Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Grave_Rose
Collaborator

[tool] - https://tcpdump101.com

Hopefully self-promotion isn't frowned upon but I was suggested to post here. Over the past few years, I've been working on a tool to help people capture packets by allowing users to have a web-based interface to create the commands for them. Today, I've launched the latest version into production which supports "fw monitor" as well as "fw ctl debug" commands. It's located here: https://tcpdump101.com

I'm posting this in the hopes that people will find it useful (it supports tcpdump as well as other vendors) and maybe get some feedback from the community. If you use it, let me know if you find it handy, what you'd like to see improved and if you have any other suggestions.

Thanks,

Sean (Gr@ve_Rose)

Overview of Check Point module in tcpdump101

84 Replies
HeikoAnkenbrand
Champion Champion
Champion

Hi Sean,

I like to program web apps myself. It must have been a lot of work. I like this tool.

Great work!

Regards

Heiko

➜ CCSM Elite, CCME, CCTE
Grave_Rose
Collaborator

Thanks Heiko Ankenbrand‌. It took almost three years to get to this point and I'm looking forward to improving it more. I'm always open to suggestions from people to make it better as well so if you use it (or know people who would use it) and have ideas, please let me know.

Sean

JozkoMrkvicka
Mentor
Mentor

Kind regards,
Jozko Mrkvicka
Grave_Rose
Collaborator

PhoneBoy
Admin
Admin

I saw someone else mention the tool in the CheckMates en Français‌ section, glad you posted about it in English. Smiley Happy

Grave_Rose
Collaborator

I have to say that even as a Canadian, my French still isn't on par to where it should be. Smiley Happy In all seriousness, though, I'm glad it's helping people out. I've been fortunate to have learned from good people throughout my years and now it's my turn to give something back. I'm looking forward to adding more features which (hopefully) won't take another three years for a major release. Smiley Happy

_Val_
Admin
Admin

Because I have asked nicely 🙂

0 Kudos
JozkoMrkvicka
Mentor
Mentor

Maybe you can add options into fw monitor to specify source, destionation, port ? And also opposites - like not source, not destination,...

The same for tcpdump Smiley Happy

There are tons of parameters available in both cases which can be added into next release Smiley Happy

Kind regards,
Jozko Mrkvicka
0 Kudos
Grave_Rose
Collaborator

They're already there - That's the point of the tool. Smiley Happy On any module (tcpdump, fw monitor, fw ctl debug), use the right-hand side to create your filters. Use the drop-down box that is under "Filter Option" to get started and use "Add New Filter Option" to create a new one. Once the filters are created, your full PCap/Debug command appears at the top. You can then use the "Copy Command" or "Highlight Command" to get your command to paste into a terminal.

JozkoMrkvicka
Mentor
Mentor

Sorry, wasnt aware about it as I am using mobile to check it Smiley Happy

But anyway, in case your filter is setup and you realized you did mistake in IP, it will add new condition instead of correct the wrong one:

Kind regards,
Jozko Mrkvicka
0 Kudos
Grave_Rose
Collaborator

Good catch! Thanks for letting me know. Smiley Happy I'll try to fix this bug before Monday (hopefully) and will update again. 

Grave_Rose
Collaborator

Hey folks... I've patched the bug and the "fw monitor" portion now edits the proper filter instead of always editing the last one. Thanks to Jozko Mrkvicka‌ for reporting this to me. I owe you one Internet beer. Smiley Happy

0 Kudos
Vladimir
Champion
Champion

Sean,

Thank you for the excellent tool.

I believe there are two more options that should be included for the Chain Position Options: "e" and "E"

Regards,

Vladimir

JozkoMrkvicka
Mentor
Mentor

But these 2 Chains are only in R80, so maybe just simple chexbox to tick if user will run fw monitor on R80 would be enough.

Kind regards,
Jozko Mrkvicka
0 Kudos
Vladimir
Champion
Champion

Good option.

May be include the "fwaccel off; " at the beginning of the string as another?

HeikoAnkenbrand
Champion Champion
Champion

Right, but in general I don't recommend doing this on a production firewall the performance impact can be noticeable.  I would always recommend disabling SecureXL selectively for the IP addresses you want to capture ahead of time, then you can use tcpdump and/or fw monitor to see all inbound and outbound traffic:

 

sk104468: How to disable SecureXL for specific IP addresses

Regards

Heiko

➜ CCSM Elite, CCME, CCTE
Vladimir
Champion
Champion

Thank you Heiko!

I was not aware of this sk and, in my experience, even TAC consistently resorts to using blanket "fwaccel off" during troubleshooting.

Can anyone chime in if there is a way to achieve the same selective acceleration manipulation without policy installation in R80.++?

0 Kudos
HeikoAnkenbrand
Champion Champion
Champion

I started a vote to the topic:

 

Regards,
Heiko

➜ CCSM Elite, CCME, CCTE
0 Kudos
Grave_Rose
Collaborator

Thanks for the kind words, Vladimir Yakovlev‌. I like your idea of adding in the "eE" inspection options as well as putting some sort of switch for versioning that the users can select. Adding the "eE" should be pretty quick and, for now, I think I'll put a note on them to let people know that these are R80 switches only. In a future major release, I'll probably have some sort of R80.xx/R7X.xx switch that will hide and display different options.

With regards to putting in the command for disabling SecureXL at the start, I've added a note in the module that people can turn it off if they want to. I don't want to have "fwaccel off" at the start of the command in case it causes issues for people. By having the note there, it's an active choice the user makes themselves - Not me making the choice for them. As goofy  and paranoid as this may sound, it makes me a little less responsible if they bring down their firewall by disabling acceleration. Smiley Happy I do have a few warnings (including on the splash page, the module itself and the Help section) about people being responsible for their own actions but in todays day and age, you can never be too careful.

Thanks again for the ideas! Keep your eyes open since the "eE" chains will be in soon-ish.

Sean (Gr@ve_Rose)

Vladimir
Champion
Champion

Totally dig the caution in choosing what to include for auto execution.

0 Kudos
Grave_Rose
Collaborator

Hey Vladimir Yakovlev‌ - I've updated the site and it now has options for pre-R80 and R80 with the latter having "eE" support as you mentioned. Thanks for the suggestion! Smiley Happy

0 Kudos
Vladimir
Champion
Champion

Thank you for the quick turnaround!

0 Kudos
Grave_Rose
Collaborator

For you, no charge. Smiley Happy While I was working on this, I actually found a bug and fixed it up so your suggestion helped out in more than one way. ::high five::

0 Kudos
Vladimir
Champion
Champion

Smiley Happy I'm not the one to skimp on beer dues!

0 Kudos
Vladimir
Champion
Champion

Sean,

If I may, I'd like to suggest few modifications to the UI:

1. Some of the fields are a dark-grey on a light-gray background, (i.e. "Not") and are in relatively small letters. Changing it to something with higher contrast and increasing their size may look better. Mouse-over does improve situation marginally, but not enough IMHO.

2. The individual filter fields are pretty large, relative to the information payload in each, forcing to scroll up and down more than warranted in a simple queries. May be adding "+" and "-" for appending or removing filters and reusing the rest of the same horizontal space will yield higher density.

3. Actual output on top is not immediately apparent and is too close to the separating line under it. Perhaps few more pixels in between and a code box will do some good.

4. The "Highlight Command" icon under it could be moved to the very right of the output, to be more aligned with other tools using same approach (as seen in Azure, for instance).

5. Instead of "highlight command", possibly "Copy"

6. Possibly adding "History" drop-down, to retrieve the commands and editable filters for modification and reuse.

7. Possibly adding "Favorites" tree with subsets with same functionality as "History".

8. Inverse process: paste command to generate filtered steps.

Sorry for being picky, but it is a great tool and I'd like to see it evolving in even a better one.

Regards,

Vladimir

Grave_Rose
Collaborator

Hey Vladimir - You're not being picky at all. This is the kind of feedback I'm looking for. Smiley Happy

On mobile right now so I apologize for the short reply. 

For points 1 and 2, I've already started working on a new layout which will hopefully look a little better but that is going to take some time.  

Item 3 has some good ideas. I like the idea of a differently coloured code box as well as adding some space. This should be a quicker fix. I was also thinking that the fields could blink for a moment when added and changed. 

For number 4, I like the button at the bottom since some commands span multiple lines but I will experiment with it on the side like you suggested and see how it feels.

Item 5 - Some have "copy" already but some don't due to hidden spans. The copy function I'm using grabs all "innerHTML" so even hidden spans get copied making the commands invalid. Smiley Sad I am looking into being able to copy visible text only which would solve the issue. Stay tuned.

6 and 7 would require server-side includes like PHP. I want to stick with client-side only so people can download it and use it without needing their own server. Maybe in the future I'll do both, but for now, I'll stick with client-side.

8 is a great idea that I've been thinking about as well - Having an "explanation" button which explains everything. Again, probably a while down the road but in my mind.

Keep the suggestions coming and I'll keep listening! Smiley Happy

JozkoMrkvicka
Mentor
Mentor

No plan to add support for Juniper and Palo Alto ? I am not sure if these vendors has some specific in-build tools for traffic capturing like Check Point (fw monitor).

Kind regards,
Jozko Mrkvicka
0 Kudos
Grave_Rose
Collaborator

Hey Jozko Mrkvicka‌ - Thanks for the suggestion. I'm open to adding other vendors as well however I don't have a Palo or Juniper box to work with. I could just read their documentation but I prefer to have hands-on knowledge of what I'm working with. If I do get my hands on one of them, I'll be happy to add those modules.

0 Kudos
Marco_Valenti
Advisor

epic thanks mate

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events