Admin

New Tool: CPPCAP

TCPDUMP is a Linux tool which at times is not suitable for use with Gaia.

Specifically, it can use a noticeable amount of CPU.

Check Point created a tool which works better with Gaia OS: CPPCAP

'CPPCAP' is a traffic capture tool which provides the most relevant outputs and is similar to Tcpdump.

The tool is adjusted to Gaia operating system yet requires installation of an applicable RPM.

You can download this tool for R77.30, R80.10, and R80.20 and get more details here: Running TCPDUMP causes high CPU usage 

22 Replies

Re: New Tool: CPPCAP

Hi Dameon,

Must SecureXL be disabled (fwaccel off) to use this tool with R80.20?

And how's that with R80.10 and R77.30?

Regards

Heiko

0 Kudos
Admin

Re: New Tool: CPPCAP

Not that I know of.

Employee

Re: New Tool: CPPCAP

Heiko Ankenbrand‌, SecureXL can be enabled or disabled.

RickHoppe
Silver

Re: New Tool: CPPCAP

Currently trying cppcap out on R80.10 JHF Take 167. I see only "Out" in my packet capture when SecureXL is turned off. When SecureXL is enabled I only see "In". So on pre-R80.20 machines the advice seems to be to turn off SecureXL when using cppcap.

Blog: https://checkpoint.engineer
0 Kudos
Mike_A
Copper

Re: New Tool: CPPCAP

Will this eventually be released to install via CPUSE? 

*** EDIT ***

Just to add, I see the CPUSE Identifier in the SK, the question is about the publish of this update in CPUSE without having to use the identifier, just like other Recommended updates. 

Thanks!

Admin

Re: New Tool: CPPCAP

I assume we will push it as a recommended update after we get some good feedback :)

0 Kudos
Mike_A
Copper

Re: New Tool: CPPCAP

One positive thing I've seen so far is the file size being included, not just the number of packets captured! 

-bash-3.1# cppcap -DNT host 10.0.10.79 -o /var/tmp/mike.pcap
934 packets captured (75.719 KB)

JozkoMrkvicka
Platinum

Re: New Tool: CPPCAP

Grave_Rose
Copper

Re: New Tool: CPPCAP

Thanks for tagging this for me, Jozko Mrkvicka. Looks like it's time to play around and add a new module. :) I'll get this going through the week (hopefully) and update the tcpdump101.com thread once it's done.

Grave_Rose
Copper

Re: New Tool: CPPCAP

I've added the 'cppcap' module to https://tcpdump101.com and updated the main Check Mates thread here https://community.checkpoint.com/thread/9013-tool-httpstcpdump101com for anyone who wants to discuss more. :)

Re: New Tool: CPPCAP

Is it planned to be pre-installed on newer versions of ISO images?

Re: New Tool: CPPCAP

Hi,

Looks like a nice tool... But it's only for gateways that use a 64-bit kernel...

Unsupported kernel version (Only 64-bit is supported)

Maybe this is worth mentioning in the discussion / SK

Regards,

Jelle

Admin

Re: New Tool: CPPCAP

Will ask the SK team to add this to the limitations.

That said, I would think 32-bit is rare at this point, as 64-bit is required to run with more than 4-6GB of RAM.

Re: New Tool: CPPCAP

Also ask them to fix the syntax error in the example ...

cppcap -f "arp and host XXX.XXX.XXX.XXX" -DNT -o /var/log/capture.pcap

Dash before the first 'f' and 'o'.

Edit: the text contains the dash, though on screen it is invisible (at least in Safari).

0 Kudos

Re: New Tool: CPPCAP

Received notification from SK team that SK has been modified: "Note: The tool is supported only on 64 bit OS."

0 Kudos

Re: New Tool: CPPCAP

I've always used fw monitor over tcpdump. 

What exactly does this new tool, or tcpdump get you over fw monitor? 

0 Kudos
Admin

Re: New Tool: CPPCAP

A couple of benefits:

  • You can actually save the packet captures
  • You can see traffic that doesn't traverse the firewall (i.e. broadcast or ARP traffic)

Re: New Tool: CPPCAP

You can save fw monitor captures with the -o option, so now we're down to just seeing broadcast traffic.

0 Kudos

Re: New Tool: CPPCAP

fw monitor can save the packet captures (in the snoop format) and show traffic that doesn't traverse the firewall including broadcasts (at the "i" position). It just does not capture non-IP traffic.

clear advantages of tcpdump:

  • captures Ethernet headers (i.e. it captures MAC addresses, VLAN tags etc.)
  • captures non-IP traffic (i.e. ARP, LACP, STP...)
  • filters by Ethernet headers (MAC addresses, VLAN tags, non-IP protocols...)
  • AFAIK works with fwaccel on
  • AFAIK captures the frames before entering and after leaving the FW kernel modules (useful for special troubleshooting)

case by case advantages:

  • more widely used filter syntax (pcap library)
  • more widely used capture file format (pcap)

There are of course also multiple advantages of fw monitor over tcpdump.

As I understand it, cppcap should be able to do the same as tcpdump but using fewer resources.

Unfortunately currently cppcap has limitations - see Limitations of cppcap

0 Kudos
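The list above turns on what a pcap-format capture keeps that a snoop-format fw monitor capture (per the post) does not: Ethernet MAC addresses, 802.1Q VLAN tags and non-IP frames such as ARP. The following Python script is an added example, not code from the thread or from Check Point: it parses a classic libpcap file (the format tcpdump -w writes; the thread's cppcap example writes to a .pcap path) down to the Ethernet layer, so a capture can be checked for exactly those fields. The three-frame sample pcap is constructed inline; the magic number, version, LINKTYPE_ETHERNET = 1 and the record header layout are the public libpcap format.

```python
import struct

ETH_P_8021Q = 0x8100   # 802.1Q VLAN tag
ETH_P_IP = 0x0800      # IPv4
ETH_P_ARP = 0x0806     # ARP (non-IP traffic; only visible at the Ethernet layer)

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def ip4(b):
    return ".".join(str(x) for x in b)

def parse_frame(frame):
    """Decode one Ethernet frame: MACs, optional VLAN tag, then ARP or IPv4."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    rec = {"dst_mac": mac(dst), "src_mac": mac(src), "vlan": None}
    off = 14
    if ethertype == ETH_P_8021Q:            # VLAN tag sits between MACs and real ethertype
        tci, ethertype = struct.unpack("!HH", frame[off:off + 4])
        rec["vlan"] = tci & 0x0FFF          # low 12 bits of the TCI are the VLAN ID
        off += 4
    rec["ethertype"] = ethertype
    if ethertype == ETH_P_ARP:
        _htype, _ptype, _hlen, _plen, oper = struct.unpack("!HHBBH", frame[off:off + 8])
        rec.update(proto="ARP", arp_op="request" if oper == 1 else "reply",
                   spa=ip4(frame[off + 14:off + 18]), tpa=ip4(frame[off + 24:off + 28]))
    elif ethertype == ETH_P_IP:
        ihl = (frame[off] & 0x0F) * 4       # header length in bytes
        ipp = frame[off + 9]                # IP protocol number (the "IPP" cppcap prints)
        rec.update(proto="IPv4", ipp=ipp, src_ip=ip4(frame[off + 12:off + 16]),
                   dst_ip=ip4(frame[off + 16:off + 20]))
        if ipp in (6, 17):                  # TCP/UDP: ports are the first 4 bytes of L4
            rec["sport"], rec["dport"] = struct.unpack("!HH", frame[off + ihl:off + ihl + 4])
    else:
        rec["proto"] = f"ethertype 0x{ethertype:04x}"
    return rec

def parse_pcap(data):
    """Walk a classic (non-pcapng) libpcap file and decode every Ethernet record."""
    magic, _vmaj, _vmin, _tz, _sig, _snaplen, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap file")
    if linktype != 1:
        raise ValueError("only LINKTYPE_ETHERNET (1) is handled here")
    off, records = 24, []
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        rec = parse_frame(data[off:off + incl_len])
        rec["ts"] = ts_sec + ts_usec / 1e6
        records.append(rec)
        off += incl_len
    return records

def describe(rec):
    tag = f" vlan {rec['vlan']}" if rec["vlan"] is not None else ""
    head = f"{rec['src_mac']} > {rec['dst_mac']}{tag}"
    if rec["proto"] == "ARP":
        return f"{head} ARP {rec['arp_op']} {rec['spa']} -> {rec['tpa']}"
    if rec["proto"] == "IPv4":
        ports = f" {rec['sport']}->{rec['dport']}" if "sport" in rec else ""
        return f"{head} IPv4 {rec['src_ip']} > {rec['dst_ip']} IPP {rec['ipp']}{ports}"
    return f"{head} {rec['proto']}"

# ---- constructed sample capture (not real traffic) ----
def _ipv4(proto, src, dst, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0x4000, 64,
                      proto, 0, bytes(src), bytes(dst))
    return hdr + payload

def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

ARP_REQ = (bytes.fromhex("ffffffffffff 001122334455 0806")
           + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, bytes.fromhex("001122334455"),
                         bytes([192, 168, 1, 10]), bytes(6), bytes([192, 168, 1, 1])))
VLAN_TCP = (bytes.fromhex("00aabbccddee 001122334455") + struct.pack("!HHH", 0x8100, 100, 0x0800)
            + _ipv4(6, [192, 168, 105, 101], [192, 168, 253, 19],
                    struct.pack("!HHIIBBHHH", 25, 1039, 0, 0, 0x50, 0x18, 8192, 0, 0)))
UDP_DNS = (bytes.fromhex("00aabbccddee 001122334455 0800")
           + _ipv4(17, [10, 0, 10, 79], [10, 0, 10, 1], struct.pack("!HHHH", 40000, 53, 8, 0)))
SAMPLE_PCAP = _pcap([ARP_REQ, VLAN_TCP, UDP_DNS])

if __name__ == "__main__":
    for r in parse_pcap(SAMPLE_PCAP):
        print(describe(r))
```

Point parse_pcap at the bytes of a real capture to list MACs, VLAN IDs and ARP frames directly; if a capture shows no VLAN tags or ARP at all, that is the difference between a Layer 2 capture and one taken at the fw monitor inspection points.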

Re: New Tool: CPPCAP

I have to upload a bunch of core dumps of the cppcap daemon.

Not sure what triggered them. I just noticed them when I was investigating something else.

0 Kudos

Re: New Tool: CPPCAP

What's the meaning of "IPP 6" in the output line?

e.g.

09:27:52.99817 Out [eth1] 192.168.105.101:25 > 192.168.253.19:1039, IPP 6

0 Kudos
RickHoppe
Silver

Re: New Tool: CPPCAP

IPP 6 is Protocol Number 6. Protocol Number 6 is TCP. You can expect IPP 17 when it is UDP. See Protocol Numbers for a complete list.

In your example this means there was traffic sent from 192.168.105.101 to 192.168.253.19 on port TCP/1039. It might be return traffic for SMTP (TCP/25) as the source port is 25.

Blog: https://checkpoint.engineer
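To make the answer above reusable, here is an added example (not from the thread or from Check Point) that parses cppcap summary lines of the shape shown in the question, maps the IPP number to its IANA protocol name, and applies the same reasoning as the answer: a well-known source port with an ephemeral destination port is likely the service's return traffic. The line pattern is an assumption generalised from the single line in the thread, with the port suffix made optional so protocols without ports still parse; all lines except the first are constructed.

```python
import re
from collections import Counter

# IANA assigned Internet protocol numbers (subset); cppcap's "IPP n" is this number.
IP_PROTO = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP",
            51: "AH", 58: "ICMPv6", 89: "OSPF", 132: "SCTP"}

# Assumed line shape, generalised from the one line shown in the thread:
#   HH:MM:SS.frac In|Out [iface] src[:sport] > dst[:dport], IPP n
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<dir>In|Out)\s+\[(?P<iface>[^\]]+)\]\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?,\s+IPP\s+(?P<ipp>\d+)$"
)

def parse_line(line):
    """Return a dict for one cppcap summary line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ipp = int(m["ipp"])
    return {
        "ts": m["ts"], "direction": m["dir"], "iface": m["iface"],
        "src": m["src"], "dst": m["dst"],
        "sport": int(m["sport"]) if m["sport"] else None,
        "dport": int(m["dport"]) if m["dport"] else None,
        "ipp": ipp, "proto": IP_PROTO.get(ipp, f"IPP {ipp}"),
    }

def likely_reply(rec):
    """Heuristic from the answer: well-known source port, ephemeral destination
    port -> most likely the server's return traffic rather than a new request."""
    return (rec["sport"] is not None and rec["dport"] is not None
            and rec["sport"] < 1024 <= rec["dport"])

def summarize(lines):
    """Count packets per (direction, interface, protocol); collect unparsed lines."""
    counts, unparsed = Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
            continue
        counts[(rec["direction"], rec["iface"], rec["proto"])] += 1
    return counts, unparsed

SAMPLE_LINES = [
    # the line from the question
    "09:27:52.99817 Out [eth1] 192.168.105.101:25 > 192.168.253.19:1039, IPP 6",
    # constructed lines, assuming the same output format
    "09:27:53.00102 In [eth1] 192.168.253.19:1039 > 192.168.105.101:25, IPP 6",
    "09:27:53.10450 In [eth0] 10.0.10.79:40000 > 10.0.10.1:53, IPP 17",
    "09:27:53.20011 Out [eth2] 10.0.10.1 > 10.0.20.1, IPP 50",
    "this line is not cppcap output",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_line(line)
        if rec:
            flag = " (likely return traffic)" if likely_reply(rec) else ""
            print(f"{rec['direction']:<3} {rec['iface']:<5} {rec['proto']:<5} "
                  f"{rec['src']}:{rec['sport']} > {rec['dst']}:{rec['dport']}{flag}")
    counts, unparsed = summarize(SAMPLE_LINES)
    print(dict(counts), "unparsed:", len(unparsed))
```

Feed it the text output of a cppcap run (for example via stdin, one line per packet) to get per-interface, per-protocol counts and a quick read on which lines are replies; anything cppcap prints in a shape the assumed pattern does not cover lands in the unparsed list rather than being silently dropped.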