topic Re: tcpdump any interface didn't show interface in R80.40 in Firewall and Security Management

tcpdump any interface didn't show interface in R80.40

Daniel_ — Fri, 26 Feb 2021 12:03:26 GMT

Hello Experts,

with pre R80.40 systems I captured with

tcpdump -Penni any <pcap-filter>

and got the interface:

12:19:15.061879 Mgmt.600[out]: 10.238.1.1.22 > 10.238.0.4.52825: P 443932:444192(260) ack 1769 win 47888
12:19:15.061883 Mgmt[out]: 10.238.1.1.22 > 10.238.0.4.52825: P 443932:444192(260) ack 1769 win 47888
12:19:15.062010 Mgmt.600[out]: 10.238.1.1.22 > 10.238.0.4.52825: P 444192:444452(260) ack 1769 win 47888
12:19:15.062014 Mgmt[out]: 10.238.1.1.22 > 10.238.0.4.52825: P 444192:444452(260) ack 1769 win 47888
12:19:15.062141 Mgmt.600[out]: 10.238.1.1.22 > 10.238.0.4.52825: P 444452:444712(260) ack 1769 win 47888
12:19:15.062145 Mgmt[out]: 10.238.1.1.22 > 10.238.0.4.52825: P 444452:444712(260) ack 1769 win 47888
12:19:15.062277 Mgmt.600[out]: 10.238.1.1.22 > 10.238.0.4.52825: P 444712:444972(260) ack 1769 win 47888

With R80.40 "-P" is not possible. I used "-Q inout" but I didn't get the interfaces.

With cppcap you can get it in text output but not in capture/wireshark.

I need something like this (captured with "tcpdump -Penni any" on R80.20)

Any ideas to get interfaces in text output with tcpdump and also in capture file (for wireshark) back?

Bye

Re: tcpdump any interface didn't show interface in R80.40

Timothy_Hall — Fri, 26 Feb 2021 14:53:04 GMT

As mentioned in my Max Capture class, the tcpdump 3.9.4 version bundled with Gaia 2.6.18 had the -P flag directly hacked in to the tcpdump binary by Check Point to display the interface name in CLI output.

When Gaia 3.10 was introduced the version of tcpdump was updated to version 4.9.0 and the -P hack went away with it. Will probably need to submit an RFE to get this put back in. Alternatively it looks like tcpdump version 4.9.9 now natively supports displaying the interface name in the CLI output. As a further motivator for an RFE, the tcpdump changelog (https://www.tcpdump.org/tcpdump-changes.txt) notes that literally dozens of CVE vulnerabilities were fixed in tcpdump versions 4.9.2 and 4.9.3, so perhaps R&D could just update tcpdump to 4.9.9 via Jumbo HFA and kill two birds with one stone. Tagging @PhoneBoy for R&D coordination.

As an workaround for now just use cppcap (my preferred tool) or there is the "anydump" script:

https://sebastianhaas.de/anydump-release/

Re: tcpdump any interface didn't show interface in R80.40

Daniel_ — Fri, 26 Feb 2021 15:26:42 GMT

Thanks for the fast answer.

If "-P" is always build in: If I start (on R80.40)

tcpdump -s0 -w file.cap -enni any host <pcap-filter>

I can't see the interface information inside Wireshark as shown in my screenshot in my first post (and also not with my preferred tool cppcap 😏).

BTW: I read you presentation and didn't got the information that "-P" is build in 😮

Re: tcpdump any interface didn't show interface in R80.40

Timothy_Hall — Fri, 26 Feb 2021 16:10:43 GMT

You can't see the interface name in Wireshark because it is not embedded in the pcap file in the first place. If doing a live capture or a replay with version 4.9.9, tcpdump can only display the interface information because it is looking at the live interface configuration of the system it is running on, and can calculate the interface name for display. If a pcap file created by tcpdump/cppcap is replayed on a different system or viewed in Wireshark, the interface name information is not supported by the pcap format at all, and is simply not available. Using the hacked-in -P option embedded the interface name into the pcap file in what I assume is an unsupported way, as seen in your screenshot. pcapng (which is still experimental) will address this by including interface name information right in the capture file.

So without the -P hack you are basically stuck, and cannot see interface information in Wireshark with pcap captures generated by cppcap/tcpdump. It would be a very interesting feature if cppcap had an option to output its captures in pcapng format (which would include interface name information embedded in the capture) instead of standard pcap format, so I'm going to tag cppcap's author @Aviad_Hadarian who also got a shout out in my 2021 CPX presentation.

As a workaround you could use fw monitor -F, which can capture accelerated traffic and has the interface name information along with capture points embedded in its capture file output in the "snoop" file format, which does support including the interface name. You'll need to set up Wireshark to display this properly as described here: sk39510: How to configure Wireshark to display Check Point FireWall chains in an FW Monitor packet. However be sure to read my stern warning in the presentation about how fw monitor -F can blast you with an unfiltered capture if you make a mistake with your filter, so double-check your filtering syntax and always use the -ci and/or -co options to automatically limit the number of packets captured by fw monitor -F just in case you do make a mistake.

I suppose you could take the older tcpdump binary from a R80.20 system and copy it over to a Gaia 3.10 system and try to run it, but that is unlikely to work and most definitely not supported.

Re: tcpdump any interface didn't show interface in R80.40

Aviad_Hadarian — Sun, 28 Feb 2021 06:29:00 GMT

@Timothy_Hall thank you for you kind words, I don't think it too problematic to add interface names if such thing is available in libpcap, will look

Re: tcpdump any interface didn't show interface in R80.40

Daniel_ — Mon, 01 Mar 2021 07:30:47 GMT

Thanks to take a look to this. And an other RFE 😉

Can you add a fileinfo in the pcap file (as f5 does)?

This would also help TAC to interpret captures.

Re: tcpdump any interface didn't show interface in R80.40

Aviad_Hadarian — Mon, 01 Mar 2021 09:35:06 GMT

That's Nice but will require special extension in wireshark

Re: tcpdump any interface didn't show interface in R80.40

Daniel_ — Mon, 01 Mar 2021 12:04:40 GMT

I'm running Wireshark 3.4.3 and didn't installed any plugins (AFAIK)...