This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Dor_Marcovitch
Advisor
‎2020-05-24 12:08 AM

Wrieshark run for long period

hey.

for inconstant problems which we need to run wireshark / fw monitor to get a packet capture form the FW.. how do you run this in a way that will keep the fw "safe from crush" and without being connected to the FW.

thanks

dor

0 Kudos
3 Replies
Timothy_Hall
Legend Legend
Legend
‎2020-05-24 08:24 AM

For long-running captures I'd suggest using cppcap:

sk141412: Running tcpdump causes high CPU usage - Introducing cppcap

Use of fw monitor for long-running captures is potentially more likely to impact firewall performance since it is essentially "in line" with the chain module sequences (fw ctl chain), and also if someone reinstalls policy to the gateway while an fw monitor is running, the capture will be automatically terminated due to the chain sequences being rebuilt as part of the installation process.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
HeikoAnkenbrand
Champion Champion
Champion
‎2020-05-24 11:15 AM

TCPDUMP is a Linux tool which at times is not suitable for use with Gaia. Running TCPDUMP causes a significant increase in CPU usage and as a result impact the performance of the device. Even while filtering by specific interface or port still high CPU occurs. Check Point created a tool which works better with Gaia OS.

"CPPCAP" is a traffic capture tool which provides the most relevant outputs and is similar to Tcpdump. The tool is adjusted to Gaia operating system yet requires installation of an applicable RPM. The good news! SecureXL can be enabled or disabled to capture with CPPCAP.

More read here:
- R80.x - Performance Tuning and Debug Tips - TCPDUMP vs. CPPCAP

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
PhoneBoy
Admin
Admin
‎2020-05-25 12:32 PM

There's also the "set up a mirror port on your switch" option and running a packet capture on a machine connected to said mirror port.
That obviously requires having a switch where that is possible and having an extra machine.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events