Check Point CPPCAP Interactive Helper

Vincent_Bacher — Wed, 21 Jan 2026 15:49:11 GMT

🔍 Check Point CPPCAP Interactive Helper

An interactive wrapper script for Check Point's cppcap tool that simplifies packet capture operations on Security Gateways and Management Servers.

📋 What it does

This script guides you through all available cppcap options interactively, eliminating the need to remember complex command-line syntax.

✨ Key Features:

Smart interface selection - Shows only UP interfaces and supports capture on all interfaces or specific include/exclude filtering
Interactive filter building - Step-by-step filter creation with IP validation, or manual pcap-filter syntax entry
IP validation - Validates IP addresses and CIDR notation to prevent syntax errors before execution
Flexible output - Save to file with rotation support, or display on screen with verbose layer details (L2/L3/L4)
VSX support - Include or exclude specific Virtual Systems (VSID)
Capture limits - Set frame count, byte limits, and snaplen for precise control

🚀 Installation

Copy the script to your Check Point Gateway/SMS and make it executable:

# Copy script to gateway
scp cppcap_helper.sh admin@<your-gateway>:/home/admin/

# Connect via SSH
ssh admin@<your-gateway>

# Switch to Expert mode
expert

# Make script executable
chmod +x cppcap_helper.sh

# Run the script
./cppcap_helper.sh

⚠️ Important: The script must be run in Expert mode (as root).

💡 Why use this?

Before: Complex command-line syntax

cppcap -i eth0 -f 'src host 10.1.1.1 and dst net 192.168.0.0/16 and tcp and port 443' \
       -c 0 -p 1000 -o /var/log/capture.pcap -w 100M -W 10

After: Just run the script and answer a few simple questions!

./cppcap_helper.sh

🎯 Perfect for:

Quick troubleshooting when you need a packet capture fast
Junior admins who don't know all cppcap parameters by heart
Situations where you can't remember the exact pcap-filter syntax
Avoiding typos in complex filter expressions
Consistent capture configuration across teams

📝 Author

Vincent Bacher

Feel free to share feedback or suggestions for improvements in this thread!

# ./cppcap_helper.sh ================================================ Check Point CPPCAP - Interactive Helper ================================================ ℹ Press ENTER to skip any option (use default/none) === Interface Configuration === ℹ Available interfaces (UP only): - bond0 - bond1 - bond2 - bond3 - eth2-01 - eth2-02 - eth2-03 - eth2-04 - eth3-01 - eth3-02 - eth3-03 - eth3-04 Enter interface name (empty=all interfaces, e.g., eth0, eth1): ℹ Will capture on ALL interfaces === Filter Configuration === How do you want to specify the filter? [i/m/n] (i=interactive, m=manual, n=none): i ℹ Building filter interactively... Source IP/Network (e.g., 192.168.1.0/24): 10.10.10.0/25 Destination IP/Network (e.g., 10.0.0.1): 1.1.1.1 Protocol [tcp/udp/icmp/arp]: tcp Port number (leave empty for any): 22 Exclude SSH (port 22)? [Y/n]: n ℹ Generated filter: src net 10.10.10.0/25 and dst host 1.1.1.1 and tcp and port 22 === Traffic Direction === Capture direction? [B/i/o] (B=both (default), i=inbound, o=outbound): ℹ Capturing BOTH directions (default) === Capture Limits === Maximum number of frames to capture (empty=unlimited): 1000 ℹ Will capture max 1000 frames Maximum bytes to capture total (empty=unlimited): 1000 ℹ Will capture max 1000 bytes total Maximum bytes per frame [default=96] (0=unlimited): === Virtual System Configuration (VSX) === Are you running VSX/VSNext? [y/N]: === Output Configuration === Save to file or display on screen? [f/S] (f=file, S=screen (default)): f Output file path (e.g., /var/log/capture.pcap or capture.pcap): ⚠ No file specified, using: /home/lalala/cppcap.pcap Enable file rotation? [y/N]: y Maximum file size [e.g., 100M, 1G]: 10M Maximum number of rotated files (e.g., 10): 3 ℹ Will rotate at 10M, keeping 3 files === Ready to Execute === Command to be executed: cppcap -i any -f 'src net 10.10.10.0/25 and dst host 1.1.1.1 and tcp and port 22' -p 1000 -b 1000 -o cppcap.pcap -w 10M -W 3 ℹ Output will be saved to: cppcap.pcap ℹ You can analyze it later with: tcpdump -r cppcap.pcap Execute this command? [Y/n]:

Re: Check Point CPPCAP Interactive Helper

the_rock — Wed, 21 Jan 2026 15:57:45 GMT

Nice one, Vince!

Re: Check Point CPPCAP Interactive Helper

Vincent_Bacher — Thu, 22 Jan 2026 11:02:54 GMT

New version with support of colorized output.

topic Re: Check Point CPPCAP Interactive Helper in Scripts

Check Point CPPCAP Interactive Helper

🔍 Check Point CPPCAP Interactive Helper

📋 What it does

🚀 Installation

💡 Why use this?

🎯 Perfect for:

📝 Author

Re: Check Point CPPCAP Interactive Helper

Re: Check Point CPPCAP Interactive Helper