This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Lithin_Mathew
Contributor
‎2020-09-23 11:36 PM

Location of IPS Packet Capture PCAP Files in Distributed Environment

We are having a distributed Checkpoint Environment with dedication Checkpoint Log Server, all logs from Gateway is configured to be send to the log server, in this case please confirm where the Packet capture logs are send and what is the location of logs in the log server.

Because as per the SK I was not able to find any files in the specified location of the gateway.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

  • In R80.10 - $FWDIR/log/forensics and /var/log/spool/mail/

Also verified $FWDIR/log/blob but still no files.

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2020-09-26 02:20 PM

Maybe @TP_Master knows the exact location.
But I know there is also an API for this in the latest R80.40 JHF (and in R80.30 JHF 111+): https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Fetching-PCAP-via-API-in-R80-30-J...

0 Kudos
Shay_Hibah
Employee Alumnus
Employee Alumnus
‎2020-09-29 01:42 AM

Hi @Lithin_Mathew 

How are you?

Blob directory was not changed from R80.10.

I would like to veirfy with you:

1. Can you see reports/blobs when you use SmartConsole?

2. What commands did you use to look for the blobs when you connected to LS? did you use mcd to make sure the patch is changed based on the specific domain?

Lithin_Mathew
Contributor
‎2020-09-29 06:39 AM
In response to Shay_Hibah

Thank you @Shay_Hibah for checking on this.

My mistake, I had checked the wrong directory the last time, I had checked through CLI this time and was able to find the files in the blob folder.

But the format of the files are different its not .cap or .pcap, its localhost.blob, how can I change the format to .cap or .pcap so that I can view it in Wireshark. 

Example:

10.177.0.5__89.248.172.149_maildir_sent_new_time1601352097.mail-2498201990-3937761760.localhost.blob

Thank you in advance

 

 

 

 

 

 

 

0 Kudos