Contributor

Location of IPS Packet Capture PCAP Files in Distributed Environment

We have a distributed Check Point environment with a dedicated Check Point Log Server; all logs from the gateway are configured to be sent to the log server. In this case, please confirm where the packet capture logs are sent and what the location of those logs on the log server is.

Because, as per the SK, I was not able to find any files in the specified location on the gateway.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

  • In R80.10 - $FWDIR/log/forensics and /var/log/spool/mail/

Also verified $FWDIR/log/blob but still no files.

3 Replies

Admin

Maybe @TP_Master knows the exact location.
But I know there is also an API for this in the latest R80.40 JHF (and in R80.30 JHF 111+): https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Fetching-PCAP-via-API-in-R80-30-J...

Employee+

Hi @Lithin_Mathew 

How are you?

Blob directory was not changed from R80.10.

I would like to verify with you:

1. Can you see reports/blobs when you use SmartConsole?

2. What commands did you use to look for the blobs when you connected to the LS? Did you use mcd to make sure the path is changed based on the specific domain?

Contributor

Thank you @Shay_Hibah for checking on this.

My mistake, I had checked the wrong directory the last time. I checked through the CLI this time and was able to find the files in the blob folder.

But the format of the files is different; it's not .cap or .pcap, it's localhost.blob. How can I change the format to .cap or .pcap so that I can view it in Wireshark?

Example:

10.177.0.5__89.248.172.149_maildir_sent_new_time1601352097.mail-2498201990-3937761760.localhost.blob

Thank you in advance

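The filename quoted above encodes the flow's endpoints and a capture timestamp. The Python script below is an added example, not part of this thread or of Check Point's own tooling: it parses such names into their fields and converts the epoch value to UTC so a blob can be matched against the corresponding log entry by time and endpoints before anyone tries to open it. The field layout `<src_ip>__<dst_ip>_<kind>_time<epoch>.<id>.localhost.blob` is an assumption inferred from the single example filename in the post; the default directory `$FWDIR/log/blob` comes from the thread.

```python
#!/usr/bin/env python3
"""Parse IPS packet-capture blob filenames of the form quoted in the thread.

Added example, not Check Point tooling. The name layout is an assumption
inferred from the one example filename in the post:
    <src_ip>__<dst_ip>_<kind>_time<epoch>.<id>.localhost.blob
"""
import os
import re
import sys
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Assumed layout, constructed from the single example filename in the thread.
BLOB_NAME_RE = re.compile(
    r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3})"      # source IPv4 address
    r"__(?P<dst>\d{1,3}(?:\.\d{1,3}){3})"     # destination IPv4 address
    r"_(?P<kind>.+?)"                         # capture kind, e.g. maildir_sent_new
    r"_time(?P<epoch>\d{9,10})"               # Unix epoch seconds of the capture
    r"\.(?P<blob_id>[^/]+?)"                  # blob identifier, e.g. mail-<n>-<n>
    r"\.localhost\.blob$"
)

# Sample filename copied from the post above.
EXAMPLE_NAME = (
    "10.177.0.5__89.248.172.149_maildir_sent_new_time1601352097"
    ".mail-2498201990-3937761760.localhost.blob"
)


def parse_blob_name(name: str) -> Optional[Dict[str, object]]:
    """Return the fields encoded in a blob filename, or None if it does not match."""
    m = BLOB_NAME_RE.match(os.path.basename(name))
    if m is None:
        return None
    epoch = int(m.group("epoch"))
    captured = datetime.fromtimestamp(epoch, tz=timezone.utc)
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "kind": m.group("kind"),
        "epoch": epoch,
        "captured_utc": captured.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "blob_id": m.group("blob_id"),
        "file": name,
    }


def scan_blob_dir(path: str) -> List[Dict[str, object]]:
    """Parse every matching *.localhost.blob name in a directory, newest capture first."""
    parsed: List[Dict[str, object]] = []
    for entry in os.listdir(path):
        info = parse_blob_name(entry)
        if info is not None:
            parsed.append(info)
    parsed.sort(key=lambda d: d["epoch"], reverse=True)
    return parsed


if __name__ == "__main__":
    # Default to $FWDIR/log/blob (the directory named in the thread); a path
    # argument overrides it. If FWDIR is unset, fall back to the current directory.
    blob_dir = sys.argv[1] if len(sys.argv) > 1 else os.path.join(
        os.environ.get("FWDIR", "."), "log", "blob")
    try:
        rows = scan_blob_dir(blob_dir)
    except FileNotFoundError:
        print(f"blob directory not found: {blob_dir}", file=sys.stderr)
        sys.exit(1)
    for r in rows:
        print(f'{r["captured_utc"]}  {r["src"]} -> {r["dst"]}  {r["kind"]}  {r["blob_id"]}')
    if not rows:
        print("no files matched the assumed blob name layout", file=sys.stderr)
```

In a multi-domain deployment the blob directory depends on the domain context, so run it after switching to the relevant domain with `mcd`, as the reply above suggests, or pass the directory explicitly.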