Wireshark Live Capture From Check Point Firewall directly to your PC
Note: If a jump box is required in your environment, you need to run the command from the jump box.
The standard warning applies: do not run a capture of any kind in this manner on a loaded firewall. CPU under 70% should be safe, but after hours is best. In theory this type of capture reduces CPU utilization because the firewall no longer has to write a capture file, and there is nothing to download afterwards; the remote capture closes automatically when you stop the capture in Wireshark. Ensure you have the bandwidth available to copy the traffic, since every captured packet crosses the SSH session. tcpdump filters also work on the command line.
ssh admin@192.168.199.22 "tcpdump -s0 -w - -i eth0" | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -
I tried many different commands and command shells before I got the traffic redirection to work.
Cygwin did not work
Mobaxterm did not work
Openssh in Cygwin did not work
Almost every Google search for using stdout to push firewall traffic to the PC, so that Wireshark could read stdin and show live traffic in real time, turned up nothing that worked. I found no references to using the good old command window and OpenSSH.
OpenSSH on the command line opens an SSH session to the firewall over port 22. tcpdump on the firewall writes the filtered traffic in raw pcap format to stdout, which travels back to the workstation inside the encrypted SSH session. Wireshark reads that stream from stdin and displays it on screen in real time. Amazing stuff.
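The same pipeline as a small POSIX sh script for a Linux jump box or workstation, added here as an example and not part of the original post. It adds the two checks worth doing before starting: it refuses to run when the firewall is already busier than the 70% rule above, and it keeps the capture's own SSH session out of the tcpdump filter, because a capture on the management interface would otherwise carry its own transport and keep growing. It assumes key or agent authentication to an account whose login shell runs tcpdump and vmstat directly (expert-mode bash, for instance), a Linux-style vmstat on the firewall, and wireshark on the local PATH; the function names and the sample client address are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post: ssh | tcpdump | wireshark with
# a CPU check first and the SSH session itself excluded from the capture.
# Assumes key/agent auth to an account whose shell runs tcpdump and vmstat
# directly (e.g. expert-mode bash) and wireshark on the local PATH.

MAX_BUSY=${MAX_BUSY:-70}   # highest acceptable CPU busy percentage

# idle_percent: reads `vmstat 1 2` output on stdin, prints idle CPU % of the
# last sample. The "id" column is found from the header line, so the parse
# survives vmstat versions that add or drop the trailing "st"/"gu" columns.
idle_percent() {
  awk '{ for (i = 1; i <= NF; i++) if ($i == "id") col = i; last = $0 }
       END { n = split(last, f); if (col && col <= n) print f[col] }'
}

# cpu_ok IDLE: succeeds when the busy share (100 - IDLE) is within MAX_BUSY
cpu_ok() {
  [ -n "$1" ] && [ $((100 - $1)) -le "$MAX_BUSY" ]
}

# capture_filter CLIENT_IP [EXTRA]: BPF filter that drops this SSH session
# and ANDs in any extra tcpdump filter the operator wants
capture_filter() {
  f="not (host $1 and tcp port 22)"
  [ -n "$2" ] && f="$f and ($2)"
  printf '%s' "$f"
}

# run_capture FW_HOST IFACE CLIENT_IP [EXTRA_FILTER]
run_capture() {
  fw=$1; iface=$2; me=$3; extra=$4
  idle=$(ssh "$fw" vmstat 1 2 | idle_percent)
  if ! cpu_ok "$idle"; then
    echo "refusing: $fw idle=${idle:-unknown}%, limit is $MAX_BUSY% busy" >&2
    return 1
  fi
  filter=$(capture_filter "$me" "$extra")
  # -s0 whole packets, -U flush each packet so Wireshark updates live,
  # -w - writes pcap to stdout; stopping the capture in Wireshark ends ssh too
  ssh "$fw" "tcpdump -s0 -U -w - -i $iface '$filter'" | wireshark -k -i -
}

# e.g.: ./fwcap.sh admin@192.168.199.22 eth0 192.168.199.10 'not port 443'
if [ "$#" -ge 3 ]; then run_capture "$@"; fi
```

The third argument is the address the firewall sees the SSH session coming from (the jump box or PC), which is what the exclusion filter needs.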