Dor_Marcovitch
Advisor

Wireshark run for long period

Hey.

For inconstant problems, for which we need to run Wireshark / fw monitor to get a packet capture from the FW: how do you run this in a way that keeps the FW "safe from crash" and without being connected to the FW?

Thanks,

Dor

3 Replies
Timothy_Hall
Legend

For long-running captures I'd suggest using cppcap:

sk141412: Running tcpdump causes high CPU usage - Introducing cppcap

Use of fw monitor for long-running captures is potentially more likely to impact firewall performance since it is essentially "in line" with the chain module sequences (fw ctl chain), and also if someone reinstalls policy to the gateway while an fw monitor is running, the capture will be automatically terminated due to the chain sequences being rebuilt as part of the installation process.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
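As an added example (not from the thread or from Check Point), this is how a long-running capture can be started so that it survives the SSH session ending and cannot fill the disk: a ring buffer sized from free space, started under nohup, with the PID recorded for a later clean stop. The capture tool is a variable because the option set shown (-i, -s, -C, -W, -w) is tcpdump's; the thread recommends cppcap (sk141412), so confirm its options in the SK before swapping the tool name. The capture directory, the 50% disk budget, and the snaplen of 96 bytes are assumptions.

```shell
#!/bin/bash
# Added example, not the thread's own code. Plans and starts a detached,
# disk-bounded packet capture for intermittent problems on a gateway.

CAPTURE_TOOL="${CAPTURE_TOOL:-tcpdump}"        # thread recommends cppcap; options below are tcpdump's
CAPTURE_DIR="${CAPTURE_DIR:-/var/log/capture}" # assumed location on a large enough partition

# Size the ring buffer from free space: spend at most `pct` percent of
# `avail_mb`, split into `files` rotating files. Echoes "<file_mb> <files>".
# Fails (return 1) when the per-file size would be under 10 MB, i.e. the
# partition is too full to capture safely.
plan_ring_buffer() {
    local avail_mb=$1 pct=$2 files=$3
    local budget_mb=$(( avail_mb * pct / 100 ))
    local file_mb=$(( budget_mb / files ))
    [ "$file_mb" -ge 10 ] || return 1
    echo "$file_mb $files"
}

# Compose the capture command line. -s 96 keeps headers only (smaller files,
# less I/O on the gateway); -C/-W rotate through a fixed number of files so
# disk use is bounded no matter how long the capture runs.
build_capture_cmd() {
    local iface=$1 filter=$2 file_mb=$3 files=$4
    printf '%s -i %s -s 96 -C %s -W %s -w %s/cap.pcap %s' \
        "$CAPTURE_TOOL" "$iface" "$file_mb" "$files" "$CAPTURE_DIR" "$filter"
}

# Start the capture detached with nohup so logging out leaves it running,
# and record the PID so it can be stopped with: kill "$(cat capture.pid)".
start_capture() {
    local iface=$1 filter=$2
    local avail_mb plan
    mkdir -p "$CAPTURE_DIR"
    avail_mb=$(df -Pm "$CAPTURE_DIR" | awk 'NR==2 {print $4}')
    plan=$(plan_ring_buffer "$avail_mb" 50 10) || {
        echo "not enough free space in $CAPTURE_DIR for a safe capture" >&2
        return 1
    }
    set -- "$iface" "$filter" $plan   # positional: iface filter file_mb files
    # $2 (the BPF filter) is intentionally unquoted so its words are split.
    nohup "$CAPTURE_TOOL" -i "$1" -s 96 -C "$3" -W "$4" \
        -w "$CAPTURE_DIR/cap.pcap" $2 >"$CAPTURE_DIR/capture.log" 2>&1 &
    echo $! > "$CAPTURE_DIR/capture.pid"
}
```

Run as `start_capture eth0 'host 10.0.0.5 and port 443'` and check `capture.log` afterwards; the capture stops cleanly when the recorded PID is killed.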
HeikoAnkenbrand
Champion

TCPDUMP is a Linux tool which at times is not suitable for use with Gaia. Running TCPDUMP causes a significant increase in CPU usage and as a result impacts the performance of the device. Even while filtering by a specific interface or port, high CPU usage still occurs. Check Point created a tool which works better with Gaia OS.

"CPPCAP" is a traffic capture tool which provides the most relevant outputs and is similar to Tcpdump. The tool is adjusted to the Gaia operating system, yet requires installation of an applicable RPM. The good news: SecureXL can be enabled or disabled to capture with CPPCAP.

More read here:
- R80.x - Performance Tuning and Debug Tips - TCPDUMP vs. CPPCAP

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
PhoneBoy
Admin

There's also the "set up a mirror port on your switch" option and running a packet capture on a machine connected to said mirror port.
That obviously requires having a switch where that is possible and having an extra machine.