This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Tobias_Moritz
Advisor
‎2022-08-01 06:53 AM

cppcap and IPv6 host filters

Hello Check Mates,

cppcap is out for quite a while now, but everytime when I want to do IPv6 captures with it, I am struggeling with the filter syntax.

sk141412 tells us, that IPv6 is supported and the filter syntax is the one from libpcap. However, filter strings with IPv6 hosts which work in tcpdump do not work with cppcap.

cppcap -f 'host 2a02:26f0:12d:58c::4b36 or host 2a02:26f0:12d:59c::4b36' -o test.pcap -w 10M -W 2

is not showing any error message, but also not capturing traffic.

cppcap -f 'host c1-word-view-15.cdn.office.net' -o test.pcap -w 10M -W 2

is capturing the IPv6 traffic, showing exactly the IPv6 addresses in capture, that I used for the filter above. The FQDN used here resolves to the two IPv6 addresses shown above.

When using tcpdump:

tcpdump -i eth0 -w test.pcap host 2a02:26f0:12d:58c::4b36 or host 2a02:26f0:12d:59c::4b36

it is working fine.

Am I holding it wrong? 🙂

Does anyone got cppcap to work with IPv6 host filter strings?

The workaround in using tcpdump instead of cppcap is not suitable in production, because of the load (as mentioned in the sk).

The workround in using FQDN instead of IPv6 address in filter string is not suitable for obvious reasons.

Version: R80.40 JHF T161.

 

Thank you for any ideas!

0 Kudos
2 Replies
Chris_Atkinson
Employee Employee
Employee
‎2022-08-02 06:22 AM

Can you get what you need from "fw monitor" rather than tcpdump?

Otherwise if the syntax is not operating as you expect I would work the examples through further with TAC.

CCSM R77/R80/ELITE
0 Kudos
Tobias_Moritz
Advisor
‎2022-08-02 06:59 AM
In response to Chris_Atkinson

Hey Chris, thanks for that idea. While fw6 monitor -F works for very simple scenarios and the performance impact is not as bad as with tcpdump, it is still much more ressource intensive compared to cppcap. And we have all the overhead from the multiple chain position capturing.

I will try asking the sk owner first, if that does not work, I will file a TAC case. Just wanted to ask community first, maybe I am just doing it wrong.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events