This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
KernelGordon
Employee Alumnus
Employee Alumnus
‎2020-01-07 10:07 PM

packet_captures.sh - Packet Captures for Dummies

 

What is packet_captures.sh?

packet_capture.sh is an open-source community tool which simplifies the way to collect:

1) tcpdump captures

2) FW Monitor captures

3) Kernel Debugs *ALWAYS during a maintenance window*

More functionality coming when I stop being lazy!

 

The main benefits are:

  • All captures and/or debugs are taken at the same time.
  • All captures and/or debugs are zipped into a single .tgz to be pulled from the device
  • No need to remember tcpdump or FW Monitor syntax

 

packet_captures.sh source code - HERE.

How to use it?

  1. Put Script on GW
  2. Run the following commands from expert mode:
    dos2unix packet_captures.sh
    chmod +x packet_captures.sh
    ./packet_captures.sh

Usage ./packet_captures.sh [-s <source IP>] [-d <destination IP>] [-p <port>] [-t] [-f] [-k]

Flag Description
-s Used to specify source IP for filtering tcpdump and FW Monitor captures. Multiple source IPs can be entered, each IP must be entered in [-s <source IP>] format
-d Used to specify destination IP for filtering tcpdump and FW Monitor captures. Multiple destination IPs can be entered, each IP must be entered in [-d <destination IP>] format
-p Used to specify port for filtering tcpdump and FW Monitor captures. Multiple ports can be entered, each port must be entered in [-p <port>] format
-t Tells script to take a tcpdump on all relevent interfaces based on IPs provided with -s and -d flags. Tcpdump will be filtered according to source IP(s), dedstination IP(s), and port(s) provided to script.
-f Tells script to take a FW Monitor capture. SecureXL will be disabled for captures on versions R80.10 and below. FW Monitor will be filtered according to source IP(s), dedstination IP(s), and port(s) provided to script.
-k Tells script to take Kernel Debugs. Entering only -k flag will default to debugging the fw module with the drop flag (fw ctl debug -m fw + drop). You can select the module and flags that you want to debug by running the -k flag followed by the module and flags in double-quotes like so: -k "-m fw + drop".

*DISCLAIMER - This open source tool is provided “As Is”.  No representations or warranties are provided with the use of this tool.

3 Replies
Danny
Champion Champion
Champion
‎2020-01-07 10:29 PM

Your code says:

# FW Monitor syntax changed from R80.20 take 76 onwards
#TODO: Create different FW Monitor filters for new and old syntax.

Well, R80.30 doesn't feature the new simple capture filter (yet), so you need to check whether the system actually features the new -F syntax independently from the version. Also while -F may be available the end user should still be allowed to use the traditional -e  command if he/she wants to as this is still supported and may just require disabling of ClusterXL while running fw monitor.

I like your efforts in this project and I'm also working on a similar one called: FW Monitor SuperTool

0 Kudos
KernelGordon
Employee Alumnus
Employee Alumnus
‎2020-01-09 02:48 PM
In response to Danny

Thanks for the input on the script. I added a check for the new FW Monitor syntax with the '-F' flag  as well as an error message to alert users when they have run the script will enough IPs and ports to generate over 5 filters.

The new '-F' flag is very limiting compared to the old '-e' syntax as it can only handle 5 filters and it forces them to all be logical OR...

I'm really interested in your SuperTool and some of the other scripts you've written. I've learned a little from just going over them. 😁

0 Kudos
Daniel_
Advisor
‎2020-12-10 11:08 PM

Maybe you can modify your script to check if cppcap is available and use this instead of tcpdump?

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events