Hello Experts,
With pre-R80.40 systems I captured with
tcpdump -Penni any <pcap-filter>
and got the interface:
12:19:15.061879 Mgmt.600[out]: 10.238.1.1.22 > 10.238.0.4.52825: P 443932:444192(260) ack 1769 win 47888
12:19:15.061883 Mgmt[out]: 10.238.1.1.22 > 10.238.0.4.52825: P 443932:444192(260) ack 1769 win 47888
12:19:15.062010 Mgmt.600[out]: 10.238.1.1.22 > 10.238.0.4.52825: P 444192:444452(260) ack 1769 win 47888
12:19:15.062014 Mgmt[out]: 10.238.1.1.22 > 10.238.0.4.52825: P 444192:444452(260) ack 1769 win 47888
12:19:15.062141 Mgmt.600[out]: 10.238.1.1.22 > 10.238.0.4.52825: P 444452:444712(260) ack 1769 win 47888
12:19:15.062145 Mgmt[out]: 10.238.1.1.22 > 10.238.0.4.52825: P 444452:444712(260) ack 1769 win 47888
12:19:15.062277 Mgmt.600[out]: 10.238.1.1.22 > 10.238.0.4.52825: P 444712:444972(260) ack 1769 win 47888
With R80.40 "-P" is not possible. I used "-Q inout" but I didn't get the interfaces.
With cppcap you can get it in the text output but not in the capture file/Wireshark.
I need something like this (captured with "tcpdump -Penni any" on R80.20).
Any ideas how to get the interfaces back in the text output with tcpdump and also in the capture file (for Wireshark)?
Bye
As mentioned in my Max Capture class, the tcpdump 3.9.4 version bundled with Gaia 2.6.18 had the -P flag directly hacked in to the tcpdump binary by Check Point to display the interface name in CLI output.
When Gaia 3.10 was introduced the version of tcpdump was updated to version 4.9.0 and the -P hack went away with it. Will probably need to submit an RFE to get this put back in. Alternatively it looks like tcpdump version 4.9.9 now natively supports displaying the interface name in the CLI output. As a further motivator for an RFE, the tcpdump changelog (https://www.tcpdump.org/tcpdump-changes.txt) notes that literally dozens of CVE vulnerabilities were fixed in tcpdump versions 4.9.2 and 4.9.3, so perhaps R&D could just update tcpdump to 4.9.9 via Jumbo HFA and kill two birds with one stone. Tagging @PhoneBoy for R&D coordination.
As a workaround for now just use cppcap (my preferred tool) or there is the "anydump" script:
https://sebastianhaas.de/anydump-release/
Thanks for the fast answer.
If "-P" is always built in: If I start (on R80.40)
tcpdump -s0 -w file.cap -enni any host <pcap-filter>
I can't see the interface information inside Wireshark as shown in my screenshot in my first post (and also not with my preferred tool cppcap 😏).
BTW: I read your presentation and didn't get the information that "-P" is built in 😮
You can't see the interface name in Wireshark because it is not embedded in the pcap file in the first place. If doing a live capture or a replay with version 4.9.9, tcpdump can only display the interface information because it is looking at the live interface configuration of the system it is running on, and can calculate the interface name for display. If a pcap file created by tcpdump/cppcap is replayed on a different system or viewed in Wireshark, the interface name information is not supported by the pcap format at all, and is simply not available. Using the hacked-in -P option embedded the interface name into the pcap file in what I assume is an unsupported way, as seen in your screenshot. pcapng (which is still experimental) will address this by including interface name information right in the capture file.
So without the -P hack you are basically stuck, and cannot see interface information in Wireshark with pcap captures generated by cppcap/tcpdump. It would be a very interesting feature if cppcap had an option to output its captures in pcapng format (which would include interface name information embedded in the capture) instead of standard pcap format, so I'm going to tag cppcap's author @Aviad_Hadarian who also got a shout out in my 2021 CPX presentation.
As a workaround you could use fw monitor -F, which can capture accelerated traffic and has the interface name information along with capture points embedded in its capture file output in the "snoop" file format, which does support including the interface name. You'll need to set up Wireshark to display this properly as described here: sk39510: How to configure Wireshark to display Check Point FireWall chains in an FW Monitor packet. However be sure to read my stern warning in the presentation about how fw monitor -F can blast you with an unfiltered capture if you make a mistake with your filter, so double-check your filtering syntax and always use the -ci and/or -co options to automatically limit the number of packets captured by fw monitor -F just in case you do make a mistake.
I suppose you could take the older tcpdump binary from a R80.20 system and copy it over to a Gaia 3.10 system and try to run it, but that is unlikely to work and most definitely not supported.
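The point above is that classic pcap has no place to store an interface name, while pcapng carries it in an Interface Description Block (IDB) via the if_name option. The following is an added illustration, not code from this thread or from cppcap: it builds a minimal constructed pcapng header section with one IDB per interface and parses the interface names back out, so you can see exactly where the name lives in the file. The interface names used are constructed sample values.

```python
import struct

SHB, IDB = 0x0A0D0D0A, 0x00000001          # pcapng block types
BYTE_ORDER_MAGIC = 0x1A2B3C4D               # little-endian section marker
OPT_END, OPT_IF_NAME = 0, 2                 # option codes (if_name = 2)

def _opt(code, value):
    # one pcapng option: code, length, value padded to a 32-bit boundary
    return struct.pack("<HH", code, len(value)) + value + b"\0" * ((-len(value)) % 4)

def _block(btype, body):
    # generic block: type, total length, body, total length (trailer)
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def build_pcapng(if_names, linktype=113, snaplen=262144):
    # Constructed sample file: one SHB, then one IDB per interface name.
    # linktype 113 = LINUX_SLL, what tcpdump uses for the "any" pseudo-device.
    shb = _block(SHB, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1) + _opt(OPT_END, b""))
    idbs = b"".join(
        _block(IDB, struct.pack("<HHI", linktype, 0, snaplen)
               + _opt(OPT_IF_NAME, name.encode()) + _opt(OPT_END, b""))
        for name in if_names)
    return shb + idbs

def pcapng_interface_names(data):
    # Walk the blocks and collect every if_name option found in an IDB.
    names, off = [], 0
    while off + 12 <= len(data):
        btype, total = struct.unpack_from("<II", data, off)
        if total < 12 or off + total > len(data):
            raise ValueError("truncated or corrupt pcapng block")
        if btype == SHB and struct.unpack_from("<I", data, off + 8)[0] != BYTE_ORDER_MAGIC:
            raise ValueError("only little-endian sections handled in this example")
        if btype == IDB:
            # options start after LinkType(2)+Reserved(2)+SnapLen(4); stop before trailer
            o, end = off + 16, off + total - 4
            while o + 4 <= end:
                code, ln = struct.unpack_from("<HH", data, o)
                if code == OPT_END:
                    break
                if code == OPT_IF_NAME:
                    names.append(data[o + 4:o + 4 + ln].decode())
                o += 4 + ln + ((-ln) % 4)
        off += total
    return names

if __name__ == "__main__":
    sample = build_pcapng(["Mgmt", "Mgmt.600", "bond0.100"])
    print(pcapng_interface_names(sample))   # ['Mgmt', 'Mgmt.600', 'bond0.100']
```

A classic pcap file has only a 24-byte global header (magic, version, timezone, sigfigs, snaplen, linktype) and per-packet timestamps and lengths, which is why no parser can recover an interface name from it.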
@Timothy_Hall thank you for your kind words, I don't think it's too problematic to add interface names if such a thing is available in libpcap, will look
Thanks for taking a look at this. And another RFE 😉
Can you add a fileinfo in the pcap file (as f5 does)?
This would also help TAC to interpret captures.
That's nice but it will require a special extension in Wireshark
I'm running Wireshark 3.4.3 and didn't install any plugins (AFAIK)...