Multi-blade Traffic Capture (tcpdump -mcap, tcpdump -view)

Description

Use this command in Gaia gClish to see TCP/IP and other packets sent and received by all Security Group Members. (gClish is the global command line shell of the Check Point Gaia operating system for Security Appliances connected to Check Point Quantum Maestro Orchestrators; commands you run in this shell apply to all Security Appliances in the Security Group. A Security Group is a logical group of Security Appliances that provides Active/Active cluster functionality and appears to the production networks as a single Security Gateway.)

This release includes these Security Group-specific enhancements to the standard tcpdump utility:

  • tcpdump -mcap - Gets packets from specified Security Group Members and saves them to a capture file.

  • tcpdump -view - Shows packets in the specified capture file, including the Security Group Member ID for each captured packet.

Note - Use the "g_tcpdump" command in the Expert mode.

Syntax

> tcpdump [-b <SGM_IDs>] -mcap -w <capture_path> [<tcpdump_ops>]

> tcpdump -view -r <capture_path> [<tcpdump_ops>]

Note - To stop the capture and save the data to the capture file, press CTRL+C at the prompt.

Parameters

Parameter

Description

-b <SGM_IDs>

Applies to Security Group Members as specified by <SGM_IDs>.

<SGM_IDs> can be:

  • No <SGM_IDs> specified, or all - Applies to all Security Group Members and Sites

  • One Security Group Member (for example, 1_1)

  • A comma-separated list of Security Group Members (for example, 1_1,1_4)

  • A range of Security Group Members (for example, 1_1-1_4)

  • In Dual Site, one Site (chassis1, or chassis2)

  • In Dual Site, the Active Site (chassis_active)

-w <capture_path>

Saves the merged capture to the specified full file path.

In addition to the merged capture file, a separate capture file is created for each Security Group Member in the same directory, suffixed with that member's Security Group Member ID.

-r <capture_path>

Reads the specified traffic capture file.

Shows regular tcpdump output, with each line prefixed by the ID of the Security Group Member that processed the packet.

<tcpdump_ops>

Standard tcpdump parameters (see the tcpdump manual page).

Below are some examples:
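As an added example that is not part of the Check Point documentation, the following shell functions validate a <SGM_IDs> value against the forms listed under -b above and compose the -mcap and -view command lines; the wrapper, its function names and the TCPDUMP_BIN variable are assumptions of this example, not part of the product.

```shell
#!/bin/sh
# Added example, not Check Point code. Builds the Security Group capture
# commands documented on this page. Assumption: TCPDUMP_BIN is "tcpdump"
# in gClish and should be set to "g_tcpdump" in the Expert mode.
TCPDUMP_BIN=${TCPDUMP_BIN:-tcpdump}

# validate_sgm_ids SPEC -> 0 if SPEC is a documented form, 1 otherwise.
# Documented forms: empty or "all", one member (1_1), a comma-separated
# list (1_1,1_4), a range (1_1-1_4), one Site (chassis1/chassis2) or the
# Active Site (chassis_active).
validate_sgm_ids() {
  case "$1" in
    ''|all|chassis1|chassis2|chassis_active) return 0 ;;
  esac
  # Member IDs are <site>_<member>, digits only (assumed from the examples).
  printf '%s' "$1" | grep -Eq '^[0-9]+_[0-9]+(,[0-9]+_[0-9]+)*$' && return 0
  printf '%s' "$1" | grep -Eq '^[0-9]+_[0-9]+-[0-9]+_[0-9]+$' && return 0
  return 1
}

# build_mcap_cmd SPEC CAPTURE_PATH [tcpdump_ops...] -> prints the capture command.
# "-b" is omitted for an empty SPEC or "all", which already means every member.
build_mcap_cmd() {
  spec=$1; path=$2; shift 2
  validate_sgm_ids "$spec" || { echo "unsupported SGM_IDs: $spec" >&2; return 1; }
  cmd=$TCPDUMP_BIN
  [ -n "$spec" ] && [ "$spec" != all ] && cmd="$cmd -b $spec"
  cmd="$cmd -mcap -w $path"
  [ $# -gt 0 ] && cmd="$cmd $*"
  printf '%s\n' "$cmd"
}

# build_view_cmd CAPTURE_PATH [tcpdump_ops...] -> prints the read-back command,
# whose output carries the processing member's ID on every line.
build_view_cmd() {
  path=$1; shift
  cmd="$TCPDUMP_BIN -view -r $path"
  [ $# -gt 0 ] && cmd="$cmd $*"
  printf '%s\n' "$cmd"
}
```

Run the printed capture command at the gClish prompt and stop it with CTRL+C; the per-member files land next to the merged file with the member ID as suffix.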