topic Re: Cppcap - exit after X files? in Firewall and Security Management

Cppcap - exit after X files?

Mikael — Fri, 11 Nov 2022 11:54:55 GMT

Hello,

While troubleshooting an issue for a customer I had to collect a bunch of traffic and I tried to use cppcap but have a few questions that I just want check if anyone else has seen and solved somehow.

The issue I was troubleshooting required me to collect traffic over a long period. While setting up the capture I was looking for a way to automatically exit after having saved X amount of data. As far as I could see, the only option was

-b <NUM>

capture NUM bytes before stopping

but to the best of my understanding this is a counter of collected data on the wire, not amount of data saved to a file...

Has anyone found a way of collecting (for example) 10 files, each 1GB large and then exit?

-w <FMT>	file size limit with rotation followed by 'K'ilo,'M'ega or 'G'iga. Default is bytes
-W <NUM>	use up to NUM files with rotation (use with '-w')

-w and -W will limit size and number of files but it will rotate forever and not exit after reaching the value of -W.

Also, if using -I to capture on multiple interfaces, is there afterwards any reference to the interface on which the packet was captured?

Cheers

Reference:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk141412

Re: Cppcap - exit after X files?

the_rock — Fri, 11 Nov 2022 17:40:12 GMT

Can you please provide exact syntax you did? I would like to test it in the lab and see what I get.

Andy

Re: Cppcap - exit after X files?

Mikael — Fri, 11 Nov 2022 19:23:35 GMT

It would have been something like:

cppcap -I <external nic> -o filename.pcap -w 1G -W 10 -DNT -f "host X.X.X.X"

I also tried to add the -b but as I wrote that seems to be the data on the wire, not written to files...

[Expert@gbgfw1:0]# cppcap -I eth4 -o filename.pcap -w 1K -W 10 -DNT -f "host 192.168.1.5" -b10000
67 packets captured (9.848 KB)

[Expert@gbgfw1:0]#[Expert@gbgfw1:0]# ls -ltr

-rw-rw---- 1 admin root 1105 Nov 11 20:19 filename.pcap
-rw-rw---- 1 admin root 1135 Nov 11 20:19 filename.pcap_1
-rw-rw---- 1 admin root 1062 Nov 11 20:19 filename.pcap_2
-rw-rw---- 1 admin root 1065 Nov 11 20:20 filename.pcap_3
-rw-rw---- 1 admin root 1054 Nov 11 20:20 filename.pcap_4
-rw-rw---- 1 admin root 1147 Nov 11 20:20 filename.pcap_5
-rw-rw---- 1 admin root 562 Nov 11 20:20 filename.pcap_6
[Expert@gbgfw1:0]#

Re: Cppcap - exit after X files?

the_rock — Fri, 11 Nov 2022 20:14:26 GMT

I see what you mean, Im not getting desires result either, definitely NOT rotating. I put -W 10 as you mentioned, but only got 3

[Expert@GATEWAY:0]# cppcap -I eth0 -o filename.pcap -w 1K -W 10 -DNT -f "host 172.16.10.178" -b10
1 packets captured (78 B)

[Expert@GATEWAY:0]# ls -lf
.toprc tcpdumpradius.out .clish_history tcpdumpradius1.out
filename.pcap_1 fwmonitor.out .ssh .
.lvm_history .bash_history last_dump.log filename.pcap_2
filename.pcap .bash_logout .. .cpsizeme.log
.mgmt_cli .lesshst .bash_profile .bashrc
[Expert@GATEWAY:0]# ls -lh
total 28K
-rw-rw---- 1 admin root 118 Nov 11 15:11 filename.pcap
-rw-rw---- 1 admin root 1.1K Nov 11 15:09 filename.pcap_1
-rw-rw---- 1 admin root 1.1K Nov 11 15:10 filename.pcap_2
-rw-rw---- 1 admin root 1.3K Feb 9 2022 fwmonitor.out
-rw-r--r-- 1 admin root 1.9K Oct 24 11:12 last_dump.log
-rw-rw---- 1 admin root 1 Feb 9 2022 tcpdumpradius.out
-rw-rw---- 1 admin root 1 Feb 9 2022 tcpdumpradius1.out
[Expert@GATEWAY:0]#

Re: Cppcap - exit after X files?

Mikael — Fri, 11 Nov 2022 20:15:28 GMT

Well, if you remove the -b it will rotate, but that's not what I wanted 😀

I want 10 files, 1GB large and then exit..

Re: Cppcap - exit after X files?

the_rock — Fri, 11 Nov 2022 20:27:22 GMT

Ah, I see, ok :). Well, that SORT of works, BUT...does not exit on its own, I had to stop it myself. Let me play around with it, very interesting to see if we can figure it out.

Andy

[Expert@GATEWAY:0]# ls -lh
total 68K
-rw-rw---- 1 admin root 118 Nov 11 15:11 filename.pcap
-rw-rw---- 1 admin root 1.1K Nov 11 15:09 filename.pcap_1
-rw-rw---- 1 admin root 1.1K Nov 11 15:10 filename.pcap_2
-rw-rw---- 1 admin root 1.3K Feb 9 2022 fwmonitor.out
-rw-r--r-- 1 admin root 1.9K Oct 24 11:12 last_dump.log
-rw-rw---- 1 admin root 1 Feb 9 2022 tcpdumpradius.out
-rw-rw---- 1 admin root 1 Feb 9 2022 tcpdumpradius1.out
-rw-rw---- 1 admin root 1.1K Nov 11 15:25 test.pcap
-rw-rw---- 1 admin root 1.2K Nov 11 15:25 test.pcap_1
-rw-rw---- 1 admin root 1.1K Nov 11 15:25 test.pcap_2
-rw-rw---- 1 admin root 1.1K Nov 11 15:25 test.pcap_3
-rw-rw---- 1 admin root 1016 Nov 11 15:25 test.pcap_4
-rw-rw---- 1 admin root 1.1K Nov 11 15:25 test.pcap_5
-rw-rw---- 1 admin root 1.1K Nov 11 15:25 test.pcap_6
-rw-rw---- 1 admin root 1.1K Nov 11 15:25 test.pcap_7
-rw-rw---- 1 admin root 1.1K Nov 11 15:25 test.pcap_8
-rw-rw---- 1 admin root 1.1K Nov 11 15:25 test.pcap_9
[Expert@GATEWAY:0]#

Re: Cppcap - exit after X files?

Mikael — Fri, 11 Nov 2022 20:29:18 GMT

Yes exactly, which is probably fine in some scenarios.

In my scenario though I wanted traffic from a certain timestamp and I had 20GB disk free to save it on so I wanted it to exit once 20GB was collected...

Re: Cppcap - exit after X files?

PhoneBoy — Sat, 12 Nov 2022 13:54:25 GMT

I suspect the precise functionality you're looking for is an RFE.
Having said that, you could probably do a combination of cppcap and a script that monitors for the creation of capture files.
Once you've captured X files, kill cppcap.
To facilitate this: use -W 11 (one more capture file than you want)

Re: Cppcap - exit after X files?

Timothy_Hall — Sat, 12 Nov 2022 19:00:09 GMT

If it is possible the author of the cppcap tool will know. @aviadhah