This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Martin_Hofbauer
Contributor
Contributor
‎2020-10-05 07:50 AM
Jump to solution

Filter syntax for g_tcpdump required when mixing "and" and "or"

in tcpdump in bash following works as expected:

 

# tcpdump -i eth0 host A and host B and \(port C or port D\)

( round brackets ensure, that the "or" statement is only valid for the port numbers )

 

But I was not able to figure out howto do it with "g_tcpdump" to have the same results.

Any ideas ?

 

0 Kudos
1 Solution

Accepted Solutions
mrbhenry
Participant
‎2026-02-05 02:35 PM
Jump to solution

I ran into this same issue and I see that this post was never really answered. sk173723 shows what to do:

Solution:
Escape any quotations or special characters in the g_tcpdump syntax with the backslash "\" character and use only single quotes, not double quotes.

Example:

Instead of this syntax:

g_tcpdump -nni eht1-Mgmt4 "host 1.1.1.1 and (port 22 or icmp)"

You must use this syntax:

g_tcpdump -nni eth1-Mgmt4 \'host 1.1.1.1 and \(port 22 or icmp\)\'

View solution in original post

5 Replies
Anatoly
Employee
Employee
‎2020-10-07 10:51 PM
Jump to solution

Hi,

It should be the same as tcpdump, just g_. If it doesn't work, try to do g_all tcpdump ….

 

Thanks

 

Anatoly

0 Kudos
HeikoAnkenbrand
MVP Diamond
MVP Diamond
‎2020-10-07 11:20 PM
In response to Anatoly
Jump to solution

Hi @Anatoly 

in principle, the difference is clear to me. "g_all" executes the commands on all SGMs.

Is there a technical difference between "g_tcpdump" and "g_all tcpdump".

PS:
With  "g_tcpdump" filters I can also see that some things do not work 100% correct.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
Anatoly
Employee
Employee
‎2020-10-07 11:23 PM
In response to HeikoAnkenbrand
Jump to solution

g_tcpdump and g_all tcpdump should be the same. However, since g_tcpdump has been developed as separate command, some differences may apply.

Please open support ticket if it's critical, if not - just use g_all tcpdump

0 Kudos
mrbhenry
Participant
‎2026-02-05 02:35 PM
Jump to solution

I ran into this same issue and I see that this post was never really answered. sk173723 shows what to do:

Solution:
Escape any quotations or special characters in the g_tcpdump syntax with the backslash "\" character and use only single quotes, not double quotes.

Example:

Instead of this syntax:

g_tcpdump -nni eht1-Mgmt4 "host 1.1.1.1 and (port 22 or icmp)"

You must use this syntax:

g_tcpdump -nni eth1-Mgmt4 \'host 1.1.1.1 and \(port 22 or icmp\)\'

Danny
MVP Platinum
MVP Platinum
‎2026-02-09 07:08 AM
In response to mrbhenry
Jump to solution

I created a one-liner that interactively creates the correct syntax for tcpdump or g_tcpdump depending on the Gaia system.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events