topic Re: Sniffers in VSX environments in Firewall and Security Management

Sniffers in VSX environments

Matlu — Mon, 17 Mar 2025 17:53:09 GMT

Hello.

Is it possible to apply a TCPDUMP or CPPCAP on a particular vsenv, and “export” the result in a pcap file?

Now, if it is possible to do this, how would you get the pcap file?

Would I have to connect by WinSCP (for example), to my VS0. or can I connect by WinSCP directly to a particular vsenv, to be able to extract the pcap file and be able to review it?

Thanks for your comments.

Re: Sniffers in VSX environments

Bob_Zimmerman — Mon, 17 Mar 2025 18:18:51 GMT

You can start a capture in a particular VS in a few ways:

vsenv 5 tcpdump ... # Or from any VS: ip netns exec CTX00005 tcpdump ...

The "CTX00005" is the name of the VS. It's the VSID padded with leading zeros to be five digits. VS 123 would be CTX00123. You can see all of them by running 'ip netns list'.

As for getting the capture file later, VSs are just network namespaces. They have separate routing tables and firewall policies, but that's it. It's all one server running one OS with one filesystem. They're much less isolated than virtual machines, for example.

Re: Sniffers in VSX environments

the_rock — Mon, 17 Mar 2025 18:20:40 GMT

Bro,

I literally built VSX lab this morning just to CONFIRM this, since you asked about it in the other sxl post, haha. And yes, what @Bob_Zimmerman said is exactly right.

Andy

Re: Sniffers in VSX environments

Matlu — Mon, 17 Mar 2025 19:11:58 GMT

So, is it possible to run a tcpdump or cppcap from VS0 itself but ‘focused’ on a particular vsenv, and save the result in a pcap?

For example I have the need to run a capture from my vsenv 2, with source 192.168.20.100 and destination 10.100.20.10 by icmp service.

Could you show me the example of the syntax of the command, being 'stopped' in the VS0?

Thank you.

Re: Sniffers in VSX environments

Lesley — Mon, 17 Mar 2025 19:35:46 GMT

cppcap -o capturenam.pcap -v 2 -f " host 192.168.20.100 and host 10.100.20.10 "

Re: Sniffers in VSX environments

the_rock — Mon, 17 Mar 2025 19:38:07 GMT

Check out the site my colleague made ages ago, has bunch of different options for major fw vendors when doing common captures.

Andy

https://tcpdump101.com/#

Re: Sniffers in VSX environments

Matlu — Fri, 21 Mar 2025 17:08:48 GMT

Hi, Lesley

To this cppcap command syntax that you have shared, can you “add” the option to capture on a special interface?

I want to capture for example the traffic related only to VS 2 on its bond2.1095 interface.

Could you share with me how would be the syntax in this case, to capture it in a pcap file?

Regards

Re: Sniffers in VSX environments

Lesley — Fri, 21 Mar 2025 19:07:58 GMT

Here you go:

cppcap -o capturenam.pcap -v 2 -i bond2.1095 -f " host 192.168.20.100 and host 10.100.20.10"

Re: Sniffers in VSX environments

Matlu — Fri, 21 Mar 2025 19:58:52 GMT

Thanks for the help, Lesly.

Just out of curiosity and concern.

Does this way of working with “cppcap” apply the same if anyone uses “tcpdump”?

I mean for example, from my VS 0, I can still run a “tcpdump” pointing to a particular VS?

Thanks for the clarification.

Re: Sniffers in VSX environments

Lesley — Fri, 21 Mar 2025 20:58:43 GMT

Yes you still can tcpdump as stated before in this topic. In VS0 or any other VS.

But officially Check Point recommends cppcap for various reasons like:

Symptoms

In some scenarios, when running tcpdump with a filter to "any" interface, the output shows no traffic.
When removing the Health Probe configuration from the fwkern.conf file, the traffic is captured.

Cause

Some traffic types go directly to a specific interface's queue, while avoiding any socket tcpdump listens to. This causes tcpdump to not catch this traffic.

Solution

Use CPPCAP - a Check Point Traffic Capture Tool instead. It show all traffic in these scenarios.
Check Point recommends to use CPPCAP for traffic capture. CPPCAP is a traffic capture tool which provides the most relevant outputs and is similar to tcpdump.

Or:

Check Point created a traffic capture tool for Gaia OS - CPPCAP.
This is a traffic capture tool that provides the most relevant outputs and is similar to the Linux tool TCPdump.
This tool was created to resolve various issues in the Linux tool TCPdump that significantly increased CPU load on Security Gateways.

Notes:

CPPCAP is supported only on Gaia OS in the 64-bit mode (default in R80.40 and higher).
CPPCAP also captures traffic that is accelerated in SecureXL.

Re: Sniffers in VSX environments

the_rock — Fri, 21 Mar 2025 21:26:16 GMT

Either one works fone from my personal experience.

Andy

https://support.checkpoint.com/results/sk/sk141412

Re: Sniffers in VSX environments

Matlu — Fri, 21 Mar 2025 22:36:17 GMT

Hey,

So, if I were to use tcpdump instead of “cppcap”, the syntax in a VSX environment, would be something like this?

tcpdump -o capturenam.pcap -v 2 -i bond2.1095 -f “ host 192.168.20.100 and host 10.100.20.10”

The parameters like “-f” and “-v” are kept?

Because the idea is to apply the command from VS0 and capture the traffic from the VS 2 instance.

Thanks for the comments.

Re: Sniffers in VSX environments

Bob_Zimmerman — Fri, 21 Mar 2025 23:01:07 GMT

To run a tcpdump from VS0 capturing traffic in VS2, you would use this:

ip netns exec CTX00002 tcpdump -i bond2.1095 -w capturename.pcap host 192.168.20.100 and host 10.100.20.10

No -v switch, no switch needed for the filter, and the file to write is specified with -w instead of -o.

Re: Sniffers in VSX environments

Matlu — Fri, 21 Mar 2025 23:24:08 GMT

Hello.

This part of the command #ip netns exec CTX00002 tcpdump -i bond2.1095 .... I understand that “CTX00002” is the name VS 2?

If it were a different VS ID like 6, it is replaced by CTX00006?

Or am I misunderstanding the information?

Re: Sniffers in VSX environments

the_rock — Fri, 21 Mar 2025 23:29:45 GMT

You got it.