| What is CPPCAP? |
|---|
TCPDUMP is a Linux tool which at times is not suitable for use with Gaia. Running TCPDUMP causes a significant increase in CPU usage and as a result impact the performance of the device. Even while filtering by specific interface or port still high CPU occurs. Check Point created a tool which works better with Gaia OS.
| Chapter |
|---|
Architecture:
R80.x Security Gateway Architecture (Logical Packet Flow)
R80.x Security Gateway Architecture (Content Inspection)
R80.x Security Gateway Architecture (Acceleration Card Offloading)
R80.x Ports Used for Communication by Various Check Point Modules
Performance Tuning:
R80.x Performance Tuning Tip - AES-NI
R80.x Performance Tuning Tip - SMT (Hyper Threading)
R80.x Performance Tuning Tip - Multi Queue
R80.x Performance Tuning Tip - Connection Table
R80.x Performance Tuning Tip - fw monitor
R80.x Performance Tuning Tip - TCPDUMP vs. CPPCAP
R80.x Performance Tuning Tip – DDoS „fw sam“ vs. „fwaccel dos“
Cheat Sheet:
R80.x cheat sheet - fw monitor
R80.x cheat sheet - ClusterXL
More interesting articles:
Article list (Heiko Ankenbrand)
| CPPCAP |
|---|
Tip 1
"CPPCAP" is a traffic capture tool which provides the most relevant outputs and is similar to Tcpdump. The tool is adjusted to Gaia operating system yet requires installation of an applicable RPM.
The good news! SecureXL can be enabled or disabled to capture with CPPCAP.
You can download this tool for R77.30, R80.10 and R80.20. Get more details here: sk141412
Instal and use:
On external Interface:
# cppcap -i eth2 -N |grep ICMP
Notes:
- To have all verbos information add "-DNT" to the syntax to filter out specific interface or VS by using capital letters.
- It will provide outputs on ARP IPV4/IPV6, TCP and UDP traffic. Dynamic routing information will not show all verbose information.
Tip 2
In and out (see red marked point in picture):
In - Is the incoming packet on the firewall on the inbound interface from the point of view of the first packet. It is simalary to fw monitor inspection point "i" client to server packet.
Out - Is the outgoing packet on the firewall on the inbound interface from the point of view of the first packet. It is simalary to fw monitor inspection point "O" server to client packet.
On the outgoing interface (see blue marked point in picture), the view is exactly inverse.
Tip 3
| Flag | Explanation |
| -vV VSID | lowercase to capture only from specific VSID, uppercase for all exec pt VSID |
| -iI DEVICE | lowercase to capture only from specific DEVICE, uppercase for all execpt DEVICE |
| -d DIR | capture specific direction ('in' for inbound, 'out' for outbound) |
| -f "EXPR" | filter specific expression, for syntax, see pcap-filter(7) |
| -o FILE | save capture to a FILE |
| -c NUM | capture up to NUM bytes of frame (default 96, '0' for any size) |
| -p NUM | capture NUM frames before stopping |
| -b NUM | capture NUM bytes before stopping |
| -D | verbose datalink layer |
| -N | verbose network layer |
| -T | verbose transport layer |
| -Q | omit time from output |
Copyright by Heiko Ankenbrand 1994-2019
