This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Highlighted
HeikoAnkenbrand
Champion
Champion
‎2018-12-02 10:21 AM

R80.x Performance Tuning and Debug Tips – TCPDUMP vs. CPPCAP

What is CPPCAP?


TCPDUMP is a Linux tool which at times is not suitable for use with Gaia. Running TCPDUMP causes a significant increase in CPU usage and as a result impact the performance of the device. Even while filtering by specific interface or port still high CPU occurs. Check Point created a tool which works better with Gaia OS.

Chapter

More interesting articles:

- R80.x Architecture and Performance Tuning - Link Collection
- Article list (Heiko Ankenbrand)

CPPCAP

Tip 1 

"CPPCAP" is a traffic capture tool which provides the most relevant outputs and is similar to Tcpdump. The tool is adjusted to Gaia operating system yet requires installation of an applicable RPM.

The good news! SecureXL can be enabled or disabled to capture with CPPCAP.

You can download this tool for R77.30, R80.10 and R80.20. Get more details here: sk141412

Instal and use:

  1. Download the RPM package (sk141412) and transfer the RPM package with winscp to appliance or open server.
  2. Install the RPM using the following command:
    # rpm -ivh --force --nodeps <RPM_FILE>
    # /etc/init.d/start_cppcap start
  3. Start cppcap to sniffing packages (for example on interface eth0 with parameter "N"):

    On internal Interface (example "ping 8.8.8.8" from client IP 10.1.2.1 to server IP 8.8.8.8)    :
    #     cppcap -i eth0 -N  |grep ICMP

        On external Interface:

        # cppcap -i eth2 -N  |grep ICMP

Notes:

- To have all verbos information add "-DNT" to the syntax to filter out specific interface or VS by using capital letters.
- It will provide outputs on ARP IPV4/IPV6, TCP and UDP traffic. Dynamic routing information will not show all verbose information.

Tip 2

In and out (see red marked point in picture):

In       - Is the incoming packet on the firewall on the inbound interface from the point of view of the first packet. It is simalary to fw monitor inspection point "i" client to server packet.

Out    - Is the outgoing packet on the firewall on the inbound interface from the point of view of the first packet. It is simalary to fw monitor inspection point "O" server to client packet.

On the outgoing interface (see blue marked point in picture), the view is exactly inverse.

Tip 3

Flag Explanation
 -vV VSID                    lowercase to capture only from specific VSID, uppercase for all exec pt VSID
 -iI DEVICE  lowercase to capture only from specific DEVICE, uppercase for all execpt DEVICE         
 -d DIR  capture specific direction ('in' for inbound, 'out' for outbound)
 -f "EXPR"  filter specific expression, for syntax, see pcap-filter(7)
 -o FILE  save capture to a FILE
 -c NUM  capture up to NUM bytes of frame (default 96, '0' for any size)
 -p NUM  capture NUM frames before stopping
 -b NUM  capture NUM bytes before stopping
 -D  verbose datalink layer
 -N  verbose network layer
 -T  verbose transport layer
 -Q  omit time from output

 

11 Replies
Highlighted
Maik_H_
Participant
‎2018-12-08 03:03 AM

Will this integated in the next jumbo hotfix for R80.10, R77.30?

Highlighted
Patricia_OSulli
Participant
‎2018-12-08 07:35 AM

great

Highlighted
Sean_Van_Loon
Contributor
‎2018-12-10 04:38 AM

FYI: As said in https://community.checkpoint.com/thread/10595-new-tool-cppcap the CPPCAP tool cannot be run on 32 bit systems, only on 64 bit systems.

Currently this is not written in the sk141412 

Update 11/12: SK team modified the SK, under solution it is now stated: "Note: The tool is supported only on 64 bit OS."

Highlighted
Nabeel_Saeed
Explorer
‎2019-02-02 01:08 PM

GREAT JOB!

Highlighted
Lee_SoonFat
Participant
‎2019-03-18 02:35 PM

Interresting information.

Is it also with fw monitor?

0 Kudos
Highlighted
Yonathan_Grunew
Participant
‎2019-07-10 01:17 PM

Great post!

After installing the RPM, trying to start it causes an error. why is that?

# rpm -ivh --force --nodeps /home/admin/Check_point_R80.20_cp_pcap_sk141412.rpm
Preparing... ########################################### [100%]
1:cp_pcap ########################################### [100%]
# /etc/init.d/start_cppcap start
insmod: error inserting '/lib/modules/cppcap/cppcap_kern_64.o': -1 Unknown symbol in module
Failed to find major number for cppcap

 

0 Kudos
Highlighted
pbanerjee
Explorer
‎2020-04-12 07:23 AM

I faces the same issue and I did this.....

Delete the file...

#rm -r /lib/modules/cppcap/cppcap_kern_64.o

Stop the service

#/etc/init.d/start_cppcap stop

Uninstall it

#rpm -e cp_pcap

======

Now just reinstall and start....

#rpm -ivh --force --nodeps Check_point_R80.30_3.10_cp_pcap_sk141412.rpm

#/etc/init.d/start_cppcap start

This time prompt cameout without any error.

Hope this helps.

--Pritam

0 Kudos
Highlighted
Aviad_Hadarian
Employee
Employee
‎2020-07-27 11:30 PM

Hi Heiko, I'm the author of cppcap,

You don't need to use grep icmp like "cppcap -i eth2 -N  |grep ICMP", for That you can simply run 'cppcap -i eth2 -N -f "icmp"'

0 Kudos
Highlighted
SerB
Explorer
2 weeks ago

Does anyone know why I receive duplicated traffic?

0 Kudos
Highlighted
_Val_
Admin
Admin
2 weeks ago

what do you mean, duplicated?

0 Kudos
Highlighted
SerB
Explorer
2 weeks ago

Like this one.

Preview file
54 KB
0 Kudos