PhoneBoy
Admin

New Tool: CPPCAP

TCPDUMP is a Linux tool which at times is not suitable for use with Gaia.

Specifically, it can use a noticeable amount of CPU.

Check Point created a tool which works better with Gaia OS: CPPCAP

'CPPCAP' is a traffic capture tool which provides the most relevant outputs and is similar to Tcpdump.

The tool is adjusted to the Gaia operating system, yet requires installation of the applicable RPM.

You can download this tool for R77.30, R80.10, and R80.20 and get more details here: Running TCPDUMP causes high CPU usage 

24 Replies
HeikoAnkenbrand
Champion

Hi Dameon,

Must SecureXL be disabled (fwaccel off) to use this tool with R80.20?

And how's that with R80.10 and R77.30?

Regards

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
PhoneBoy
Admin

Not that I know of.

Aviad_Hadarian
Employee

Heiko Ankenbrand, SecureXL can be enabled or disabled.

RickHoppe
Advisor

Currently trying cppcap out on R80.10 JHF Take 167. I see only "Out" in my packet capture when SecureXL is turned off. When SecureXL is enabled I only see "In". So on pre-R80.20 machines the advice seems to be to turn off SecureXL when using cppcap.

My blog: https://checkpoint.engineer
Mike_A
Advisor

Will this eventually be released to install via CPUSE? 

*** EDIT ***

Just to add, I see the CPUSE Identifier in the SK; the question is about publishing this update in CPUSE without having to use the identifier, just like other Recommended updates.

Thanks!

PhoneBoy
Admin

I assume we will push it as a recommended update after we get some good feedback.

Mike_A
Advisor

One positive thing I've seen so far is the file size being included, not just the number of packets captured! 

-bash-3.1# cppcap -DNT host 10.0.10.79 -o /var/tmp/mike.pcap
934 packets captured (75.719 KB)

JozkoMrkvicka
Mentor

Grave_Rose
Collaborator

Thanks for tagging this for me, Jozko Mrkvicka. Looks like it's time to play around and add a new module. I'll get this going through the week (hopefully) and update the tcpdump101.com thread once it's done.

Grave_Rose
Collaborator

I've added the 'cppcap' module to https://tcpdump101.com and updated the main Check Mates thread here https://community.checkpoint.com/thread/9013-tool-httpstcpdump101com for anyone who wants to discuss more.

Martin_Valenta
Advisor

Is it planned to be pre-installed on newer version of ISO images ? 

Jelle_Hazenberg
Collaborator

Hi,

Looks like a nice tool... But it's only for gateways that use a 64-bit kernel...

Unsupported kernel version (Only 64-bit is supported)

Maybe this is worth mentioning in the discussion / SK

Regards,

Jelle

PhoneBoy
Admin

Will ask the SK team to add this to the limitations.

That said, I would think 32-bit is rare at this point, as 64-bit is required to run with more than 4-6GB of RAM.

Harald_Hansen
Advisor

Also ask them to fix the syntax error in the example ...

cppcap –f "arp and host XXX.XXX.XXX.XXX" -DNT –o /var/log/capture.pcap

Dash before the first 'f' and 'o'.

Edit: the text contains the dash, though on screen it is invisible (at least in Safari).

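A quick check for the invisible-dash problem described above, added here as an example and not part of the original post or of the cppcap tool: it flags typographic dashes in a pasted command, normalizes them to ASCII hyphen-minus, and shows which tokens the shell would actually hand to cppcap as options. The sample command is the SK line quoted in the post; the dash set and the helper names are my own assumptions.

```python
import shlex
import unicodedata

# Characters that commonly replace "-" when a command line passes through a
# word processor, wiki or browser: en dash, em dash, minus sign, hyphen,
# non-breaking hyphen, figure dash. (Assumption: this set is mine, not cppcap's.)
TYPOGRAPHIC_DASHES = {"\u2013", "\u2014", "\u2212", "\u2010", "\u2011", "\u2012"}


def find_bad_dashes(cmd):
    """Return (offset, Unicode name) for every non-ASCII dash in the command."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(cmd) if ch in TYPOGRAPHIC_DASHES]


def normalize_command(cmd):
    """Replace typographic dashes with ASCII hyphen-minus (U+002D)."""
    return "".join("-" if ch in TYPOGRAPHIC_DASHES else ch for ch in cmd)


def option_tokens(cmd):
    """Tokens the shell passes to the program that start with a real ASCII '-'.

    shlex.split honours the double quotes around the BPF filter, so the filter
    stays one argument, as it would on the Gaia command line.
    """
    return [tok for tok in shlex.split(cmd) if tok.startswith("-")]


# The example line from the SK as quoted above, with the en dashes that render
# like hyphens in some browsers written as explicit escapes.
SK_EXAMPLE = 'cppcap \u2013f "arp and host XXX.XXX.XXX.XXX" -DNT \u2013o /var/log/capture.pcap'

if __name__ == "__main__":
    for offset, name in find_bad_dashes(SK_EXAMPLE):
        print(f"offset {offset}: {name}")
    print("options seen as pasted:", option_tokens(SK_EXAMPLE))
    print("options after fix:     ", option_tokens(normalize_command(SK_EXAMPLE)))
```

As pasted, only -DNT is a real option; -f and -o are handed to cppcap as a positional argument beginning with an en dash, which is why the command fails even though it looks right on screen.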
Sean_Van_Loon
Contributor

Received notification from SK team that SK has been modified: "Note: The tool is supported only on 64 bit OS."

Robert_Canis
Participant

I've always used fw monitor over tcpdump. 

What exactly does this new tool, or tcpdump get you over fw monitor? 

PhoneBoy
Admin

A couple of benefits:

  • You can actually save the packet captures
  • You can see traffic that doesn't traverse the firewall (i.e. broadcast or ARP traffic)
Robert_Canis
Participant

You can save fw monitor captures with the -o option, so now we're down to just seeing broadcast traffic.

Václav_Brožík
Collaborator

fw monitor can save the packet captures (in the snoop format) and show traffic that doesn't traverse the firewall including broadcasts (at the "i" position). It just does not capture non-IP traffic.

clear advantages of tcpdump:

  • captures Ethernet headers (i.e. it captures MAC addresses, VLAN tags etc.)
  • captures non-IP traffic (i.e. ARP, LACP, STP...)
  • filters by Ethernet headers (MAC addresses, VLAN tags, non-IP protocols...)
  • AFAIK works with fwaccel on
  • AFAIK captures the frames before entering and after leaving the FW kernel modules (useful for special troubleshooting)

case by case advantages:

  • more widely used filter syntax (pcap library)
  • more widely used capture file format (pcap)

There are of course also multiple advantages of fw monitor over tcpdump.

As I understand it, cppcap should be able to do the same as tcpdump but using fewer resources.

Unfortunately currently cppcap has limitations - see Limitations of cppcap

Hugo_vd_Kooij
Advisor

I have to upload a bunch of core dumps of the cppcap daemon.

Not sure what triggered them. I just noticed them when I was investigating something else.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
Matthias_Kring
Contributor

What's the meaning of "IPP 6" in the output line?

e.g.

09:27:52.99817 Out [eth1] 192.168.105.101:25 > 192.168.253.19:1039, IPP 6

RickHoppe
Advisor

IPP 6 is Protocol Number 6. Protocol Number 6 is TCP. You can expect IPP 17 when it is UDP. See Protocol Numbers for a complete list.

In your example this means there was traffic sent from 192.168.105.101 to 192.168.253.19 on port TCP/1039. It might be return traffic for SMTP (TCP/25) as the source port is 25.

My blog: https://checkpoint.engineer
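A small parser for the cppcap output line, added here as an example and not part of cppcap or of any post in this thread. The line layout is inferred from the single sample quoted in the question (an assumption; real cppcap output for other protocols may differ), the protocol names are the IANA assigned Internet Protocol Numbers, and the port heuristic is the reasoning in the reply made explicit. The by_direction count is a quick way to spot the one-direction captures RickHoppe reports earlier in the thread. All sample lines except the first are constructed.

```python
import re
from collections import Counter

# Line format inferred from the single output line quoted above
# (assumption: "<hh:mm:ss.frac> <In|Out> [<iface>] <src>[:<sport>] > <dst>[:<dport>], IPP <n>";
# ports are optional so that lines for port-less protocols such as ICMP still parse).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<dir>In|Out)\s+"
    r"\[(?P<iface>[^\]]+)\]\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?,\s+"
    r"IPP\s+(?P<ipp>\d+)\s*$"
)

# IANA Assigned Internet Protocol Numbers, the ones you meet on a gateway.
IP_PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 47: "GRE",
                50: "ESP", 51: "AH", 58: "ICMPv6", 89: "OSPF", 132: "SCTP"}

# A few well-known server ports for the "which side is the service?" reasoning.
WELL_KNOWN_PORTS = {22: "SSH", 25: "SMTP", 53: "DNS", 80: "HTTP", 123: "NTP", 443: "HTTPS"}


def proto_name(ipp):
    """Map an IP protocol number to its name, or 'proto-N' if not in the table."""
    return IP_PROTOCOLS.get(ipp, f"proto-{ipp}")


def service_hint(rec):
    """Same reasoning as in the reply: a well-known port on the destination side
    looks like a request to that service, on the source side like its reply."""
    if rec["proto"] not in ("TCP", "UDP"):
        return None
    if rec["dport"] in WELL_KNOWN_PORTS:
        return f"{rec['proto']}/{rec['dport']} {WELL_KNOWN_PORTS[rec['dport']]} request"
    if rec["sport"] in WELL_KNOWN_PORTS:
        return f"likely reply from {rec['proto']}/{rec['sport']} {WELL_KNOWN_PORTS[rec['sport']]}"
    return None


def parse_line(line):
    """Parse one cppcap output line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    rec = {
        "ts": g["ts"], "dir": g["dir"], "iface": g["iface"],
        "src": g["src"], "sport": int(g["sport"]) if g["sport"] else None,
        "dst": g["dst"], "dport": int(g["dport"]) if g["dport"] else None,
        "ipp": int(g["ipp"]), "proto": proto_name(int(g["ipp"])),
    }
    rec["service_hint"] = service_hint(rec)
    return rec


def summarize(lines):
    """Count parsed lines by direction and protocol; a capture showing only one
    direction is what RickHoppe describes above for SecureXL on/off."""
    recs = [r for r in (parse_line(ln) for ln in lines) if r]
    return {
        "parsed": len(recs),
        "unparsed": len(lines) - len(recs),
        "by_direction": dict(Counter(r["dir"] for r in recs)),
        "by_proto": dict(Counter(r["proto"] for r in recs)),
    }


# First line is the one quoted in the question; the rest are constructed in the same shape.
SAMPLE_LINES = [
    "09:27:52.99817 Out [eth1] 192.168.105.101:25 > 192.168.253.19:1039, IPP 6",
    "09:27:53.00102 In [eth1] 192.168.253.19:1039 > 192.168.105.101:25, IPP 6",
    "09:27:53.10455 In [eth0] 10.0.10.79:53412 > 10.0.10.1:53, IPP 17",
    "09:27:53.22010 Out [eth0] 10.0.10.1 > 10.0.10.79, IPP 1",
    "934 packets captured (75.719 KB)",  # trailer line, deliberately not matched
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_line(line)
        print(rec if rec else f"skipped: {line}")
    print(summarize(SAMPLE_LINES))
```

Feed it the captured text (for example the output of cppcap redirected to a file) and compare by_direction: if you see only Out or only In on an R80.10 box, check the SecureXL state before trusting the capture.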
Sven_Glock
Advisor

As you have to install CPPCAP manually after every fresh installation until R80.40, I decided to create a small SmartConsole Repository Script to get this job done.
You will find more details here: SmartConsole-Scripts-Repository-use-cases-and-experience

I hope it makes it easier for you guys to start working with CPPCAP.

Cheers

Sven

Oleg_Ershov
Explorer

How do you use it on 60000? "tcpdump -mcap" can capture traffic on all or selected blades.