https://community.checkpoint.com/t5/Firewall-and-Security-Management/Wrieshark-run-for-long-period/m-p/86139#M6645 <P>hey.</P><P>for inconstant problems which we need to run wireshark / fw monitor to get a packet capture form the FW.. how do you run this in a way that will keep the fw "safe from crush" and without being connected to the FW.</P><P>thanks</P><P>dor</P> Sun, 24 May 2020 07:08:00 GMT Dor_Marcovitch 2020-05-24T07:08:00Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Wrieshark-run-for-long-period/m-p/86139#M6645 <P>hey.</P><P>for inconstant problems which we need to run wireshark / fw monitor to get a packet capture form the FW.. how do you run this in a way that will keep the fw "safe from crush" and without being connected to the FW.</P><P>thanks</P><P>dor</P> Sun, 24 May 2020 07:08:00 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Wrieshark-run-for-long-period/m-p/86139#M6645 Dor_Marcovitch 2020-05-24T07:08:00Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Wrieshark-run-for-long-period/m-p/86161#M6646 <P>For long-running captures I'd suggest using cppcap:</P> <P><A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk141412&amp;partition=Advanced&amp;product=Security" target="_blank" rel="noopener">sk141412: Running tcpdump causes high CPU usage - Introducing <STRONG>cppcap</STRONG></A></P> <P>Use of <STRONG>fw monitor</STRONG> for long-running captures is potentially more likely to impact firewall performance since it is essentially "in line" with the chain module sequences (<STRONG>fw ctl chain</STRONG>), and also if someone reinstalls policy to the gateway while an <STRONG>fw monitor</STRONG> is running, the capture will be automatically terminated due to the chain sequences being rebuilt as part of the installation process.</P> Sun, 24 May 2020 18:22:47 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Wrieshark-run-for-long-period/m-p/86161#M6646 Timothy_Hall 2020-05-24T18:22:47Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Wrieshark-run-for-long-period/m-p/86166#M6647 <P>TCPDUMP is a Linux tool which at times is not suitable for use with Gaia. Running TCPDUMP causes a significant increase in CPU usage and as a result impact the performance of the device. Even while filtering by specific interface or port still high CPU occurs. Check Point created a tool which works better with Gaia OS.</P> <P>"CPPCAP" is a traffic capture tool which provides the most relevant outputs and is similar to Tcpdump. The tool is adjusted to Gaia operating system yet requires installation of an applicable RPM. The good news!&nbsp;<SPAN style="color: #333333; background-color: #ffffff;"><SPAN style="color: #ff0000;"><STRONG>SecureXL can be enabled</STRONG></SPAN> or disabled to capture with CPPCAP.</SPAN></P> <P><SPAN style="color: #333333; background-color: #ffffff;">More read here:<BR /><A href="https://community.checkpoint.com/docs/DOC-3406-r80x-performance-tuning-and-debug-tips-tcpdump-vs-cppcap" target="_blank" rel="noopener">- R80.x - Performance Tuning and Debug Tips - TCPDUMP vs. CPPCAP</A><BR /></SPAN></P> Sun, 24 May 2020 18:15:37 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Wrieshark-run-for-long-period/m-p/86166#M6647 HeikoAnkenbrand 2020-05-24T18:15:37Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Wrieshark-run-for-long-period/m-p/86256#M6658 There's also the "set up a mirror port on your switch" option and running a packet capture on a machine connected to said mirror port.<BR />That obviously requires having a switch where that is possible and having an extra machine. Mon, 25 May 2020 19:32:25 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Wrieshark-run-for-long-period/m-p/86256#M6658 PhoneBoy 2020-05-25T19:32:25Z