Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
KlowikiOne
Employee
Employee

Using Wireshark to capture packets on Firewall using standard out.

Wireshark Live Capture From Check Point Firewall directly to your PC

   Note: If a Jump box is required in your environment you need to run command from the jump box.

Standard Warning applies, Do not run a capture of any kind in this manner on an loaded firewall. No CPU over 70% should be safe however after-hours is best. Theoretically this type of capture will reduce CPU utilization by relieving the need to write a file. No download needed. The capture will automatically close when the capture is stopped.  Ensure you have the bandwidth available to copy traffic. Filters also work in the command line.

ssh admin@192.168.199.22 "tcpdump -s0 -w - -i eth0" | "c:/program files\wireshark\wireshark.exe" -k -i -

I tried many different commands and command shells before I got the traffic redirects to work.

Cygwin  did not work

Mobaxterm did not work

Openssh in Cygwin did not work

Almost every search in google for using stdout to push firewall traffic to the PC for Wireshark to use stdin to see live traffic in real time did not work. I found no references to use the good old command window and openssh.

 

Openssh as the command line that will open an ssh session over port 22 to the firewall. Tcpdump to redirect the filtered traffic over the tcp encrypted ssh tunnel session on port 22 back to the workstation in raw format. Wireshark to receive the stdout via stdin and display to the screen in real time.  Amazing stuff.

(2)
20 Replies
PhoneBoy
Admin
Admin

This is quite clever and well done on figuring it out.
You mind if I move this to a more public space?

0 Kudos
KlowikiOne
Employee
Employee

I do not mind.  Time for public critique.  🙂

0 Kudos
PhoneBoy
Admin
Admin

Done, moved out to Security Gateways.

0 Kudos
Danny
Champion Champion
Champion

Thanks for this!

0 Kudos
the_rock
Legend
Legend

Good tip 👍

0 Kudos
Timothy_Hall
Champion
Champion

Yep a neat trick and well done!  Here is how I got to the same place awhile back through a different means but I found a number of caveats (the "timeout" one is more precautionary than anything as I saw some stuck tcpdump processes); here is the relevant lecture content along with the lab exercise from my Max Capture: Know Your Packets self-guided video:

live1.pnglive2.pnglive3.png

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
KlowikiOne
Employee
Employee

I added a ram disk as a destination for debugs and realized a 60% reduction in CPU utilization on SND cores compared to the same debug writing to disk. This was in a production environment at 3am in the morning but still worked well. Might be worth further testing for packet captures. 

Process Example is using the ram disk as a destination for tcpdump.

Process

#

#/*Make sure there is enough space. Memory swap does still work to disk if you go over the amount available. Ramfs does not support swap. */

#

#free -g

#

              total        used        free      shared  buff/cache   available

Mem:             15           8           0           1           6           5

Swap:            31           1          29

#

#/*  Create the location the new disk will mount.  */

#mkdir /mnt/rmdisk

#

#/*  Mount the ram as tmpfs and specify amount of ram to use and where to mount it. */

#

#mount -t tmpfs -o size=4g tmpfs /mnt/rmdisk

#

#/* You can cd into the directory and use it as a normal disk. Remember this is volatile memory and will be erased on reboot or dismount.  For Example: tcpdump. */

#

#tcpdump -enni any -w /mnt/rmdisk/dumpme.pcap

 

 

I am also investigating using tar files for tcpdump destinations for reducing CPU utilization. The whole Idea is to minimize the hardware interrupt for DMA for transfers from RAM to Disk. The process is slower than compressing data via cpu and a tar file. Sounded like a good idea anyway.

 

Thank you everyone for your replies and kudos. 

Timothy_Hall
Champion
Champion

One other way to reduce CPU load I was investigating for live Wireshark captures was using cppcap instead of tcpdump for these live captures, as cppcap doesn't seem to cause nearly as much overhead as tcpdump which is the tool's main intent.  However I confirmed with the tool's author @Aviad_Hadarian that cppcap does not have the option to output raw packets to the stdout, but if it did I think that would be very helpful to reduce live capture overhead.  Might it be possible for cppcap to write its raw packet output to a named pipe (FIFO) via -o instead of a regular file, then have some intermediate process such as dd read that named pipe, dump it to its stdout and directly into Wireshark's stdin?

Also apparently having stuck tcpdump processes executing in the background running up CPU load on the Dispatcher cores has occurred often enough to cause the following recent SK to be created: sk172886: Multiple ksoftirqd processes show high CPU use

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Bob_Zimmerman
Authority
Authority

Some OpenSSH options can help this work through jump servers in the path. Specifically, check out the ProxyJump option in ssh_config(5). It uses port forwarding on a jump server to let the client connect "directly" to the end destination. Notably, this doesn't expose any key material to the jump server in the path (unlike SSH agent forwarding).

A few other options can get similar results.

0 Kudos
KlowikiOne
Employee
Employee

Do you know of a way to start multiple tcpdumps in a single session? I would love to see checkpoint permit "screen" to operate.  I would also like to see and updated ethtool. 

 

0 Kudos
the_rock
Legend
Legend

@KlowikiOne Well, since you are a CP employee, your best bet for those things is to verify with R&D. Personally, I never heard of a way to start multiple tcpdumps in a single session.

0 Kudos
Timothy_Hall
Champion
Champion

If you need to capture on all interfaces with tcpdump, just use an interface name of "any" but be careful as that can impact the performance of the firewall.  You could also use cppcap with the "-I (interface)" option that will capture traffic on all interfaces except the named (interface) as opposed to using "-i" for the interface specification.  ethtool was updated in Gaia 3.10.  All this was covered in my 'Max Capture: Know Your Packets" course.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
KlowikiOne
Employee
Employee

I avoid using the any interface, however I do like cppcap option to capture on any interface except flag. 

0 Kudos
the_rock
Legend
Legend

Thats good point, BUT, sometimes, if you dont know what interface to use, you have to use any...

0 Kudos
the_rock
Legend
Legend

Check out site my colleague made while back on capturing with all major vendors, hope it helps you.

Andy

https://tcpdump101.com/#

0 Kudos
KlowikiOne
Employee
Employee

I actually use this site to formulate the command line to use with tcpdump and cppcap.  I find having customers use this is a helpful learning tool.  

0 Kudos
the_rock
Legend
Legend

My colleague made that site in order to actually help anyone struggling with packet captures and debugs...we all been there mate, whether we want to admit ot ir not 😂

0 Kudos
Bob_Zimmerman
Authority
Authority

There's not a good way to. Multiple SSH sessions are basically free, though (no more overhead than a single connection carrying all the same data).

0 Kudos
KlowikiOne
Employee
Employee

I am going to try to use cprid_util to spawn a tcpdump with a flag to close out the capture.  

0 Kudos
HeikoAnkenbrand
Champion Champion
Champion

Very nice solution!

If you add "not port 22", you will no longer see your own ssh packages.

ssh admin@1.1.1.1 "tcpdump -s0 -w - -i eth0 not port 22" | "c:/program files\wireshark\wireshark.exe" -k -i -

➜ CCSM Elite, CCME, CCTE
(2)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events