Re: find trafic in 750 appliance

hezi_angel · ‎2019-01-17

hello

I have 750 appliance And I want to find who takes me the most bandwidth.

In: Active computers - Start Traffic Monitoring

I see the traffic of all computers since the firewall is turned on

Is there another way to find bandwidth usage now?

I tried downloading a packet in: Tools - Paket Capture

I went in to save the packets, but it only keeps 500kb, which is less than a second of traffic

Is it possible to save all the network's traffic for more time?

Thank you

PhoneBoy · ‎2019-01-18

There is limited storage space on the 750, which is why the packet capture limit is so small.

You could probably save more to a USB drive from expert mode using the tcpdump command.

hezi_angel · ‎2019-01-19

How to use tcpdump?

Is this a computer connected to one of the lan?

Through tcpdump you can also check the speed of traffic?
Or will I still need to use the wireshark with the file I'm creating?

Thanks

PhoneBoy · ‎2019-01-19

tcpdump is a command you can run on the 750 via the CLI in expert mode.

It's a standard Unix command.

You would then download the pcap file and, if you prefer, look in Wireshark or any other offline tool.

The following might be helpful if you've never used tcpdump before:

[tool] - https://tcpdump101.com‌

hezi_angel · ‎2019-01-19

I do this from any computer connected to the network

Or from a computer connected to a special place?

Thank you very much

It helps me a lot

PhoneBoy · ‎2019-01-19

Like I said, you run the command from the CLI.

You do that either from an SSH session (can be from anywhere) or a Console connection, which requires a direct serial/USB connection to the appliance.

hezi_angel · ‎2019-01-19

Sorry

I still did not understand

If I run tcpdump from one of the computers it will create me a traffic file just for this computer

So how do I connect the computer that it will receive all the traffic?

I did not understand how to run the cli via ssh, and then run the tcpdump

Can I explain this or a guide?

Thank you

PhoneBoy · ‎2019-01-20

You are trying to run tcpdump on the 750 appliance itself.

To do that, you need to reach the CLI of the device.

You can access the CLI using:

SSH (using a client like putty from a PC)
A USB/Serial connection to the device (putty can also use a serial connection).

Once you get there, you can run tcpdump with the appropriate options.

I highly recommend reviewing the product documentation: Check Point 700/900 Appliances R77.20.81 Administration Guide

You may also want to consult with someone from your local Check Point office or partner.

PhoneBoy · ‎2019-01-18

You can definitely see who is using large amounts of bandwidth in the last hour, though.

This requires using Identity Awareness.

hezi_angel · ‎2019-01-19

This only works if I set a user for each Ip

It does not show by ip or computer's name

In applications it is impossible to know which computer is using the specific software

For example, if I found that there is a big use of windows update

I can not tell which computer it is

Thanks

PhoneBoy · ‎2019-01-19

If you're logging applications, you should be able to tell which computers are using Windows Update, though.

hezi_angel · ‎2019-01-19

in applications

He shows me only the software, not some computer

Could it be that he show me the computers only if i write the user on router?

PhoneBoy · ‎2019-01-20

You should be able to look at the logs and find the people using those specific applications.

Are you a member of CheckMates?

find trafic in 750 appliance