This script lets you run a tcpdump capture, and you can also choose 'any' rather than a specific IP address. Below is an example from my lab. As always, dos2unix and chmod 777 are needed to run it. The output can be printed on screen, or you can write it to a file as well.
Lab example:
[Expert@CP-GW:0]# ./cp_tcpdump.sh
=== Check Point tcpdump interactive capture ===
Tip: Use 'tcpdump -D' to list interfaces before running.
Interface name (e.g., bond0, eth1, or 'any') [any]:
Source IP (or 'any') [any]: 172.16.10.249
Destination IP (or 'any') [any]: 1.1.1.1
Protocol (tcp/udp/icmp/icmp6/any) [any]:
Port number (or 'any') [any]:
Output mode: print / pcap / both [print]:
Use rotation? (y/n) [n]:
=== Running capture ===
Interface: any
Filter: host 172.16.10.249 and host 1.1.1.1
Mode: print
Printing to screen. Press Ctrl+C to stop.
++ tcpdump -i any -nn -vvv -Ss 0 -tttt host 172.16.10.249 and host 1.1.1.1
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
2026-01-24 08:14:14.966804 IP (tos 0x0, ttl 64, id 42842, offset 0, flags [DF], proto ICMP (1), length 84)
172.16.10.249 > 1.1.1.1: ICMP echo request, id 10000, seq 46, length 64
2026-01-24 08:14:14.970472 IP (tos 0x0, ttl 53, id 56578, offset 0, flags [none], proto ICMP (1), length 84)
1.1.1.1 > 172.16.10.249: ICMP echo reply, id 10000, seq 46, length 64
2026-01-24 08:14:15.921213 IP (tos 0x0, ttl 64, id 18337, offset 0, flags [DF], proto UDP (17), length 63)
172.16.10.249.12250 > 1.1.1.1.53: [udp sum ok] 2868+ A? captive.apple.com. (35)
2026-01-24 08:14:15.921844 IP (tos 0x0, ttl 64, id 18338, offset 0, flags [DF], proto UDP (17), length 60)
172.16.10.249.12250 > 1.1.1.1.53: [udp sum ok] 8417+ A? help.webex.com. (32)
2026-01-24 08:14:15.922191 IP (tos 0x0, ttl 64, id 18339, offset 0, flags [DF], proto UDP (17), length 67)
172.16.10.249.12250 > 1.1.1.1.53: [udp sum ok] 36312+ A? api-cpx.ap3.dome9.com. (39)
2026-01-24 08:14:15.922481 IP (tos 0x0, ttl 64, id 18340, offset 0, flags [DF], proto UDP (17), length 79)
172.16.10.249.12250 > 1.1.1.1.53: [udp sum ok] 57603+ A? cm-prod-us.connect.checkpoint.com. (51)
2026-01-24 08:14:15.922875 IP (tos 0x0, ttl 64, id 18341, offset 0, flags [DF], proto UDP (17), length 74)
172.16.10.249.12250 > 1.1.1.1.53: [udp sum ok] 52702+ A? file-rep.iaas.checkpoint.com. (46)
2026-01-24 08:14:15.923217 IP (tos 0x0, ttl 64, id 18342, offset 0, flags [DF], proto UDP (17), length 76)
172.16.10.249.12250 > 1.1.1.1.53: [udp sum ok] 37130+ A? productservices.checkpoint.com. (48)
2026-01-24 08:14:15.923616 IP (tos 0x0, ttl 64, id 18343, offset 0, flags [DF], proto UDP (17), length 67)
172.16.10.249.12250 > 1.1.1.1.53: [udp sum ok] 16854+ A? stg.i2.checkpoint.com. (39)
2026-01-24 08:14:15.923944 IP (tos 0x0, ttl 64, id 18344, offset 0, flags [DF], proto UDP (17), length 61)
172.16.10.249.12250 > 1.1.1.1.53: [udp sum ok] 57743+ A? aem.dropbox.com. (33)
2026-01-24 08:14:15.924304 IP (tos 0x0, ttl 64, id 18345, offset 0, flags [DF], proto UDP (17), length 53)
172.16.10.249.12250 > 1.1.1.1.53: [udp sum ok] 15072+ A? dash.ai. (25)
2026-01-24 08:14:15.924659 IP (tos 0x0, ttl 64, id 18346, offset 0, flags [DF], proto UDP (17), length 58)
172.16.10.249.12250 > 1.1.1.1.53: [udp sum ok] 41292+ A? dropbox.tech. (30)
2026-01-24 08:14:15.925020 IP (tos 0x0, ttl 64, id 18347, offset 0, flags [DF], proto UDP (17), length 71)
172.16.10.249.12250 > 1.1.1.1.53: [udp sum ok] 22904+ A? rebrand.dropboxstatic.com. (43)
2026-01-24 08:14:15.925343 IP (tos 0x0, ttl 64, id 18348, offset 0, flags [DF], proto UDP (17), length 62)
172.16.10.249.12250 > 1.1.1.1.53: [udp sum ok] 43591+ A? appex-rf.msn.com. (34)
2026-01-24 08:14:15.925512 IP (tos 0x0, ttl 53, id 42176, offset 0, flags [DF], proto UDP (17), length 207)
1.1.1.1.53 > 172.16.10.249.12250: [udp sum ok] 2868 q: A? captive.apple.com. 5/0/0 captive.apple.com. [11h59m36s] CNAME captive-cidr.origin-apple.com.akadns.net., captive-cidr.origin-apple.com.akadns.net. [4m36s] CNAME captive-geo.origin-apple.com.akadns.net., captive-geo.origin-apple.com.akadns.net. [36s] CNAME captive.g.aaplimg.com., captive.g.aaplimg.com. [6s] A 17.253.21.131, captive.g.aaplimg.com. [6s] A 17.253.21.147 (179)
2026-01-24 08:14:15.926336 IP (tos 0x0, ttl 64, id 18349, offset 0, flags [DF], proto UDP (17), length 67)
172.16.10.249.12250 > 1.1.1.1.53: [udp sum ok] 46532+ A? config.edge.skype.com. (39)
2026-01-24 08:14:15.926662 IP (tos 0x0, ttl 53, id 42177, offset 0, flags [DF], proto UDP (17), length 111)
1.1.1.1.53 > 172.16.10.249.12250: [udp sum ok] 57603 q: A? cm-prod-us.connect.checkpoint.com. 2/0/0 cm-prod-us.connect.checkpoint.com. [2m2s] A 15.197.212.38, cm-prod-us.connect.checkpoint.com. [2m2s] A 3.33.196.224 (83)
2026-01-24 08:14:15.926971 IP (tos 0x0, ttl 64, id 18350, offset 0, flags [DF], proto UDP (17), length 76)
172.16.10.249.12250 > 1.1.1.1.53: [udp sum ok] 13248+ A? euprodimedatasec.azureedge.net. (48)
2026-01-24 08:14:15.927473 IP (tos 0x0, ttl 53, id 42178, offset 0, flags [DF], proto UDP (17), length 149)
1.1.1.1.53 > 172.16.10.249.12250: [udp sum ok] 16854 q: A? stg.i2.checkpoint.com. 0/1/0 ns: stg.i2.checkpoint.com. [7m2s] SOA ns-1520.awsdns-62.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400 (121)
2026-01-24 08:14:15.927694 IP (tos 0x0, ttl 64, id 18351, offset 0, flags [DF], proto UDP (17), length 79)
172.16.10.249.12250 > 1.1.1.1.53: [udp sum ok] 17515+ A? intunemaape9.neu.attest.azure.net. (51)
2026-01-24 08:14:15.928076 IP (tos 0x0, ttl 64, id 18352, offset 0, flags [DF], proto UDP (17), length 79)
172.16.10.249.12250 > 1.1.1.1.53: [udp sum ok] 55278+ A? naprodimedatahotfix.azureedge.net. (51)
2026-01-24 08:14:15.928360 IP (tos 0x0, ttl 64, id 18353, offset 0, flags [DF], proto UDP (17), length 61)
172.16.10.249.12250 > 1.1.1.1.53: [udp sum ok] 5531+ A? onmicrosoft.com. (33)
2026-01-24 08:14:15.928680 IP (tos 0x0, ttl 64, id 18354, offset 0, flags [DF], proto UDP (17), length 67)
172.16.10.249.12250 > 1.1.1.1.53: [udp sum ok] 60992+ A? support.microsoft.com. (39)
2026-01-24 08:14:15.928960 IP (tos 0x0, ttl 64, id 18355, offset 0, flags [DF], proto UDP (17), length 63)
172.16.10.249.12250 > 1.1.1.1.53: [udp sum ok] 37890+ A? windowsupdate.com. (35)
2026-01-24 08:14:15.929285 IP (tos 0x0, ttl 64, id 18356, offset 0, flags [DF], proto UDP (17), length 83)
172.16.10.249.12250 > 1.1.1.1.53: [udp sum ok] 24767+ A? 1-217446-1541620433-630.rt.yammer.com. (55)
2026-01-24 08:14:15.929406 IP (tos 0x0, ttl 53, id 42179, offset 0, flags [DF], proto UDP (17), length 137)
1.1.1.1.53 > 172.16.10.249.12250: [udp sum ok] 43591 q: A? appex-rf.msn.com. 3/0/0 appex-rf.msn.com. [4h5s] CNAME www-msn-com.a-0003.a-msedge.net., www-msn-com.a-0003.a-msedge.net. [3m1s] CNAME a-0003.a-msedge.net., a-0003.a-msedge.net. [3m1s] A 204.79.197.203 (109)
Best,
Andy
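
The post does not include the script itself. As an added example (not Andy's cp_tcpdump.sh), here is one way to turn the prompt answers shown above into the tcpdump filter while rejecting anything that is not a plain IPv4 address, a listed protocol or a port number. The function names are hypothetical, and the tcpdump flags are copied from the command line in the lab output.

```shell
#!/bin/sh
# Added example, not the original cp_tcpdump.sh. Function names are made up.

valid_ip() {                      # dotted-quad IPv4, each octet 0-255
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1                     # split on dots (digits and dots only here)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

valid_port() {                    # 1-65535, digits only
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ ${#1} -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

build_filter() {                  # args: src dst proto port ('any' = no limit)
    f=
    for ip in "$1" "$2"; do
        [ "$ip" = any ] && continue
        valid_ip "$ip" || { echo "bad IP: $ip" >&2; return 1; }
        # 'host', as in the lab output, matches both directions of the flow
        f="${f:+$f and }host $ip"
    done
    case $3 in
        any) ;;
        tcp|udp|icmp|icmp6) f="${f:+$f and }$3" ;;
        *) echo "bad protocol: $3" >&2; return 1 ;;
    esac
    if [ "$4" != any ]; then
        valid_port "$4" || { echo "bad port: $4" >&2; return 1; }
        f="${f:+$f and }port $4"
    fi
    printf '%s\n' "$f"
}

run_capture() {                   # args: iface filter (defined, not called here)
    case $1 in ''|*[!A-Za-z0-9._:-]*) echo "bad interface: $1" >&2; return 1 ;; esac
    # $2 is deliberately unquoted: it holds only validated words, and tcpdump
    # takes the filter as separate arguments, so no eval or sh -c is needed.
    tcpdump -i "$1" -nn -vvv -Ss 0 -tttt $2
}

build_filter 172.16.10.249 1.1.1.1 any any   # the answers from the lab run
```

A script like this only needs to be executable by its owner, so mode 700 is enough to run it and keeps other local accounts from editing a file that runs with expert-mode privileges.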