topic Re: Using Wireshark to capture packets on Firewall using standard out. in Firewall and Security Management

Using Wireshark to capture packets on Firewall using standard out.

KlowikiOne — Fri, 31 Mar 2023 08:27:42 GMT

Wireshark Live Capture From Check Point Firewall directly to your PC

Note: If a Jump box is required in your environment you need to run command from the jump box.

Standard Warning applies, Do not run a capture of any kind in this manner on an loaded firewall. No CPU over 70% should be safe however after-hours is best. Theoretically this type of capture will reduce CPU utilization by relieving the need to write a file. No download needed. The capture will automatically close when the capture is stopped. Ensure you have the bandwidth available to copy traffic. Filters also work in the command line.

ssh admin@192.168.199.22 "tcpdump -s0 -w - -i eth0" | "c:/program files\wireshark\wireshark.exe" -k -i -

I tried many different commands and command shells before I got the traffic redirects to work.

Cygwin did not work

Mobaxterm did not work

Openssh in Cygwin did not work

Almost every search in google for using stdout to push firewall traffic to the PC for Wireshark to use stdin to see live traffic in real time did not work. I found no references to use the good old command window and openssh.

Openssh as the command line that will open an ssh session over port 22 to the firewall. Tcpdump to redirect the filtered traffic over the tcp encrypted ssh tunnel session on port 22 back to the workstation in raw format. Wireshark to receive the stdout via stdin and display to the screen in real time. Amazing stuff.

Re: Using Wireshark to cpature packets on Firewall using standard out.

PhoneBoy — Tue, 07 Mar 2023 19:54:57 GMT

This is quite clever and well done on figuring it out.
You mind if I move this to a more public space?

Re: Using Wireshark to cpature packets on Firewall using standard out.

Danny — Tue, 07 Mar 2023 19:59:41 GMT

Thanks for this!

Re: Using Wireshark to cpature packets on Firewall using standard out.

KlowikiOne — Tue, 07 Mar 2023 21:50:35 GMT

I do not mind. Time for public critique. 🙂

Re: Using Wireshark to cpature packets on Firewall using standard out.

PhoneBoy — Tue, 07 Mar 2023 23:28:16 GMT

Done, moved out to Security Gateways.

Re: Using Wireshark to capture packets on Firewall using standard out.

the_rock — Wed, 08 Mar 2023 00:53:20 GMT

Good tip 👍

Re: Using Wireshark to capture packets on Firewall using standard out.

Timothy_Hall — Wed, 08 Mar 2023 02:19:41 GMT

Yep a neat trick and well done! Here is how I got to the same place awhile back through a different means but I found a number of caveats (the "timeout" one is more precautionary than anything as I saw some stuck tcpdump processes); here is the relevant lecture content along with the lab exercise from my Max Capture: Know Your Packets self-guided video:

Re: Using Wireshark to capture packets on Firewall using standard out.

KlowikiOne — Wed, 08 Mar 2023 05:43:34 GMT

I added a ram disk as a destination for debugs and realized a 60% reduction in CPU utilization on SND cores compared to the same debug writing to disk. This was in a production environment at 3am in the morning but still worked well. Might be worth further testing for packet captures.

Process Example is using the ram disk as a destination for tcpdump.

Process

#/*Make sure there is enough space. Memory swap does still work to disk if you go over the amount available. Ramfs does not support swap. */

#free -g

total used free shared buff/cache available

Mem: 15 8 0 1 6 5

Swap: 31 1 29

#/* Create the location the new disk will mount. */

#mkdir /mnt/rmdisk

#/* Mount the ram as tmpfs and specify amount of ram to use and where to mount it. */

#mount -t tmpfs -o size=4g tmpfs /mnt/rmdisk

#/* You can cd into the directory and use it as a normal disk. Remember this is volatile memory and will be erased on reboot or dismount. For Example: tcpdump. */

#tcpdump -enni any -w /mnt/rmdisk/dumpme.pcap

I am also investigating using tar files for tcpdump destinations for reducing CPU utilization. The whole Idea is to minimize the hardware interrupt for DMA for transfers from RAM to Disk. The process is slower than compressing data via cpu and a tar file. Sounded like a good idea anyway.

Thank you everyone for your replies and kudos.

Re: Using Wireshark to capture packets on Firewall using standard out.

Timothy_Hall — Wed, 08 Mar 2023 12:36:24 GMT

One other way to reduce CPU load I was investigating for live Wireshark captures was using cppcap instead of tcpdump for these live captures, as cppcap doesn't seem to cause nearly as much overhead as tcpdump which is the tool's main intent. However I confirmed with the tool's author @Aviad_Hadarian that cppcap does not have the option to output raw packets to the stdout, but if it did I think that would be very helpful to reduce live capture overhead. Might it be possible for cppcap to write its raw packet output to a named pipe (FIFO) via -o instead of a regular file, then have some intermediate process such as dd read that named pipe, dump it to its stdout and directly into Wireshark's stdin?

Also apparently having stuck tcpdump processes executing in the background running up CPU load on the Dispatcher cores has occurred often enough to cause the following recent SK to be created: sk172886: Multiple ksoftirqd processes show high CPU use

Re: Using Wireshark to capture packets on Firewall using standard out.

Bob_Zimmerman — Thu, 30 Mar 2023 21:12:06 GMT

Some OpenSSH options can help this work through jump servers in the path. Specifically, check out the ProxyJump option in ssh_config(5). It uses port forwarding on a jump server to let the client connect "directly" to the end destination. Notably, this doesn't expose any key material to the jump server in the path (unlike SSH agent forwarding).

A few other options can get similar results.

Re: Using Wireshark to capture packets on Firewall using standard out.

HeikoAnkenbrand — Thu, 30 Mar 2023 22:21:01 GMT

Very nice solution!

If you add "not port 22", you will no longer see your own ssh packages.

ssh admin@1.1.1.1 "tcpdump -s0 -w - -i eth0 not port 22" | "c:/program files\wireshark\wireshark.exe" -k -i -

Re: Using Wireshark to capture packets on Firewall using standard out.

KlowikiOne — Fri, 28 Apr 2023 20:09:57 GMT

Do you know of a way to start multiple tcpdumps in a single session? I would love to see checkpoint permit "screen" to operate. I would also like to see and updated ethtool.

Re: Using Wireshark to capture packets on Firewall using standard out.

the_rock — Fri, 28 Apr 2023 21:34:00 GMT

@KlowikiOne Well, since you are a CP employee, your best bet for those things is to verify with R&D. Personally, I never heard of a way to start multiple tcpdumps in a single session.

Re: Using Wireshark to capture packets on Firewall using standard out.

Timothy_Hall — Fri, 28 Apr 2023 22:04:56 GMT

If you need to capture on all interfaces with tcpdump, just use an interface name of "any" but be careful as that can impact the performance of the firewall. You could also use cppcap with the "-I (interface)" option that will capture traffic on all interfaces except the named (interface) as opposed to using "-i" for the interface specification. ethtool was updated in Gaia 3.10. All this was covered in my 'Max Capture: Know Your Packets" course.

Re: Using Wireshark to capture packets on Firewall using standard out.

the_rock — Fri, 28 Apr 2023 22:10:00 GMT

Check out site my colleague made while back on capturing with all major vendors, hope it helps you.

Andy

https://tcpdump101.com/#

Re: Using Wireshark to capture packets on Firewall using standard out.

KlowikiOne — Mon, 01 May 2023 12:58:27 GMT

I actually use this site to formulate the command line to use with tcpdump and cppcap. I find having customers use this is a helpful learning tool.

Re: Using Wireshark to capture packets on Firewall using standard out.

KlowikiOne — Mon, 01 May 2023 13:01:27 GMT

I avoid using the any interface, however I do like cppcap option to capture on any interface except flag.

Re: Using Wireshark to capture packets on Firewall using standard out.

the_rock — Mon, 01 May 2023 13:31:45 GMT

My colleague made that site in order to actually help anyone struggling with packet captures and debugs...we all been there mate, whether we want to admit ot ir not 😂

Re: Using Wireshark to capture packets on Firewall using standard out.

the_rock — Mon, 01 May 2023 13:32:23 GMT

Thats good point, BUT, sometimes, if you dont know what interface to use, you have to use any...

Re: Using Wireshark to capture packets on Firewall using standard out.

Bob_Zimmerman — Mon, 01 May 2023 14:49:22 GMT

There's not a good way to. Multiple SSH sessions are basically free, though (no more overhead than a single connection carrying all the same data).