topic Tcpdump + Zdebug in Firewall and Security Management

Tcpdump + Zdebug

kobilevi — Thu, 09 Jun 2022 11:56:45 GMT

Hi Checkmates !

I wanted to know if Checkpoint has a complete guide to tcpdump and zdebug

Anyone know of one?
Thanks

Re: Tcpdump + Zdebug

the_rock — Thu, 09 Jun 2022 12:19:53 GMT

Can you explain please? What kind of guide? You can refer to below

https://gist.github.com/tuxfight3r/9ac030cb0d707bb446c7

Re: Tcpdump + Zdebug

kobilevi — Thu, 09 Jun 2022 12:23:51 GMT

Hi I am looking for a complete guide for beginners to zdebug and tcpdump for checkpoint gateways

Re: Tcpdump + Zdebug

G_W_Albrecht — Thu, 09 Jun 2022 12:25:15 GMT

tcpdump is not a CP software 😉

sk100808: How to use " fw ctl zdebug" command

sk30583: What is FW Monitor?

Re: Tcpdump + Zdebug

the_rock — Thu, 09 Jun 2022 12:30:36 GMT

Just google it, bunch of links come up with useful flags.

Re: Tcpdump + Zdebug

Oliver_Fink — Thu, 09 Jun 2022 12:36:27 GMT

Maybe you want to use cppcap instead of tcpdump. Have a look at sk141412: cppcap - A Check Point Traffic Capture Tool…

It uses pcap-filter(7) as syntax and has no hassle with SecureXL.

Re: Tcpdump + Zdebug

Timothy_Hall — Thu, 09 Jun 2022 12:42:45 GMT

You may want to check out my 2021 CPX presentation here which summarizes the packet capturing options on Check Point:

https://community.checkpoint.com/fyrhh23835/attachments/fyrhh23835/member-exclusives/484/2/CPX_Preso_TimHall_FINAL.pdf

This presentation was derived from my self-guided video series "Max Capture: Know Your Packets" which thoroughly covers all the packet capture tools including tcpdump along with fw ctl zdebug + drop as well. There are also free updates to the original class available here:

Max Capture Update 1: Taking "Triggered" Packet Captures

Max Capture Update 2: Debug Filter Battle -- fw monitor -F vs. fw ctl zdebug + drop

Re: Tcpdump + Zdebug

PhoneBoy — Fri, 10 Jun 2022 21:52:54 GMT

tcpdump: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk100021&partition=Advanced&product=X-Series
fw ctl debug: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk171943&partition=Advanced&product=Quantum

Re: Tcpdump + Zdebug

Vladimir_S — Mon, 24 Apr 2023 02:10:02 GMT

tcpdump link is the broken.

Vlad.

Re: Tcpdump + Zdebug

Blason_R — Mon, 24 Apr 2023 03:10:12 GMT

Well there are bunch of ATRG available in support center. Those are more than enough to start with and then as suggested by community google can be your best friend. I specifically have learned using r&d on test setup.

Re: Tcpdump + Zdebug

Chris_Atkinson — Mon, 24 Apr 2023 05:35:09 GMT

Note tcpdump isn't specific to check point.

We recommend using CPPCAP (sk141412) as an alternative

Re: Tcpdump + Zdebug

PhoneBoy — Tue, 25 Apr 2023 02:13:40 GMT

Looks like an SK that isn't on the new Support Center as of yet.
I've reported this issue internally.
Meanwhile, you should be able to see it here: https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk100021&partition=Advanced&product=X-Series