Chat now with support
Chat with Support

One Identity Safeguard for Privileged Sessions 7.2.1 - Safeguard Desktop Player User Guide

Summary of changes Features and limitations Installing Safeguard Desktop Player First steps Validating audit trails Replaying audit trails Replaying encrypted audit trails Replaying encrypted audit trails from the command line Replaying audit files in follow mode Searching in the content of the current audit file Search query examples Exporting the audit trail as video Exporting the sound from an audit trail Exporting zat and zatx files Sharing an encrypted audit trail Replaying X11 sessions Exporting transferred files from SCP, SFTP, HTTP, and RDP audit trails Exporting raw network traffic in PCAP format Exporting screen content text Troubleshooting the Safeguard Desktop Player Keyboard shortcuts

Exporting raw network traffic in PCAP format

You can choose to convert audit trails to packet capture (PCAP) format, which is a common file format for storing network traffic.

Exporting raw network traffic in PCAP format using the command line

This section describes how to export raw network traffic in PCAP format using the command line.

To export raw network traffic in PCAP format using the command line

Start a command prompt and navigate to the installation directory of Safeguard Desktop Player.

By default, the installation directories on the different operating systems are the following:

  • On Microsoft Windows platforms: C:\Documents and Settings\<username>\Software\Safeguard\Safeguard Desktop Player\

  • On Linux: ~/SafeguardDesktopPlayer

  • On MacOS: /Applications/Safeguard Desktop Player.app/Contents/Resources/

  1. List the channels in the audit trail, and find the ones that you want to export. Note down the ID number of the channels as it will be required later on (it is 3 in the following example).

    • Windows: adp.exe --task channel-info --file <path/to/audit-trail.zat>

    • Linux or MacOS: ./adp --task channel-info --file <path/to/audit-trail.zat>

    If the audit trail is encrypted, use the --key <keyfile.pem:passphrase> option. Repeat the option if the audit trail is encrypted with multiple keys. Include the colon (:) character even if the key is not password-protected. Example output:

    Channel information : ssh-session-exec-scp:3
  2. Export the channels from the audit trail. Use the ID numbers of the channels from the previous step.

    • Windows: adp.exe -f <path/to/audit-trail.zat> -c <channel id> -t indexer --export-pcap output.pcap

    • Linux or MacOS: adp -f <path/to/audit-trail.zat> -c <channel id> -t indexer --export-pcap output.pcap

    If the audit trail is encrypted, use the --key <keyfile.pem:passphrase> option. Repeat the option if the audit trail is encrypted with multiple keys. Include the colon (:) character even if the key is not password-protected.

  3. Check the output directory for the exported files.

Exporting raw network traffic in PCAP format using the GUI

This section describes how to export the channels stored in the audit trail using the GUI.

To export the channels stored in the audit trail using the GUI

  1. Open the audit trail in the Safeguard Desktop Player application.

    If the audit trail is encrypted, you need the appropriate decryption keys to open it. For details, see Replaying encrypted audit trails.

  2. Click EXPORT > Export pcap.

    The Select folder dialog pops up.

  3. Select the directory where you want to save the files. Click Choose.

    Once the export process is finished, a FILES dialog pops up, indicating the number of exported files in brackets and listing the files that have been exported.

    Files have a number in their names, used for identifying the channels.

Exporting screen content text

This section describes how to export screen content text from text-based protocols (terminal-based protocols and HTTP) in TXT format. Screen content text is saved into files as UTF-8 encoded text with UNIX timestamps.

To export screen content text from text-based protocols (terminal-based protocols and HTTP) in TXT format

  1. Open the audit trail in the Safeguard Desktop Player application.

    If the audit trail is encrypted, you need the appropriate decryption keys to open it. For details, see Replaying encrypted audit trails.

  2. Click EXPORT > Export screen content text.

    The Select folder dialog pops up.

  3. Select the directory where you want to save the files. Click Choose.

    Once the export process is finished, a FILES dialog pops up, indicating the number of exported files in brackets and listing the files that have been exported.

    Filenames follow a pattern. Take the following example:

    1415176790.648000-1415176793.926000.txt

    Where:

    • the numbers before the hyphen (-) indicate the beginning of the interval in the session where the screen content text occurred

    • the numbers after the hyphen (-) indicate the end of the interval in the session where the screen content text occurred

    • the numbers are provided in UNIX timestamp format

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating