https://community.checkpoint.com/t5/Firewall-and-Security-Management/cppcap-and-IPv6-host-filters/m-p/154357#M26145 <P>Hey Chris, thanks for that idea. While fw6 monitor -F works for very simple scenarios and the performance impact is not as bad as with tcpdump, it is still much more ressource intensive compared to cppcap. And we have all the overhead from the multiple chain position capturing.</P> <P>I will try asking the sk owner first, if that does not work, I will file a TAC case. Just wanted to ask community first, maybe I am just doing it wrong.</P> Tue, 02 Aug 2022 13:59:19 GMT Tobias_Moritz 2022-08-02T13:59:19Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/cppcap-and-IPv6-host-filters/m-p/154272#M26114 <P>Hello Check Mates,</P> <P>cppcap is out for quite a while now, but everytime when I want to do IPv6 captures with it, I am struggeling with the filter syntax.</P> <P data-unlink="true"><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk141412" target="_self">sk141412</A> tells us, that IPv6 is supported and the filter syntax is the one from libpcap. However, filter strings with IPv6 hosts which work in tcpdump do not work with cppcap.</P> <PRE data-unlink="true">cppcap -f 'host 2a02:26f0:12d:58c::4b36 or host 2a02:26f0:12d:59c::4b36' -o test.pcap -w 10M -W 2</PRE> <P data-unlink="true">is not showing any error message, but also not capturing traffic.</P> <PRE data-unlink="true">cppcap -f 'host c1-word-view-15.cdn.office.net' -o test.pcap -w 10M -W 2</PRE> <P data-unlink="true">is capturing the IPv6 traffic, showing exactly the IPv6 addresses in capture, that I used for the filter above. The FQDN used here resolves to the two IPv6 addresses shown above.</P> <P data-unlink="true">When using tcpdump:</P> <PRE data-unlink="true">tcpdump -i eth0 -w test.pcap host 2a02:26f0:12d:58c::4b36 or host 2a02:26f0:12d:59c::4b36</PRE> <P data-unlink="true">it is working fine.</P> <P data-unlink="true">Am I holding it wrong? <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P data-unlink="true">Does anyone got cppcap to work with IPv6 host filter strings?</P> <P data-unlink="true">The workaround in using tcpdump instead of cppcap is not suitable in production, because of the load (as mentioned in the sk).</P> <P data-unlink="true">The workround in using FQDN instead of IPv6 address in filter string is not suitable for obvious reasons.</P> <P data-unlink="true">Version: R80.40 JHF T161.</P> <P data-unlink="true">&nbsp;</P> <P data-unlink="true">Thank you for any ideas!</P> Mon, 01 Aug 2022 13:53:39 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/cppcap-and-IPv6-host-filters/m-p/154272#M26114 Tobias_Moritz 2022-08-01T13:53:39Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/cppcap-and-IPv6-host-filters/m-p/154344#M26139 <P>Can you get what you need from "fw monitor" rather than tcpdump?</P> <P>Otherwise if the syntax is not operating as you expect I would work the examples through further with TAC.</P> Tue, 02 Aug 2022 13:22:25 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/cppcap-and-IPv6-host-filters/m-p/154344#M26139 Chris_Atkinson 2022-08-02T13:22:25Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/cppcap-and-IPv6-host-filters/m-p/154357#M26145 <P>Hey Chris, thanks for that idea. While fw6 monitor -F works for very simple scenarios and the performance impact is not as bad as with tcpdump, it is still much more ressource intensive compared to cppcap. And we have all the overhead from the multiple chain position capturing.</P> <P>I will try asking the sk owner first, if that does not work, I will file a TAC case. Just wanted to ask community first, maybe I am just doing it wrong.</P> Tue, 02 Aug 2022 13:59:19 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/cppcap-and-IPv6-host-filters/m-p/154357#M26145 Tobias_Moritz 2022-08-02T13:59:19Z