https://community.checkpoint.com/t5/Spark-Firewall-SMB/Monitor-mode-and-PCAP-on-Quantum-Spark-gateways/m-p/126568#M5509 <P>Hello,</P><P>The shared link points to a wiki.checkpoint.com URL, but the domain is not being resolved by DNS:</P><P>&gt; wiki.checkpoint.com<BR />Servidor: dns.google<BR />Address: 8.8.8.8</P><P>*** dns.google no encuentra wiki.checkpoint.com: Non-existent domain<BR />&gt;</P><P>And the sk number is present on&nbsp;supportcenter.checkpoint.com. So maybe you can fix the link.&nbsp;</P><P>Regards</P> Wed, 11 Aug 2021 13:36:18 GMT RS_Daniel 2021-08-11T13:36:18Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Monitor-mode-and-PCAP-on-Quantum-Spark-gateways/m-p/126527#M5506 <P><SPAN>Traffic capture on a SPARK appliance with the&nbsp;</SPAN><CODE>tcpdump</CODE><SPAN>&nbsp;tool on a port configured in the Monitor mode (SPAN) shows only broadcast and multicast packets. By default, acceleration is enabled on the SPARK appliances. The acceleration module does not send the traffic it inspected to the&nbsp;<CODE>tcpdump&nbsp;</CODE>tool.&nbsp;</SPAN><SPAN>To capture traffic on a monitor port's logical interface (brS-LAN&lt;x&gt;):</SPAN></P> <OL> <LI> <P>Configure all the applicable ports to work in monitor mode.</P> </LI> <LI> <P>Connect to the command line on the SPARK appliance.</P> </LI> <LI> <P>Log in to the Expert mode.</P> </LI> <LI> <P>Run:</P> <P><CODE>/opt/fw1/bin/cap_monitor_port.sh</CODE></P> </LI> <LI> <P>Capture the traffic with the&nbsp;<EM>tcpdump</EM>&nbsp;tool.</P> </LI> <LI> <P>To make this change persistent (to survive reboot), run this command in the Expert mode (do not change the syntax):</P> <P><CODE>echo /opt/fw1/bin/cap_monitor_port.sh &gt;&gt; /pfrm2.0/etc/userScript</CODE></P> </LI> </OL> <P>Notes:</P> <UL> <LI> <P>This command is available starting from R80.20.20.</P> </LI> <LI> <P>Traffic that is dropped by the Security Policy is not captured.</P> </LI> </UL> <P>For more information, check out&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk172286&amp;partition=Advanced&amp;product=Quantum" target="_blank" rel="noopener" data-linked-resource-id="403082184" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="cronjob.JPG" data-nice-type="Image" data-linked-resource-content-type="image/jpeg" data-linked-resource-container-id="323176871" data-linked-resource-container-version="389">sk172286</A></P> Wed, 11 Aug 2021 13:46:23 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Monitor-mode-and-PCAP-on-Quantum-Spark-gateways/m-p/126527#M5506 AntoinetteHodes 2021-08-11T13:46:23Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Monitor-mode-and-PCAP-on-Quantum-Spark-gateways/m-p/126568#M5509 <P>Hello,</P><P>The shared link points to a wiki.checkpoint.com URL, but the domain is not being resolved by DNS:</P><P>&gt; wiki.checkpoint.com<BR />Servidor: dns.google<BR />Address: 8.8.8.8</P><P>*** dns.google no encuentra wiki.checkpoint.com: Non-existent domain<BR />&gt;</P><P>And the sk number is present on&nbsp;supportcenter.checkpoint.com. So maybe you can fix the link.&nbsp;</P><P>Regards</P> Wed, 11 Aug 2021 13:36:18 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Monitor-mode-and-PCAP-on-Quantum-Spark-gateways/m-p/126568#M5509 RS_Daniel 2021-08-11T13:36:18Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Monitor-mode-and-PCAP-on-Quantum-Spark-gateways/m-p/126569#M5510 <P>Hi Daniel, it is fixed. Thanks</P> Wed, 11 Aug 2021 13:46:55 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Monitor-mode-and-PCAP-on-Quantum-Spark-gateways/m-p/126569#M5510 AntoinetteHodes 2021-08-11T13:46:55Z