Host Monitor deployment.

A monitoring point is a logical entity on the Database Firewall host that contains the configuration and rules defined for monitoring the traffic received.

  1. Log in to the Audit Vault Server console as an administrator.
  2. Click the Targets tab.

    The Targets tab in the left navigation menu is selected by default.

  3. Select and click on a specific target from the list.
  4. From the Database Firewall Monitoring section on the main page, click on Add. The Database Firewall Monitor dialog is displayed.
  5. In the Basic tab (for 20.3 or later the name of the tab is Core), enter the name for the Database Firewall instance or select one from the list.
  6. Select Monitoring (Host Monitor) as the deployment type from the list. In this mode, the Database Firewall can only monitor the SQL traffic.
  7. Choose a Network Interface Card for the Database Firewall host from the list.

    Note:

    • For Oracle AVDF 20.2 and earlier, it is recommended to select a network interface card that is not used as a Management Interface. This segregates the traffic from Host Monitor to the Database Firewall and the traffic from the Database Firewall to Audit Vault Server.
    • For Oracle AVDF release 20.3 and later, you must select a network interface card which has an IP address configured. All the network interface cards which have an IP address configured are displayed in the Network Interface Card list. It is recommended to select a network interface card that is not used as a Management Interface. This segregates the traffic from Host Monitor to the Database Firewall and the traffic from the Database Firewall to Audit Vault Server.
  8. In the Connection Details section, select one or more targets for which the traffic needs to be monitored. You can Add the targets from the list.

    Note:

    For Oracle RAC, enter the IP address of the individual RAC node in the Target Connections field.

    Enter the following information for each available connection of the database. Click the Add button to add more targets and enter the following fields:

    • Host Name / IP Address
    • Port
    • Service Name (Optional, for Oracle Database only). SID can be used in this field. To enter multiple service names and/or SIDs, enter a new line for each of them, and then click Add. Multiple entries are allowed for monitoring only mode. To enforce different Database Firewall policies for different service names or SIDs on the same database, create a separate target and a monitoring point for each service name or SID.

    Note:

    Starting with Oracle AVDF release 20.7, for Linux hosts with multiple network devices, add a row for every network device from which the database traffic is expected to arrive.
  9. Click the Advanced tab, enter the number of Database Firewall Monitor Threads (minimum value is 1). This controls the number of traffic handling threads in the Database Firewall monitoring point. The default value is 1. This value can be increased when high transactions are reported (per second traffic) and packet dropped messages are reported in the /var/log/messages file. Contact Oracle Support while changing this number.
  10. Select the check box for Decrypt With Network Native Encryption Key field only for Oracle Database targets. This is for enabling decryption of traffic if the database is using Oracle Native encryption. Decrypt with network native encryption key option also supports retrieval of session information for Oracle Database. Complete the remaining fields as applicable.

    For Oracle standalone database targets, enter the IP address of the database listener in the IP Address field.

    For other database types (non Oracle) the field is Retrieve session information from target DB. Select this field to retrieve session information such as OS User Name, DB User Name, client application name, and IP address from the target database.

    Note:

    Ensure the Database Firewall is allowed to make a network connection to the above mentioned database.
  11. Click Save at the bottom of the dialog to save the configuration of the monitoring point.

    The new monitoring point appears in the list and starts automatically.

    Note:

    Default Database Firewall Policy will be applied for this Database Firewall Monitoring Point. This message is displayed at the bottom of the dialog.
  12. Click Save in the main page.
  13. To stop or restart the monitoring point, select it from the Database Firewall Monitoring section and click Stop or Start.

8.2.7 Create a Network Audit Trail

Learn how to create network audit trails.

Create an audit trail for each target you are monitoring with a Host Monitor. Specify NETWORK for the Audit Trail Type.

Note:

Ensure the collection attribute network_device_name_for_hostmonitor is mandatorily configured for the targets which are monitored by Host Monitor. The name of the network interface card is the attribute value. The network interface card receives all the network traffic of the target database.

Linux/AIX/Solaris hosts

Follow these steps to determine the value of the network_device_name_for_hostmonitor collection attribute:

  1. Determine the IP address on which the target database is configured to accept TCP traffic. Make a note of the IP address.

  2. Run the following command to list the network device details present in the database server:

    ifconfig -a
  3. From the output displayed, search for the IP address that was noted in the initial step. The corresponding name of the network card is the value of the collection attribute network_device_name_for_hostmonitor.

    Consider the example scenario mentioned below. The values in your system may be different.

    1. IP address of the target database: 192.0.2.10

    2. Output of ifconfig -a:

      eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500

      inet 192.0.2.10 netmask 255.255.255.255 broadcast 192.0.2.11

    3. The device name is eth0.

Note:

Starting with Oracle AVDF release 20.7, in case there are multiple network devices from which the database traffic is expected to arrive, then set the value of the attribute network_device_for_hostmonitor to any.

Windows hosts

Follow these steps to determine the value of the network_device_name_for_hostmonitor collection attribute:

  1. Determine the IP address on which the target database is configured to accept TCP traffic. Make a note of the IP address.
  2. Run the following command to list the network device details present in the database server:
    ipconfig /all

    Note:

    This command displays the physical address, IPv4 Address, and other details for every device.
  3. From the output displayed, search for the device which has an IPv4 Address that was noted in the initial step. Make a note of the corresponding physical address.
  4. Run the following command:
    getmac
  5. Make a note of the device name against the physical address determined previously. Observe the device name being displayed in the following format:
    \Device\Tcpip_{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
  6. Copy the device name to use as the collection attribute value by replacing Tcpip with NPF. Hence for a network card with the name \Device\Tcpip_{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} the attribute value to be used is \Device\NPF_{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}.

    Consider the example scenario mentioned below. The values in your system may be different.

    1. IP address of the target database: 192.0.2.24
    2. Output of ipconfig /all:

      Ethernet adapter Ethernet 2:

      Connection-specific DNS Suffix . : foobar.example.com

      Physical Address. . . . . . . . . : 00-00-5E-00-53-12

      IPv4 Address. . . . . . . . . . . : 192.0.2.24

    3. Output of getmac command:

      Physical Address Transport Name

      00-00-5E-00-53-10 \Device\Tcpip_{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx10}

      00-00-5E-00-53-11 \Device\Tcpip_{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx11}

      00-00-5E-00-53-12 \Device\Tcpip_{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx12}

      In this example, the IP address is 192.0.2.24 corresponding to physical address 00-00-5E-00-53-12. Hence, the device name is \Device\Tcpip_{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx12}.

      Attribute value to be used is \Device\NPF_{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx12}.

    Note:

    This does not involve changing the network device name at a system level.

8.3 Starting, Stopping, and Other Host Monitor Operations

Learn about starting, stopping, and other host monitor operations.

8.3.1 Starting the Host Monitor

Learn how to start the host monitor.

Starting the host monitor consists of starting collection for the NETWORK audit trail on the host you are monitoring.

To start the host monitor from the Audit Vault Server console:

  1. Log in to the Audit Vault Server console as an administrator.
  2. Start the audit trail(s) you created for host monitoring in Create a Network Audit Trail.

8.3.2 Stopping the Host Monitor

Learn how to stop the host monitor.

To stop the host monitor, stop the audit trail you created for the target that is being monitored. See "Stopping, Starting, and Autostart of Audit Trails in Oracle Audit Vault Server".

8.3.3 Changing the Logging Level for a Host Monitor

Learn about changing the logging level for host monitors.

8.3.4 Viewing Host Monitor Status and Details

Learn how to view the host monitor status and details.

You can view whether a host monitor is installed, and information such as its location, version, update time, and other details.

To view host monitor status and details:

  1. Log in to the Audit Vault Server console as an auditor.
  2. Click the Agents tab.
  3. In the left navigation menu, select Agent Hosts.
  4. In the page that appears, check the Host Monitor Status and the Host Monitor Details columns for the host you are interested in.

8.3.5 Checking the Status of a Host Monitor Audit Trail

Learn how to check the status of a host monitor audit trail.

  1. Log in to the Audit Vault Server console as an auditor.
  2. Click the Targets tab, and then from the left navigation menu, select Audit Trails.
  3. In the status page that appears, in the Audit Trail Type column, search for audit trails of type NETWORK to find audit trails for host monitors.

8.3.6 Uninstalling the Host Monitor (Unix Hosts Only)

Learn about unistalling the host monitor on Unix systems.

This procedure applies to Unix hosts only. There is no install or uninstall for Windows hosts.

To uninstall a host monitor:

  1. Log in to the host computer as root.
  2. From the HM_Home directory (where you installed the host monitor in Step 7) run the following command:

    hostmonsetup uninstall

8.4 Updating the Host Monitor (Unix Hosts Only)

Learn how to update the host monitor on Unix systems.

When you update the Audit Vault Server to a future release, the host monitor is automatically updated.

If your current release is prior to 12.1.2, refer to the README included with upgrade software or patch updates for instructions on how to update the host monitor.

See Also:

Oracle Audit Vault and Database Firewall Installation Guide for information on downloading upgrade software.

8.5 Using Certificate-based Authentication for the Host Monitor

Learn to use certificate-based authentication for host monitors.

By default, the Database Firewall allows the host monitor connection based on verifying the host's (originating) IP address.

If you want the additional security of using certificate-based authentication for the host monitor, follow these procedures after the host monitor is installed:

8.5.1 Requiring a Signed Certificate for Host Monitor Connections to Database Firewall

Learn how to configure the requirement for a signed certificate for Host Monitor connections to Database Firewall.

To require a signed certificate for Host Monitor connections:

  1. Stop the Host Monitor if it is running.
  2. At the Database Firewall, log in as root, and run the following commands:
    cp /usr/local/dbfw/etc/controller.crt /usr/local/dbfw/etc/fw_ca.crt
    chown dbfw:dbfw /usr/local/dbfw/etc/fw_ca.crt
    chmod 400 /usr/local/dbfw/etc/fw_ca.crt
  3. Run the following command to restart the Database Firewall traffic processing processes:

    /usr/local/dbfw/bin/dbfwctl restart

Related Topics

8.5.2 Getting a Signed Certificate from Audit Vault Server

Learn how to obtain a signed certificate from Audit Vault Server.

Follow this procedure for each host machine that is running Host Monitor. The Host Monitor should already be installed.

To get a signed certificate from the Audit Vault Server, follow these steps:

  1. Log in to the Audit Vault Server as root.
  2. Go to the directory /usr/local/dbfw/etc.
  3. Run the following two commands:
    openssl genrsa -out hmprivkey.perm 2048
    openssl req -new -key hmprivkey.perm -out hmcsr.csr -subj "/CN=Hostmonitor_Cert_hostname/"

    The hostname is the name of the database server where the Audit Vault Agent is installed.

  4. To generate one signed certificate, run the following command:
    /usr/local/dbfw/bin/generate_casigned_hmcert.sh

    The signed certificate file hmcert.crt is generated in the directory /usr/local/dbfw/etc.

  5. Copy the following files from the Audit Vault Server to the Agent_Home/hm directory on the database server where the Audit Vault Agent is installed:

    /usr/local/dbfw/etc/hmcert.crt

    /usr/local/dbfw/etc/hmprivkey.perm

  6. (Unix Hosts only) As root, run the following commands:
    chown root:root Agent_Home/hm/hmcert.crt Agent_Home/hm/hmprivkey.perm
    chmod 400 Agent_Home/hm/hmcert.crt Agent_Home/hm/hmprivkey.perm
  7. (Windows Hosts only) Ensure the files hmcert.crt and hmprivkey.perm have Agent user ownership and appropriate permissions to prevent unwanted user access.
  8. Start the Host Monitor to capture network traffic.
  9. Repeat this procedure for every host running Host Monitor.

Related Topics