Sniffers in VSX environments
Hello.
Is it possible to apply a TCPDUMP or CPPCAP on a particular vsenv, and “export” the result in a pcap file?
Now, if it is possible to do this, how would you get the pcap file?
Would I have to connect by WinSCP (for example), to my VS0. or can I connect by WinSCP directly to a particular vsenv, to be able to extract the pcap file and be able to review it?
Thanks for your comments.
Accepted Solutions
You can start a capture in a particular VS in a few ways:
vsenv 5
tcpdump ...
# Or from any VS:
ip netns exec CTX00005 tcpdump ...
The "CTX00005" is the name of the VS. It's the VSID padded with leading zeros to be five digits. VS 123 would be CTX00123. You can see all of them by running 'ip netns list'.
As for getting the capture file later, VSs are just network namespaces. They have separate routing tables and firewall policies, but that's it. It's all one server running one OS with one filesystem. They're much less isolated than virtual machines, for example.
So, is it possible to run a tcpdump or cppcap from VS0 itself but ‘focused’ on a particular vsenv, and save the result in a pcap?
For example I have the need to run a capture from my vsenv 2, with source 192.168.20.100 and destination 10.100.20.10 by icmp service.
Could you show me the example of the syntax of the command, being 'stopped' in the VS0?
Thank you.
cppcap -o capturenam.pcap -v 2 -f " host 192.168.20.100 and host 10.100.20.10 "
If you like this post please give a thumbs up(kudo)! 🙂
Hi, Lesley
To this cppcap command syntax that you have shared, can you “add” the option to capture on a special interface?
I want to capture for example the traffic related only to VS 2 on its bond2.1095 interface.
Could you share with me how would be the syntax in this case, to capture it in a pcap file?
Regards
Here you go:
cppcap -o capturenam.pcap -v 2 -i bond2.1095 -f " host 192.168.20.100 and host 10.100.20.10"
If you like this post please give a thumbs up(kudo)! 🙂
Thanks for the help, Lesly.
Just out of curiosity and concern.
Does this way of working with “cppcap” apply the same if anyone uses “tcpdump”?
I mean for example, from my VS 0, I can still run a “tcpdump” pointing to a particular VS?
Thanks for the clarification.
Yes you still can tcpdump as stated before in this topic. In VS0 or any other VS.
But officially Check Point recommends cppcap for various reasons like:
Symptoms
- In some scenarios, when running tcpdump with a filter to "any" interface, the output shows no traffic.
- When removing the Health Probe configuration from the fwkern.conf file, the traffic is captured.
Cause
Solution
Check Point recommends to use CPPCAP for traffic capture. CPPCAP is a traffic capture tool which provides the most relevant outputs and is similar to tcpdump.
Check Point created a traffic capture tool for Gaia OS - CPPCAP.
This is a traffic capture tool that provides the most relevant outputs and is similar to the Linux tool TCPdump.
This tool was created to resolve various issues in the Linux tool TCPdump that significantly increased CPU load on Security Gateways.
Notes:
- CPPCAP is supported only on Gaia OS in the 64-bit mode (default in R80.40 and higher).
- CPPCAP also captures traffic that is accelerated in SecureXL.
If you like this post please give a thumbs up(kudo)! 🙂
Hey,
So, if I were to use tcpdump instead of “cppcap”, the syntax in a VSX environment, would be something like this?
tcpdump -o capturenam.pcap -v 2 -i bond2.1095 -f “ host 192.168.20.100 and host 10.100.20.10”
The parameters like “-f” and “-v” are kept?
Because the idea is to apply the command from VS0 and capture the traffic from the VS 2 instance.
Thanks for the comments.
To run a tcpdump from VS0 capturing traffic in VS2, you would use this:
ip netns exec CTX00002 tcpdump -i bond2.1095 -w capturename.pcap host 192.168.20.100 and host 10.100.20.10
No -v switch, no switch needed for the filter, and the file to write is specified with -w instead of -o.
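To make the VSID-to-namespace mapping and the two command forms discussed above concrete, here is an added shell example; it is not code from this thread or from Check Point. It assumes the Gaia naming convention described in the thread (namespace CTX followed by the VSID padded to five digits), validates that the namespace actually exists with 'ip netns list' before capturing, and builds both the tcpdump and the cppcap command lines so they can be reviewed before anything is run. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or Check Point): build and run a per-VS
# capture from VS0. Assumes the CTX<5-digit VSID> namespace naming from the thread.

# Map a VSID to its namespace name: 2 -> CTX00002, 123 -> CTX00123.
# Rejects anything that is not a plain decimal number.
vs_ns_name() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf 'CTX%05d' "$1"
}

# tcpdump form, run from VS0 via the namespace: output file with -w, bare BPF filter.
# Args: VSID, interface, output pcap, filter (e.g. "host A and host B").
build_tcpdump_cmd() {
    ns=$(vs_ns_name "$1") || return 1
    printf 'ip netns exec %s tcpdump -i %s -w %s %s' "$ns" "$2" "$3" "$4"
}

# cppcap form for the same capture: VS selected with -v, file with -o, filter with -f.
build_cppcap_cmd() {
    vs_ns_name "$1" >/dev/null || return 1
    printf 'cppcap -o %s -v %s -i %s -f "%s"' "$3" "$1" "$2" "$4"
}

# Returns 0 when the namespace for this VSID is present on the box.
vs_ns_exists() {
    ns=$(vs_ns_name "$1") || return 1
    ip netns list 2>/dev/null | awk '{print $1}' | grep -qx "$ns"
}

# Run the tcpdump form only after confirming the namespace exists.
# The filter ($4) is intentionally unquoted so its words reach tcpdump separately.
run_vs_tcpdump() {
    if ! vs_ns_exists "$1"; then
        echo "no namespace for VS $1 (check 'ip netns list')" >&2
        return 1
    fi
    ip netns exec "$(vs_ns_name "$1")" tcpdump -i "$2" -w "$3" $4
}
```

Usage: `build_tcpdump_cmd 2 bond2.1095 capturename.pcap 'host 192.168.20.100 and host 10.100.20.10'` prints the command the reply above gives; `run_vs_tcpdump` with the same arguments runs it. Because every VS shares one filesystem, the pcap written by either form can be fetched from VS0 with SCP/WinSCP as usual.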
Hello.
This part of the command #ip netns exec CTX00002 tcpdump -i bond2.1095 .... I understand that “CTX00002” is the name of VS 2?
If it were a different VS ID like 6, it is replaced by CTX00006?
Or am I misunderstanding the information?
You got it.
Either one works fine from my personal experience.
Andy
https://support.checkpoint.com/results/sk/sk141412
Bro,
I literally built a VSX lab this morning just to CONFIRM this, since you asked about it in the other sxl post, haha. And yes, what @Bob_Zimmerman said is exactly right.
Andy
Check out the site my colleague made ages ago; it has a bunch of different options for major FW vendors when doing common captures.
Andy
