This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Daniel_
Advisor
‎2021-02-26 04:03 AM

tcpdump any interface didn't show interface in R80.40

Hello Experts,

with pre R80.40 systems I captured with

tcpdump -Penni any <pcap-filter>

and got the interface:

12:19:15.061879 Mgmt.600[out]: 10.238.1.1.22 > 10.238.0.4.52825: P 443932:444192(260) ack 1769 win 47888
12:19:15.061883 Mgmt[out]: 10.238.1.1.22 > 10.238.0.4.52825: P 443932:444192(260) ack 1769 win 47888
12:19:15.062010 Mgmt.600[out]: 10.238.1.1.22 > 10.238.0.4.52825: P 444192:444452(260) ack 1769 win 47888
12:19:15.062014 Mgmt[out]: 10.238.1.1.22 > 10.238.0.4.52825: P 444192:444452(260) ack 1769 win 47888
12:19:15.062141 Mgmt.600[out]: 10.238.1.1.22 > 10.238.0.4.52825: P 444452:444712(260) ack 1769 win 47888
12:19:15.062145 Mgmt[out]: 10.238.1.1.22 > 10.238.0.4.52825: P 444452:444712(260) ack 1769 win 47888
12:19:15.062277 Mgmt.600[out]: 10.238.1.1.22 > 10.238.0.4.52825: P 444712:444972(260) ack 1769 win 47888

With R80.40 "-P" is not possible. I used "-Q inout" but I didn't get the interfaces.

With cppcap you can get it in text output but not in capture/wireshark.

I need something like this (captured with "tcpdump -Penni any" on R80.20)

wireshark.png

Any ideas to get interfaces in text output with tcpdump and also in capture file (for wireshark) back?

Bye

0 Kudos
7 Replies
Timothy_Hall
Legend Legend
Legend
‎2021-02-26 06:32 AM

As mentioned in my Max Capture class, the tcpdump 3.9.4 version bundled with Gaia 2.6.18 had the -P flag directly hacked in to the tcpdump binary by Check Point to display the interface name in CLI output.

When Gaia 3.10 was introduced the version of tcpdump was updated to version 4.9.0 and the -P hack went away with it.  Will probably need to submit an RFE to get this put back in.  Alternatively it looks like tcpdump version 4.9.9 now natively supports displaying the interface name in the CLI output.  As a further motivator for an RFE, the tcpdump changelog (https://www.tcpdump.org/tcpdump-changes.txt) notes that literally dozens of CVE vulnerabilities were fixed in tcpdump versions 4.9.2 and 4.9.3, so perhaps R&D could just update tcpdump to 4.9.9 via Jumbo HFA and kill two birds with one stone.  Tagging @PhoneBoy for R&D coordination.

As an workaround for now just use cppcap (my preferred tool) or there is the "anydump" script:

https://sebastianhaas.de/anydump-release/

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Daniel_
Advisor
‎2021-02-26 07:26 AM
In response to Timothy_Hall

Thanks for the fast answer.

If "-P" is always build in: If I start (on R80.40)

tcpdump -s0 -w file.cap -enni any host <pcap-filter>

I can't see the interface information inside Wireshark as shown in my screenshot in my first post (and also not with my preferred tool cppcap 😏).

BTW: I read you presentation and didn't got the information that "-P" is build in 😮

 

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2021-02-26 08:04 AM
In response to Daniel_

You can't see the interface name in Wireshark because it is not embedded in the pcap file in the first place.  If doing a live capture or a replay with version 4.9.9, tcpdump can only display the interface information because it is looking at the live interface configuration of the system it is running on, and can calculate the interface name for display.  If a pcap file created by tcpdump/cppcap is replayed on a different system or viewed in Wireshark, the interface name information is not supported by the pcap format at all, and is simply not available.  Using the hacked-in -P option embedded the interface name into the pcap file in what I assume is an unsupported way, as seen in your screenshot.  pcapng (which is still experimental) will address this by including interface name information right in the capture file.

So without the -P hack you are basically stuck, and cannot see interface information in Wireshark with pcap captures generated by cppcap/tcpdump.  It would be a very interesting feature if cppcap had an option to output its captures in pcapng format (which would include interface name information embedded in the capture) instead of standard pcap format, so I'm going to tag cppcap's author @Aviad_Hadarian who also got a shout out in my 2021 CPX presentation.

As a workaround you could use fw monitor -F, which can capture accelerated traffic and has the interface name information along with capture points embedded in its capture file output in the "snoop" file format, which does support including the interface name.  You'll need to set up Wireshark to display this properly as described here: sk39510: How to configure Wireshark to display Check Point FireWall chains in an FW Monitor packet.  However be sure to read my stern warning in the presentation about how fw monitor -F can blast you with an unfiltered capture if you make a mistake with your filter, so double-check your filtering syntax and always use the -ci and/or -co options to automatically limit the number of packets captured by fw monitor -F just in case you do make a mistake.

I suppose you could take the older tcpdump binary from a R80.20 system and copy it over to a Gaia 3.10 system and try to run it, but that is unlikely to work and most definitely not supported.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Aviad_Hadarian
Employee
Employee
‎2021-02-27 10:29 PM
In response to Timothy_Hall

@Timothy_Hall  thank you for you kind words, I don't think it too problematic to add interface names if such thing is available in libpcap, will look

0 Kudos
Daniel_
Advisor
‎2021-02-28 11:30 PM
In response to Aviad_Hadarian

Thanks to take a look to this. And an other RFE 😉

Can you add a fileinfo in the pcap file (as f5 does)?

fileinfo.png

This would also help TAC to interpret captures.

Aviad_Hadarian
Employee
Employee
‎2021-03-01 01:35 AM
In response to Daniel_

That's Nice but will require special extension in wireshark

0 Kudos
Daniel_
Advisor
‎2021-03-01 04:04 AM
In response to Aviad_Hadarian

I'm running Wireshark 3.4.3 and didn't installed any plugins (AFAIK)...

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events