Create a Post
Showing results for 
Search instead for 
Did you mean: 

Wrieshark run for long period


for inconstant problems which we need to run wireshark / fw monitor to get a packet capture form the FW.. how do you run this in a way that will keep the fw "safe from crush" and without being connected to the FW.



0 Kudos
3 Replies

For long-running captures I'd suggest using cppcap:

sk141412: Running tcpdump causes high CPU usage - Introducing cppcap

Use of fw monitor for long-running captures is potentially more likely to impact firewall performance since it is essentially "in line" with the chain module sequences (fw ctl chain), and also if someone reinstalls policy to the gateway while an fw monitor is running, the capture will be automatically terminated due to the chain sequences being rebuilt as part of the installation process.

"Max Capture: Know Your Packets" Video Series
now available at
0 Kudos

TCPDUMP is a Linux tool which at times is not suitable for use with Gaia. Running TCPDUMP causes a significant increase in CPU usage and as a result impact the performance of the device. Even while filtering by specific interface or port still high CPU occurs. Check Point created a tool which works better with Gaia OS.

"CPPCAP" is a traffic capture tool which provides the most relevant outputs and is similar to Tcpdump. The tool is adjusted to Gaia operating system yet requires installation of an applicable RPM. The good news! SecureXL can be enabled or disabled to capture with CPPCAP.

More read here:
- R80.x - Performance Tuning and Debug Tips - TCPDUMP vs. CPPCAP

0 Kudos

There's also the "set up a mirror port on your switch" option and running a packet capture on a machine connected to said mirror port.
That obviously requires having a switch where that is possible and having an extra machine.
0 Kudos