Hello,
While troubleshooting an issue for a customer I had to collect a bunch of traffic and I tried to use cppcap, but I have a few questions, and I just want to check if anyone else has seen and solved them somehow.
The issue I was troubleshooting required me to collect traffic over a long period. While setting up the capture I was looking for a way to automatically exit after having saved X amount of data. As far as I could see, the only option was
| -b <NUM> | capture NUM bytes before stopping |
but to the best of my understanding this is a counter of collected data on the wire, not amount of data saved to a file...
Has anyone found a way of collecting (for example) 10 files, each 1GB large and then exit?
| -w <FMT> | file size limit with rotation followed by 'K'ilo,'M'ega or 'G'iga. Default is bytes |
| -W <NUM> | use up to NUM files with rotation (use with '-w') |
-w and -W will limit size and number of files but it will rotate forever and not exit after reaching the value of -W.
Also, if using -I to capture on multiple interfaces, is there afterwards any reference to the interface on which the packet was captured?
Cheers
Reference:
I suspect the precise functionality you're looking for is an RFE.
Having said that, you could probably do a combination of cppcap and a script that monitors for the creation of capture files.
Once you've captured X files, kill cppcap.
To facilitate this: use -W 11 (one more capture file than you want)
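The monitor-and-kill approach suggested in the reply above, as an added sketch (not code from the thread, from Check Point, or from the cppcap author). It assumes rotated files are named `<base>`, `<base>_1`, `<base>_2`, ... as in the listings on this page, and that the capture process stays in the foreground and exits cleanly on SIGTERM; the function names are hypothetical.

```shell
#!/bin/bash
# Added example, not from the thread. Assumptions: rotated files are named
# <base>, <base>_1, <base>_2, ... (as in the listings on this page), and the
# capture tool runs in the foreground and exits cleanly on SIGTERM.

# Count the capture files that currently exist for a base name.
count_capture_files() {
    local base="$1" n=0 f
    for f in "$base" "$base"_[0-9]*; do
        if [ -f "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Poll until more than <want> files exist, then stop the capture.
# Returns 0 if this function stopped it, 1 if it ended on its own first.
stop_after_files() {
    local pid="$1" base="$2" want="$3" interval="${4:-5}"
    while kill -0 "$pid" 2>/dev/null; do
        if [ "$(count_capture_files "$base")" -gt "$want" ]; then
            # SIGTERM rather than SIGINT: background jobs started from a
            # non-interactive shell may ignore SIGINT.
            kill "$pid" 2>/dev/null || true
            wait "$pid" 2>/dev/null || true
            return 0
        fi
        sleep "$interval"
    done
    return 1
}

# Start the capture command in the background and supervise it.
# Usage: capture_n_files <base> <want> <interval_seconds> <command...>
capture_n_files() {
    local base="$1" want="$2" interval="$3"
    shift 3
    "$@" &
    stop_after_files "$!" "$base" "$want" "$interval"
}

# Example, reusing the command from the thread with -W 11 as suggested above:
#   capture_n_files filename.pcap 10 5 \
#       cppcap -I eth4 -o filename.pcap -w 1G -W 11 -DNT -f "host X.X.X.X"
```

The extra file created by `-W 11` is the partial one in progress when the capture is stopped. Keep the polling interval well below the time it takes to fill one file, otherwise rotation can wrap around and overwrite the oldest file before the watcher reacts.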
Can you please provide exact syntax you did? I would like to test it in the lab and see what I get.
Andy
It would have been something like:
cppcap -I <external nic> -o filename.pcap -w 1G -W 10 -DNT -f "host X.X.X.X"
I also tried to add the -b but as I wrote that seems to be the data on the wire, not written to files...
[Expert@gbgfw1:0]# cppcap -I eth4 -o filename.pcap -w 1K -W 10 -DNT -f "host 192.168.1.5" -b10000
67 packets captured (9.848 KB)
[Expert@gbgfw1:0]#
[Expert@gbgfw1:0]# ls -ltr
-rw-rw---- 1 admin root 1105 Nov 11 20:19 filename.pcap
-rw-rw---- 1 admin root 1135 Nov 11 20:19 filename.pcap_1
-rw-rw---- 1 admin root 1062 Nov 11 20:19 filename.pcap_2
-rw-rw---- 1 admin root 1065 Nov 11 20:20 filename.pcap_3
-rw-rw---- 1 admin root 1054 Nov 11 20:20 filename.pcap_4
-rw-rw---- 1 admin root 1147 Nov 11 20:20 filename.pcap_5
-rw-rw---- 1 admin root 562 Nov 11 20:20 filename.pcap_6
[Expert@gbgfw1:0]#
I see what you mean, I'm not getting the desired result either, definitely NOT rotating. I put -W 10 as you mentioned, but only got 3
[Expert@GATEWAY:0]# cppcap -I eth0 -o filename.pcap -w 1K -W 10 -DNT -f "host 172.16.10.178" -b10
1 packets captured (78 B)
[Expert@GATEWAY:0]# ls -lf
.toprc tcpdumpradius.out .clish_history tcpdumpradius1.out
filename.pcap_1 fwmonitor.out .ssh .
.lvm_history .bash_history last_dump.log filename.pcap_2
filename.pcap .bash_logout .. .cpsizeme.log
.mgmt_cli .lesshst .bash_profile .bashrc
[Expert@GATEWAY:0]# ls -lh
total 28K
-rw-rw---- 1 admin root 118 Nov 11 15:11 filename.pcap
-rw-rw---- 1 admin root 1.1K Nov 11 15:09 filename.pcap_1
-rw-rw---- 1 admin root 1.1K Nov 11 15:10 filename.pcap_2
-rw-rw---- 1 admin root 1.3K Feb 9 2022 fwmonitor.out
-rw-r--r-- 1 admin root 1.9K Oct 24 11:12 last_dump.log
-rw-rw---- 1 admin root 1 Feb 9 2022 tcpdumpradius.out
-rw-rw---- 1 admin root 1 Feb 9 2022 tcpdumpradius1.out
[Expert@GATEWAY:0]#
Well, if you remove the -b it will rotate, but that's not what I wanted 😀
I want 10 files, 1GB large and then exit..
Ah, I see, ok :). Well, that SORT of works, BUT...does not exit on its own, I had to stop it myself. Let me play around with it, very interesting to see if we can figure it out.
Andy
[Expert@GATEWAY:0]# ls -lh
total 68K
-rw-rw---- 1 admin root 118 Nov 11 15:11 filename.pcap
-rw-rw---- 1 admin root 1.1K Nov 11 15:09 filename.pcap_1
-rw-rw---- 1 admin root 1.1K Nov 11 15:10 filename.pcap_2
-rw-rw---- 1 admin root 1.3K Feb 9 2022 fwmonitor.out
-rw-r--r-- 1 admin root 1.9K Oct 24 11:12 last_dump.log
-rw-rw---- 1 admin root 1 Feb 9 2022 tcpdumpradius.out
-rw-rw---- 1 admin root 1 Feb 9 2022 tcpdumpradius1.out
-rw-rw---- 1 admin root 1.1K Nov 11 15:25 test.pcap
-rw-rw---- 1 admin root 1.2K Nov 11 15:25 test.pcap_1
-rw-rw---- 1 admin root 1.1K Nov 11 15:25 test.pcap_2
-rw-rw---- 1 admin root 1.1K Nov 11 15:25 test.pcap_3
-rw-rw---- 1 admin root 1016 Nov 11 15:25 test.pcap_4
-rw-rw---- 1 admin root 1.1K Nov 11 15:25 test.pcap_5
-rw-rw---- 1 admin root 1.1K Nov 11 15:25 test.pcap_6
-rw-rw---- 1 admin root 1.1K Nov 11 15:25 test.pcap_7
-rw-rw---- 1 admin root 1.1K Nov 11 15:25 test.pcap_8
-rw-rw---- 1 admin root 1.1K Nov 11 15:25 test.pcap_9
[Expert@GATEWAY:0]#
Yes exactly, which is probably fine in some scenarios.
In my scenario though I wanted traffic from a certain timestamp and I had 20GB disk free to save it on so I wanted it to exit once 20GB was collected...
If it is possible the author of the cppcap tool will know. @aviadhah