Hi Community,
can someone explain to me what happens to Penni?
Penni was my regular parameter set I used on R77.30 when I wanted to see the interface names in a tcpdump.
On R80.10 this is not working anymore:
[Expert@gateway:0]# tcpdump -Penni any port 22
tcpdump: WARNING: Promiscuous mode not supported on the "any" device
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
*** buffer overflow detected ***: tcpdump terminated
======= Backtrace: =========
[cutted]
======= Memory map: ========
[cutted]
Aborted
Is this a bug, a feature or layer-8 problem?
Thanks in advance.
Regards
Sven
PS: I know fw monitor, but I only want to use it if necessary
Sven,
I don't recall -Penni is an interface or sub-command to tcpdump.
Shouldn't it be -i Penni??
Like this:
tcpdump -i Penni any port 22
// Kim
Hi Kim,
Penni is the parameter set. The interface is any. The "-i" is already part of "Penni".
Cheers
Sven
Reported version of tcpdump/libpcap did not change between R77.30 and R80.10 (3.9.4/0.9.4), at least between R77.30 vanilla and R80.10 jumbo HFA take 42 which is what I have readily available in my lab. But I am seeing the same problem you are with tcpdump crashing on R80.10 when you use the -Penni options.
Taking a closer look at the tcpdump crash with strace in R80.10:
recvfrom(8, "E\0\0004\37\272@\0\200\6VS\300\0\2\1\300\0\2\265. \0\26"..., 80, MSG_TRUNC, {sa_family=AF_PACKET, proto=0x800, if2, pkttype=PACKET_HOST, addr(6)={1, 005056c00001}, [18]) = 52
access("/proc/net", R_OK) = 0
access("/proc/net/unix", R_OK) = 0
socket(PF_FILE, SOCK_DGRAM, 0) = 9
ioctl(9, SIOCGIFNAME, {ifr_index=2, ifr_name="eth0"}) = 0
close(9) = 0
open("/dev/tty", O_RDWR|O_NONBLOCK|O_NOCTTY) = 9
writev(9, [{"*** buffer overflow detected ***"..., 34}, {"tcpdump", 7}, {" terminated\n", 12}], 3) = 53
Even though the reported tcpdump version number was not changed in R80.10, I'm guessing that Check Point must have ported in the tcpdump fixes mentioned here: "Multiple Vulnerabilities in tcpdump" (SANS Internet Storm Center), and the fixes are running afoul of the interface determination mechanism used by tcpdump when -P is invoked.
Curious thing is while the -P option (capitalized) is shown as a valid option by the tcpdump usage statement, it does not appear to be officially documented anywhere that I can find.
--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com
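The strace triage in the post above, as an added example (not part of the original thread, and not Check Point's or tcpdump's code): it finds glibc's abort banner in a trace and reports the last syscall that handed data to the process before it. The sample is the tail of the strace excerpt from the post; the function and constant names are this example's own, and the stack-protector banner goes beyond the case seen in the thread.

```python
import re

# Tail of the strace excerpt quoted in the post above.
SAMPLE = r'''access("/proc/net", R_OK) = 0
access("/proc/net/unix", R_OK) = 0
socket(PF_FILE, SOCK_DGRAM, 0) = 9
ioctl(9, SIOCGIFNAME, {ifr_index=2, ifr_name="eth0"}) = 0
close(9) = 0
open("/dev/tty", O_RDWR|O_NONBLOCK|O_NOCTTY) = 9
writev(9, [{"*** buffer overflow detected ***"..., 34}, {"tcpdump", 7}, {" terminated\n", 12}], 3) = 53
'''

# Abort banners printed by glibc, mapped to the check that fired.
BANNERS = {
    "*** buffer overflow detected ***": "_FORTIFY_SOURCE length check",
    "*** stack smashing detected ***": "stack protector canary",
}
# name(args) = ret, with an optional leading PID as written by strace -f.
CALL = re.compile(r'^(?:\d+\s+)?(\w+)\((.*)\)\s+=\s+(-?\d+|\?)')
# Skipped when looking for context: glibc opens /dev/tty and writes the
# banner itself, and close() hands no data to the process.
PLUMBING = {"open", "openat", "close", "write", "writev"}


def triage(trace):
    """Return the fired check and the last data-bearing syscall before it."""
    seen = []
    for line in trace.splitlines():
        m = CALL.match(line.strip())
        if not m:
            continue  # signal lines, unfinished calls, blank lines
        name, args, ret = m.groups()
        if name in ("write", "writev"):
            for banner, check in BANNERS.items():
                if banner in args:
                    prior = next((c for c in reversed(seen)
                                  if c[0] not in PLUMBING), None)
                    return {"check": check, "before": prior}
        seen.append((name, args, ret))
    return None  # no glibc abort banner in this trace


if __name__ == "__main__":
    print(triage(SAMPLE))
```

The reported syscall only localizes the fault: the overflow itself happens in user space after that call returns.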
Hi Tim,
thanks for your investigation.
With this information it is worth opening an SR.
I will keep you posted!
Sven
The response to my service request is a fix implemented in the latest JHF ongoing take 151 released today.

This fix for tcpdump is also now available in a GA Jumbo HFA, take 154.
R80.10: New Jumbo Hotfix (Take 154) GA-Release
--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com