topic Re: [tool] - https://tcpdump101.com in General Topics

[tool] - https://tcpdump101.com

Grave_Rose — Fri, 24 Aug 2018 15:17:05 GMT

Hopefully self-promotion isn't frowned upon but I was suggested to post here. Over the past few years, I've been working on a tool to help people capture packets by allowing users to have a web-based interface to create the commands for them. Today, I've launched the latest version into production which supports "fw monitor" as well as "fw ctl debug" commands. It's located here: https://tcpdump101.com

I'm posting this in the hopes that people will find it useful (it supports tcpdump as well as other vendors) and maybe get some feedback from the community. If you use it, let me know if you find it handy, what you'd like to see improved and if you have any other suggestions.

Thanks,

Sean (Gr@ve_Rose)

Re: [tool] - https://tcpdump101.com

HeikoAnkenbrand — Fri, 24 Aug 2018 17:44:12 GMT

Hi Sean,

I like to program web apps myself. It must have been a lot of work. I like this tool.

Great work!

Regards

Heiko

Re: [tool] - https://tcpdump101.com

Grave_Rose — Fri, 24 Aug 2018 18:28:14 GMT

Thanks Heiko Ankenbrand‌. It took almost three years to get to this point and I'm looking forward to improving it more. I'm always open to suggestions from people to make it better as well so if you use it (or know people who would use it) and have ideas, please let me know.

Sean

Re: [tool] - https://tcpdump101.com

JozkoMrkvicka — Fri, 24 Aug 2018 19:34:35 GMT

Re: [tool] - https://tcpdump101.com

Grave_Rose — Fri, 24 Aug 2018 19:42:27 GMT

Re: [tool] - https://tcpdump101.com

PhoneBoy — Sat, 25 Aug 2018 00:31:44 GMT

I saw someone else mention the tool in the CheckMates en Français‌ section, glad you posted about it in English.

Re: [tool] - https://tcpdump101.com

Grave_Rose — Sat, 25 Aug 2018 01:42:32 GMT

I have to say that even as a Canadian, my French still isn't on par to where it should be. In all seriousness, though, I'm glad it's helping people out. I've been fortunate to have learned from good people throughout my years and now it's my turn to give something back. I'm looking forward to adding more features which (hopefully) won't take another three years for a major release.

Re: [tool] - https://tcpdump101.com

JozkoMrkvicka — Sat, 25 Aug 2018 08:28:38 GMT

Maybe you can add options into fw monitor to specify source, destionation, port ? And also opposites - like not source, not destination,...

The same for tcpdump

There are tons of parameters available in both cases which can be added into next release

Re: [tool] - https://tcpdump101.com

Grave_Rose — Sat, 25 Aug 2018 11:41:36 GMT

They're already there - That's the point of the tool. On any module (tcpdump, fw monitor, fw ctl debug), use the right-hand side to create your filters. Use the drop-down box that is under "Filter Option" to get started and use "Add New Filter Option" to create a new one. Once the filters are created, your full PCap/Debug command appears at the top. You can then use the "Copy Command" or "Highlight Command" to get your command to paste into a terminal.

Re: [tool] - https://tcpdump101.com

JozkoMrkvicka — Sat, 25 Aug 2018 13:26:27 GMT

Sorry, wasnt aware about it as I am using mobile to check it

But anyway, in case your filter is setup and you realized you did mistake in IP, it will add new condition instead of correct the wrong one:

Re: [tool] - https://tcpdump101.com

Grave_Rose — Sat, 25 Aug 2018 13:46:46 GMT

Good catch! Thanks for letting me know. I'll try to fix this bug before Monday (hopefully) and will update again.

Re: [tool] - https://tcpdump101.com

Vladimir — Sat, 25 Aug 2018 20:06:06 GMT

Sean,

Thank you for the excellent tool.

I believe there are two more options that should be included for the Chain Position Options: "e" and "E"

Regards,

Vladimir

Re: [tool] - https://tcpdump101.com

JozkoMrkvicka — Sat, 25 Aug 2018 22:20:23 GMT

But these 2 Chains are only in R80, so maybe just simple chexbox to tick if user will run fw monitor on R80 would be enough.

Re: [tool] - https://tcpdump101.com

Vladimir — Sat, 25 Aug 2018 23:20:33 GMT

Good option.

May be include the "fwaccel off; " at the beginning of the string as another?

Re: [tool] - https://tcpdump101.com

HeikoAnkenbrand — Sun, 26 Aug 2018 06:16:26 GMT

Right, but in general I don't recommend doing this on a production firewall the performance impact can be noticeable. I would always recommend disabling SecureXL selectively for the IP addresses you want to capture ahead of time, then you can use tcpdump and/or fw monitor to see all inbound and outbound traffic:

sk104468: How to disable SecureXL for specific IP addresses

Regards

Heiko

Re: [tool] - https://tcpdump101.com

Vladimir — Sun, 26 Aug 2018 13:45:26 GMT

Thank you Heiko!

I was not aware of this sk and, in my experience, even TAC consistently resorts to using blanket "fwaccel off" during troubleshooting.

Can anyone chime in if there is a way to achieve the same selective acceleration manipulation without policy installation in R80.++?

Re: [tool] - https://tcpdump101.com

Grave_Rose — Mon, 27 Aug 2018 00:13:32 GMT

Hey folks... I've patched the bug and the "fw monitor" portion now edits the proper filter instead of always editing the last one. Thanks to Jozko Mrkvicka‌ for reporting this to me. I owe you one Internet beer.

Re: [tool] - https://tcpdump101.com

Grave_Rose — Mon, 27 Aug 2018 00:25:47 GMT

Thanks for the kind words, Vladimir Yakovlev‌. I like your idea of adding in the "eE" inspection options as well as putting some sort of switch for versioning that the users can select. Adding the "eE" should be pretty quick and, for now, I think I'll put a note on them to let people know that these are R80 switches only. In a future major release, I'll probably have some sort of R80.xx/R7X.xx switch that will hide and display different options.

With regards to putting in the command for disabling SecureXL at the start, I've added a note in the module that people can turn it off if they want to. I don't want to have "fwaccel off" at the start of the command in case it causes issues for people. By having the note there, it's an active choice the user makes themselves - Not me making the choice for them. As goofy and paranoid as this may sound, it makes me a little less responsible if they bring down their firewall by disabling acceleration. I do have a few warnings (including on the splash page, the module itself and the Help section) about people being responsible for their own actions but in todays day and age, you can never be too careful.

Thanks again for the ideas! Keep your eyes open since the "eE" chains will be in soon-ish.

Sean (Gr@ve_Rose)

Re: [tool] - https://tcpdump101.com

Vladimir — Mon, 27 Aug 2018 01:48:50 GMT

Totally dig the caution in choosing what to include for auto execution.

Re: [tool] - https://tcpdump101.com

JozkoMrkvicka — Mon, 27 Aug 2018 06:19:54 GMT

No plan to add support for Juniper and Palo Alto ? I am not sure if these vendors has some specific in-build tools for traffic capturing like Check Point (fw monitor).