CheckMates > Products > Quantum > Security Gateways
Using Wireshark to capture packets on Firewall using standard out.
Wireshark Live Capture From Check Point Firewall directly to your PC
Note: If a jump box is required in your environment, you need to run the command from the jump box.
Standard warning applies: do not run a capture of any kind in this manner on a loaded firewall. No CPU over 70% should be safe; however, after-hours is best. Theoretically this type of capture will reduce CPU utilization by relieving the need to write a file. No download needed. The capture will automatically close when the capture is stopped. Ensure you have the bandwidth available to copy traffic. Filters also work in the command line.
ssh admin@192.168.199.22 "tcpdump -s0 -w - -i eth0" | "c:/program files\wireshark\wireshark.exe" -k -i -
I tried many different commands and command shells before I got the traffic redirects to work.
Cygwin did not work
Mobaxterm did not work
Openssh in Cygwin did not work
Almost every search on Google for using stdout to push firewall traffic to the PC, for Wireshark to use stdin to see live traffic in real time, did not work. I found no references to using the good old command window and OpenSSH.
OpenSSH is the command line tool that opens an SSH session over port 22 to the firewall. tcpdump redirects the filtered traffic over the encrypted SSH tunnel session on port 22 back to the workstation in raw format. Wireshark receives the stdout via stdin and displays it on the screen in real time. Amazing stuff.
This is quite clever and well done on figuring it out.
You mind if I move this to a more public space?
I do not mind. Time for public critique. 🙂
Done, moved out to Security Gateways.
Thanks for this!
Good tip 👍
Yep, a neat trick and well done! Here is how I got to the same place a while back through a different means, but I found a number of caveats (the "timeout" one is more precautionary than anything, as I saw some stuck tcpdump processes); here is the relevant lecture content along with the lab exercise from my Max Capture: Know Your Packets self-guided video:
CET Timezone Course Scheduled for July 1-2
I added a ram disk as a destination for debugs and realized a 60% reduction in CPU utilization on SND cores compared to the same debug writing to disk. This was in a production environment at 3am in the morning but still worked well. Might be worth further testing for packet captures.
Process example using the ram disk as a destination for tcpdump:
```
# /* Make sure there is enough space. Memory swap does still work to disk if you go over the amount available. Ramfs does not support swap. */
#
# free -g
              total        used        free      shared  buff/cache   available
Mem:             15           8           0           1           6           5
Swap:            31           1          29
#
# /* Create the location the new disk will mount. */
# mkdir /mnt/rmdisk
#
# /* Mount the ram as tmpfs and specify amount of ram to use and where to mount it. */
# mount -t tmpfs -o size=4g tmpfs /mnt/rmdisk
#
# /* You can cd into the directory and use it as a normal disk. Remember this is volatile memory and will be erased on reboot or dismount. For example: tcpdump. */
# tcpdump -enni any -w /mnt/rmdisk/dumpme.pcap
```
I am also investigating using tar files for tcpdump destinations for reducing CPU utilization. The whole idea is to minimize the hardware interrupt for DMA for transfers from RAM to disk. The process is slower than compressing data via CPU and a tar file. Sounded like a good idea anyway.
Thank you everyone for your replies and kudos.
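To go with the ram disk procedure above, here is an added example (not code from the thread or from Check Point) that sizes the tmpfs from what free(1) reports before mounting it, so the capture target cannot push the gateway into swapping. The function names are assumptions, and SAMPLE_FREE is constructed to match the figures shown in the post.

```shell
#!/bin/sh
# Added example, not code from the thread: size a tmpfs capture target from
# what free(1) reports before mounting it, so the ram disk cannot push the
# gateway into swapping. Function names are assumptions; SAMPLE_FREE is
# constructed to match the figures in the post above.

SAMPLE_FREE='              total        used        free      shared  buff/cache   available
Mem:             15           8           0           1           6           5
Swap:            31           1          29'

# available_gb "<free -g output>": print the 'available' column of the Mem: line
available_gb() {
    printf '%s\n' "$1" | awk '/^Mem:/ { print $7 }'
}

# ramdisk_fits AVAILABLE_GB WANT_GB HEADROOM_GB: succeed if a tmpfs of WANT_GB
# still leaves HEADROOM_GB available for the gateway's own working set
ramdisk_fits() {
    [ $(( $1 - $2 )) -ge "$3" ]
}

# make_capture_ramdisk WANT_GB MOUNTPOINT [HEADROOM_GB]: mount only if it fits.
# size= is a hard cap: once the tmpfs is full, tcpdump stops with ENOSPC, so
# pair it with -C/-W file rotation to stay inside the budget.
make_capture_ramdisk() {
    want=$1; mnt=$2; headroom=${3:-4}
    avail=$(available_gb "$(free -g)")
    if ! ramdisk_fits "$avail" "$want" "$headroom"; then
        echo "refusing: ${avail}G available, want ${want}G plus ${headroom}G headroom" >&2
        return 1
    fi
    mkdir -p "$mnt" && mount -t tmpfs -o "size=${want}g" tmpfs "$mnt"
}

# Constructed example invocation (run by hand as root on the gateway):
#   make_capture_ramdisk 4 /mnt/rmdisk && \
#     tcpdump -enni any -C 1000 -W 3 -w /mnt/rmdisk/dumpme.pcap
```

With the post's own numbers (5G available), a 4g tmpfs leaves only 1G of headroom, so the default 4G headroom refuses the mount; pass a smaller third argument if you accept that. The `-C 1000 -W 3` rotation keeps at most three files of roughly 1 GB each, which stays under the 4g cap instead of letting a long capture hit ENOSPC.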
One other way to reduce CPU load I was investigating for live Wireshark captures was using cppcap instead of tcpdump for these live captures, as cppcap doesn't seem to cause nearly as much overhead as tcpdump which is the tool's main intent. However I confirmed with the tool's author @Aviad_Hadarian that cppcap does not have the option to output raw packets to the stdout, but if it did I think that would be very helpful to reduce live capture overhead. Might it be possible for cppcap to write its raw packet output to a named pipe (FIFO) via -o instead of a regular file, then have some intermediate process such as dd read that named pipe, dump it to its stdout and directly into Wireshark's stdin?
Also apparently having stuck tcpdump processes executing in the background running up CPU load on the Dispatcher cores has occurred often enough to cause the following recent SK to be created: sk172886: Multiple ksoftirqd processes show high CPU use
Some OpenSSH options can help this work through jump servers in the path. Specifically, check out the ProxyJump option in ssh_config(5). It uses port forwarding on a jump server to let the client connect "directly" to the end destination. Notably, this doesn't expose any key material to the jump server in the path (unlike SSH agent forwarding).
A few other options can get similar results.
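As an added illustration of the ProxyJump suggestion above (not configuration from the thread; the host names, addresses, user names and key file names are constructed), an ssh_config fragment that reaches the gateway through a jump server without handing the jump server any key material:

```sshconfig
# ~/.ssh/config on the workstation (added example; all values are placeholders)
Host jump
    HostName 203.0.113.5
    User analyst
    IdentityFile ~/.ssh/id_ed25519_jump
    IdentitiesOnly yes

Host fw1
    HostName 192.168.199.22
    User admin
    ProxyJump jump
    IdentityFile ~/.ssh/id_ed25519_fw
    IdentitiesOnly yes
    # The jump server only forwards a TCP connection; it never needs our keys,
    # so leave agent forwarding off explicitly.
    ForwardAgent no
```

With this in place the original pipeline becomes `ssh fw1 "tcpdump -s0 -w - -i eth0" | wireshark -k -i -`. One caveat: the firewall now sees the jump server's address as the SSH peer, so a capture filter that excludes your own session has to name the jump server (for example `not (host 203.0.113.5 and port 22)`), not the workstation.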
Do you know of a way to start multiple tcpdumps in a single session? I would love to see Check Point permit "screen" to operate. I would also like to see an updated ethtool.
@KlowikiOne Well, since you are a CP employee, your best bet for those things is to verify with R&D. Personally, I never heard of a way to start multiple tcpdumps in a single session.
If you need to capture on all interfaces with tcpdump, just use an interface name of "any", but be careful as that can impact the performance of the firewall. You could also use cppcap with the "-I (interface)" option, which will capture traffic on all interfaces except the named (interface), as opposed to using "-i" for the interface specification. ethtool was updated in Gaia 3.10. All this was covered in my 'Max Capture: Know Your Packets' course.
I avoid using the any interface; however, I do like the cppcap option to capture on any interface except the one flagged.
That's a good point, BUT sometimes, if you don't know what interface to use, you have to use any...
Check out the site my colleague made a while back on capturing with all major vendors; hope it helps you.
Andy
I actually use this site to formulate the command line to use with tcpdump and cppcap. I find having customers use this is a helpful learning tool.
My colleague made that site in order to actually help anyone struggling with packet captures and debugs... we've all been there mate, whether we want to admit it or not 😂
There's not a good way to. Multiple SSH sessions are basically free, though (no more overhead than a single connection carrying all the same data).
I am going to try to use cprid_util to spawn a tcpdump with a flag to close out the capture.
Very nice solution!
If you add "not port 22", you will no longer see your own SSH packets.
ssh admin@1.1.1.1 "tcpdump -s0 -w - -i eth0 not port 22" | "c:/program files\wireshark\wireshark.exe" -k -i -
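Pulling together the original pipeline, the "timeout" caveat about stuck tcpdump processes raised earlier in the thread, and the "not port 22" refinement above, here is an added example (not code from the thread or from Check Point) that builds the remote command with those points baked in and checks that what comes back really starts with capture data. It assumes the gateway account lands in bash (expert mode), so `timeout` and shell quoting are available, and a POSIX workstation with `wireshark` on PATH; all host and address values are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: build the remote tcpdump command for
# the ssh -> Wireshark live pipe with the thread's caveats baked in, and a
# check that the stream really starts with capture data rather than a banner.
# Assumptions: the gateway account drops into bash (expert mode), so `timeout`
# and shell quoting are available; the workstation is POSIX with `wireshark`
# on PATH; all host and address values are constructed for illustration.

# build_remote_capture IFACE CLIENT_IP SECONDS [EXTRA_FILTER]
#   - timeout: caps the remote process so a dropped session cannot leave a
#     tcpdump running in the background
#   - -U: packet-buffered output, so each packet reaches Wireshark as it is
#     captured instead of sitting in a block buffer
#   - the filter excludes only this SSH session (our own address + port 22),
#     not every port-22 flow transiting the firewall
build_remote_capture() {
    iface=$1; client=$2; secs=$3; extra=$4
    filter="not (host $client and tcp port 22)"
    if [ -n "$extra" ]; then
        filter="$filter and ($extra)"
    fi
    printf "timeout %s tcpdump -s0 -U -w - -i %s '%s'" "$secs" "$iface" "$filter"
}

# pcap_stream_ok FILE: succeed if the first four bytes are a pcap or pcapng
# magic number. A login banner or MOTD printed by the remote shell would land
# here first and make Wireshark reject the stream.
pcap_stream_ok() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1|0a0d0d0a) return 0 ;;
        *) return 1 ;;
    esac
}

# live_capture HOST IFACE CLIENT_IP SECONDS [EXTRA_FILTER]
# ssh -T disables PTY allocation so nothing but tcpdump's bytes come back.
live_capture() {
    host=$1; shift
    cmd=$(build_remote_capture "$@")
    ssh -T "$host" "$cmd" | wireshark -k -i -
}

# Constructed example invocation (run by hand; values are placeholders):
#   live_capture admin@192.168.199.22 eth0 192.0.2.10 600 'not arp'
```

If Wireshark complains that the input is not a valid capture, save a few seconds of the raw stream to a file first (`ssh -T host "$cmd" | head -c 64 > probe.bin`) and run `pcap_stream_ok probe.bin`; a failure means something other than tcpdump (a banner, a clish prompt, an error message) is being written to stdout ahead of the capture. CLIENT_IP is the address the firewall sees your session coming from, which is the jump host's address when one is in the path.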
