🚀 Interactively builds up the correct syntax to run tcpdump.
⭐ Supports wildcards for IP addresses and interface names
🎓 Supports g_tcpdump on Scalable Platforms
👍 Also available for fw monitor
One-liner (Bash) to assist running tcpdump on Check Point Gaia systems.
In expert mode, paste the following. It prints the assembled command and waits for ENTER before running it:
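# tcpdump SuperTool for Check Point Gaia (readable multi-line form of the
# one-liner; the whole script is a single if ... fi, so it can still be pasted
# into an expert-mode shell in one go).
#
# It prompts for hosts, ports, protocol, interface, packet count, output file,
# timestamp format and verbosity, prints the assembled tcpdump (or g_tcpdump)
# command and runs it only after ENTER is pressed.
#
# Security note: the assembled command is one string that is handed to eval,
# normally in a root shell. Every answer that ends up in that string is
# therefore checked against a narrow character set or an allow-list first;
# anything else is reported and replaced by the default for that prompt.
if [[ -f /etc/cp-release ]]; then
  echo

  # Colour helpers; they become no-ops when tput is not available.
  if command -v tput &>/dev/null; then
    _tb() { tput bold; }
    _tr() { tput sgr0; }
    _tc() { tput setaf "$1"; }
    _tbg() { tput setab "$1"; }
  else
    _tb() { :; }
    _tr() { :; }
    _tc() { :; }
    _tbg() { :; }
  fi

  printf '%.s-' {1..60}
  echo
  echo ' tcpdump SuperTool for Check Point Gaia'
  printf '%.s-' {1..60}
  echo
  echo

  # g_tcpdump on the PATH is taken as the sign of a Maestro/ElasticXL system.
  _m=0
  if command -v g_tcpdump &>/dev/null; then
    _m=1
    _tc 3
    echo ' Maestro/ElasticXL detected - will use g_tcpdump'
    _tr
    echo
  fi

  # ---- Hosts ---------------------------------------------------------------
  _tb
  echo -n ' Add host IPs '
  _tr
  echo -n '(leave empty for any): '
  read -r _h
  _vh=()  # validated addresses / networks
  _vht=() # matching tcpdump keyword per entry: host or net
  case $_h in
    '')
      echo -n ' any '
      _tc 2
      echo OK
      _tr
      ;;
    *)
      # Separators become blanks. read -a splits the line without pathname
      # expansion, so an entry such as 10.1.* is never matched against files
      # in the current directory.
      read -ra _h <<<"$(printf '%s\n' "$_h" | tr ',;:|()#<>' ' ')"
      for a in "${_h[@]}"; do
        if [[ $a == *'*'* ]]; then
          # Wildcard form, e.g. 10.1.* -> 10.1.0.0/16: drop every ".*", then
          # require one to three numeric octets in the range 0-255.
          _w=${a//.\*/}
          _ok=1
          [[ $_w =~ ^[0-9.]+$ ]] || _ok=0
          _oc=$(printf '%s\n' "$_w" | tr '.' '\n' | wc -l)
          if [[ $_ok == 1 ]]; then
            # Unquoted on purpose: _w holds only digits and dots here, and the
            # dots were turned into blanks to split it into octets.
            for _o in ${_w//./ }; do
              [[ $_o =~ ^[0-9]+$ ]] && [[ $_o -ge 0 ]] && [[ $_o -le 255 ]] || _ok=0
            done
          fi
          if [[ $_ok == 1 ]]; then
            case $_oc in
              1) _net=$_w'.0.0.0/8' ;;
              2) _net=$_w'.0.0/16' ;;
              3) _net=$_w'.0/24' ;;
              *) _ok=0 ;;
            esac
          fi
          if [[ $_ok == 1 ]]; then
            echo -n " $a -> $_net "
            _tc 2
            echo OK
            _tr
            _vh+=("$_net")
            _vht+=('net')
          else
            echo -n " $a "
            _tc 1
            echo 'Bad syntax'
            _tr
          fi
        elif [[ $a =~ ^[0-9./]+$ ]] && [[ $a == *'.'* ]] &&
          [[ $(ipcalc -ms "$a" 2>/dev/null) == *'='* ]]; then
          # Digits, dots and an optional /prefix only, and ipcalc must accept
          # the value, before it is allowed into the filter string.
          echo -n " $a "
          _tc 2
          echo OK
          _tr
          _vh+=("$a")
          _vht+=('host')
        else
          echo -n " $a "
          _tc 1
          echo 'Bad syntax'
          _tr
        fi
      done
      if [[ ${#_vh[@]} == 0 ]]; then
        _tc 3
        echo ' Falling back to: any'
        _tr
      fi
      ;;
  esac
  echo

  # ---- Ports ---------------------------------------------------------------
  _tb
  echo -n ' Add ports '
  _tr
  echo -n '(leave empty for any): '
  read -r _p
  _vp=()
  case $_p in
    '')
      echo -n ' any '
      _tc 2
      echo OK
      _tr
      ;;
    *)
      read -ra _p <<<"$(printf '%s\n' "$_p" | tr ',;:|()#<>' ' ')"
      for a in "${_p[@]}"; do
        # Digits only; no range check is made on the port number.
        if [[ $a != *[^0-9]* ]]; then
          echo -n " $a "
          _tc 2
          echo OK
          _tr
          _vp+=("$a")
        else
          echo -n " $a "
          _tc 1
          echo 'Bad syntax'
          _tr
        fi
      done
      if [[ ${#_vp[@]} == 0 ]]; then
        _tc 3
        echo ' Falling back to: any'
        _tr
      fi
      ;;
  esac
  echo

  # ---- Protocol ------------------------------------------------------------
  _tb
  echo -n ' Add protocol '
  _tr
  echo -n '(tcp, udp, icmp): '
  read -r _pr
  _vpr=()
  case $_pr in
    '')
      echo -n ' any '
      _tc 2
      echo OK
      _tr
      ;;
    *)
      read -ra _pr <<<"$(printf '%s\n' "$_pr" | tr ',;:|()#<>' ' ')"
      for a in "${_pr[@]}"; do
        case $a in
          tcp | udp | icmp)
            echo -n " $a "
            _tc 2
            echo OK
            _tr
            _vpr+=("$a")
            ;;
          *)
            echo -n " $a "
            _tc 1
            echo 'Unknown protocol'
            _tr
            ;;
        esac
      done
      if [[ ${#_vpr[@]} == 0 ]]; then
        _tc 3
        echo ' Falling back to: any'
        _tr
      fi
      ;;
  esac
  echo

  # ---- Interface -----------------------------------------------------------
  # The list of known interfaces is the allow-list for the answer below.
  if [[ $_m == 1 ]]; then
    _ifc=$(cpstat os -f ifconfig | grep '|' | cut -f2 -d'|' | tail -n +2 | tr -d ' ' | sort -V)
  else
    _ifc=$(ip link show | awk -F': ' '/^[0-9]+:/{print $2}' | grep -v lo | sed 's/@.*//' | sort -V)
  fi
  _tc 6
  echo -n ' Available interfaces: '
  printf '%s\n' "$_ifc" | tr '\n' ' '
  echo
  _tr
  _tb
  echo -n ' Capture interface '
  _tr
  echo -n '(leave empty for any): '
  read -r _i
  if [[ -n $_i ]]; then
    if [[ $_i == *'*'* ]]; then
      # Only interface-name characters plus * are turned into a grep pattern,
      # and dots are escaped so that they match literally. An answer with any
      # other character can therefore not pass as a match and reach eval.
      _im=''
      if [[ $_i =~ ^[A-Za-z0-9_.:*-]+$ ]]; then
        _im=${_i//./\\.}
        _im=$(printf '%s\n' "$_ifc" | grep -- "^${_im//\*/.*}\$")
      fi
      if [[ -n $_im ]]; then
        # NOTE(review): the wildcard itself, not the list of matches, is what
        # is placed after -i further down - confirm that tcpdump / g_tcpdump
        # on the target system accepts it in that form.
        _tc 2
        echo -n ' Matching: '
        _tr
        printf '%s\n' "$_im" | tr '\n' ' '
        echo
      else
        echo -n " $_i "
        _tc 1
        echo 'No matching interface'
        _tr
        _i=''
        _tc 3
        echo ' Falling back to: any'
        _tr
      fi
    elif printf '%s\n' "$_ifc" | grep -qxF -- "$_i"; then
      # -F: the answer must equal a listed name; it is not used as a regex.
      _tc 2
      echo -n ' Interface: '
      _tr
      echo "$_i"
    else
      echo -n " $_i "
      _tc 1
      echo 'Invalid interface'
      _tr
      _i=''
      _tc 3
      echo ' Falling back to: any'
      _tr
    fi
  else
    _tc 2
    echo ' Any interface'
    _tr
  fi
  echo

  # ---- Packet count --------------------------------------------------------
  _tb
  echo -n ' Number of packets '
  _tr
  echo -n '(leave empty for unlimited): '
  read -r _n
  if [[ -n $_n ]]; then
    if [[ $_n =~ ^[0-9]+$ ]]; then
      _tc 2
      echo -n ' Capturing '
      _tr
      echo -n "$_n"
      echo ' packets'
    else
      echo -n " $_n "
      _tc 1
      echo 'Bad syntax'
      _tr
      _n=''
      _tc 3
      echo ' Falling back to: unlimited'
      _tr
    fi
  else
    _tc 3
    echo ' Unlimited capture (use Ctrl+C to stop)'
    _tr
  fi
  echo

  # ---- Output file ---------------------------------------------------------
  _tb
  echo -n ' Capture to file '
  _tr
  echo -n '(leave empty for stdout): '
  read -r _f
  if [[ -n $_f ]]; then
    # The name is appended to /var/log/ and becomes part of the string given
    # to eval. Accept letters, digits, dot, underscore, dash and slash only,
    # and refuse any ".." so the capture cannot be written outside /var/log.
    if [[ $_f =~ ^[A-Za-z0-9._/-]+$ && $_f != *..* ]]; then
      _tc 2
      echo -n ' Saving to: '
      _tr
      echo "/var/log/$_f"
    else
      printf ' %s ' "$_f"
      _tc 1
      echo 'Bad syntax'
      _tr
      _f=''
      _tc 3
      echo ' Falling back to: stdout'
      _tr
    fi
  else
    _tc 2
    echo ' Output to CLI'
    _tr
  fi
  echo

  # ---- Timestamp format (only asked when printing to the terminal) ---------
  _ts=''
  if [[ -z $_f ]]; then
    _tb
    echo -n ' Timestamp format '
    _tr
    echo -n '(1=absolute, 2=delta, 3=epoch, default=standard): '
    read -r _ts
    case $_ts in
      1)
        _tc 2
        echo ' Absolute (yyyy-mm-dd hh:mm:ss)'
        _tr
        ;;
      2)
        _tc 2
        echo ' Delta from first packet'
        _tr
        ;;
      3)
        _tc 2
        echo ' Unix epoch'
        _tr
        ;;
      '')
        _tc 2
        echo ' Standard'
        _tr
        ;;
      *)
        printf ' %s ' "$_ts"
        _tc 1
        echo 'Invalid option'
        _tr
        _ts=''
        _tc 3
        echo ' Falling back to: standard'
        _tr
        ;;
    esac
    echo
  fi

  # ---- Verbosity -----------------------------------------------------------
  _tb
  echo -n ' Verbose output '
  _tr
  echo -n '(y/n, default=n): '
  read -r _v
  if [[ -z $_v || $_v == 'n' || $_v == 'N' ]]; then
    _tc 2
    echo ' Verbose: off'
    _tr
    _v=''
  elif [[ $_v == 'y' || $_v == 'Y' ]]; then
    _tc 2
    echo ' Verbose: on'
    _tr
  else
    printf ' %s ' "$_v"
    _tc 1
    echo 'Invalid input'
    _tr
    _v=''
    _tc 3
    echo ' Falling back to: off'
    _tr
  fi
  echo

  # ---- Assemble the command ------------------------------------------------
  printf '%.s-' {1..60}
  echo
  _tbg 1
  _tc 7
  _tb
  echo -n ' Executing? '
  _tr
  echo -n ' Press ENTER to run, any other key to abort...'

  if [[ $_m == 1 ]]; then
    _r='g_tcpdump'
  else
    _r='tcpdump'
  fi
  if [[ $_v == 'y' || $_v == 'Y' ]]; then
    _r+=' -vv'
  fi
  case $_ts in
    1) _r+=' -tttt' ;;
    2) _r+=' -ttttt' ;;
    3) _r+=' -tt' ;;
  esac
  if [[ -n $_i ]]; then
    _r+=" -nni $_i"
  else
    _r+=' -nni any'
  fi
  if [[ -n $_n && $_n =~ ^[0-9]+$ ]]; then
    _r+=" -c $_n"
  fi
  if [[ -n $_f ]]; then
    _r+=" -w /var/log/$_f"
  fi

  # Filter expression: (hosts) and (ports) and (protocols), each group joined
  # with "or" and parenthesised only when it has more than one member.
  _fl=''
  if [[ ${#_vh[@]} -gt 0 || ${#_vp[@]} -gt 0 || ${#_vpr[@]} -gt 0 ]]; then
    # For g_tcpdump the quotes and parentheses are backslash-escaped, so they
    # pass through eval as literal characters; plain tcpdump gets an ordinary
    # single-quoted filter.
    if [[ $_m == 1 ]]; then
      _lp='\('
      _rp='\)'
      _qq="\'"
    else
      _lp='('
      _rp=')'
      _qq="'"
    fi
    _fl+=$_qq
    if [[ ${#_vh[@]} -gt 0 ]]; then
      [[ ${#_vh[@]} -gt 1 ]] && _fl+=$_lp
      for i in "${!_vh[@]}"; do
        _fl+="${_vht[$i]} ${_vh[$i]}"
        [[ $i -lt $((${#_vh[@]} - 1)) ]] && _fl+=' or '
      done
      [[ ${#_vh[@]} -gt 1 ]] && _fl+=$_rp
    fi
    [[ ${#_vh[@]} -gt 0 && ${#_vp[@]} -gt 0 ]] && _fl+=' and '
    if [[ ${#_vp[@]} -gt 0 ]]; then
      [[ ${#_vp[@]} -gt 1 ]] && _fl+=$_lp
      for i in "${!_vp[@]}"; do
        _fl+="port ${_vp[$i]}"
        [[ $i -lt $((${#_vp[@]} - 1)) ]] && _fl+=' or '
      done
      [[ ${#_vp[@]} -gt 1 ]] && _fl+=$_rp
    fi
    [[ ${#_vh[@]} -gt 0 || ${#_vp[@]} -gt 0 ]] && [[ ${#_vpr[@]} -gt 0 ]] && _fl+=' and '
    if [[ ${#_vpr[@]} -gt 0 ]]; then
      [[ ${#_vpr[@]} -gt 1 ]] && _fl+=$_lp
      for i in "${!_vpr[@]}"; do
        _fl+=${_vpr[$i]}
        [[ $i -lt $((${#_vpr[@]} - 1)) ]] && _fl+=' or '
      done
      [[ ${#_vpr[@]} -gt 1 ]] && _fl+=$_rp
    fi
    _fl+=$_qq
    _r+=" $_fl"
  fi

  # ---- Confirm and run -----------------------------------------------------
  echo
  _tb
  echo ' Command to execute:'
  _tr
  printf ' %s\n' "$_r"
  echo
  read -rsn1
  case $REPLY in
    '')
      # SECURITY: eval runs _r as shell code. It is kept because the escaped
      # quoting built for g_tcpdump depends on this second parsing pass
      # (presumably g_tcpdump re-parses its arguments - not verifiable here).
      # It is acceptable only because every part of _r was validated above;
      # keep that in mind when adding a new prompt.
      eval "$_r"
      ;;
    *)
      _tc 1
      echo ' Aborted'
      _tr
      ;;
  esac
  echo

  # Leave no helper variables or functions behind in the interactive shell.
  unset _h _p _pr _i _n _f _v _m _r _fl _ifc _vh _vht _vp _vpr _w _oc _ok _o _net _im _ts _lp _rp _qq a i
  unset -f _tb _tr _tc _tbg
else
  echo
  echo ' Not a Check Point Gaia system'
  echo
fi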