Multi-blade Traffic Capture (tcpdump)

Description

Use the "tcpdump" commands in Gaia gClishClosed The name of the global command line shell in Check Point Gaia operating system for Security Appliances connected to Check Point Quantum Maestro Orchestrators. Commands you run in this shell apply to all Security Appliances in the Security Group. to capture and show traffic that is sent and received by Security GroupClosed A logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. Every Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected. Members in the Security Group.

These commands are enhancements to the standard tcpdump utility:

Command

Description

tcpdump -mcap

Saves packets from specified Security Group Members to a capture file.

tcpdump -view

Shows packets from the specified capture file, including the Security Group Member ID.

Note - Use the "g_tcpdump" command in the Expert mode.

Syntax

tcpdump [-b <SGM IDs>] -mcap -w <Output File> [<tcpdump Options>]

tcpdump -view -r <Input File> [<tcpdump Options>]

Note - To stop the capture and save the data to the capture file, press CTRL+C at the prompt.

Parameters

Parameter

Description

-b <SGM IDs>

Applies to Security Group Members as specified by the <SGM IDs>.

<SGM IDs> can be:

  • No <SGM IDs> specified, or all

    Applies to all Security Group Members and all Maestro Sites

  • One Security Group Member (for example, 1_1)

  • A comma-separated list of Security Group Members (for example, 1_1,1_4)

  • A range of Security Group Members (for example, 1_1-1_4)

  • In Dual Site, one Maestro Site (chassis1, or chassis2)

  • In Dual Site, the Active Maestro Site (chassis_active)

-w <Output File>

Saves the captured packets at the specified path in a file with the specified the name.

This output file contains captured packets from all specified Security Group Members.

In the same directory, the command saves additional output files for each Security Group Member.

The names of these additional files are: <SGM ID>_<Specified Name of Output File>

Example:

  • The specified full path is:

    /tmp/capture.cap

  • The additional capture files are:

    /tmp/1_1_capture.cap

    /tmp/1_2_capture.cap

    /tmp/1_3_capture.cap

    and so on

-r <Input File>

Reads the captured packets (in the tcpdump format) from the specified path from a file with the specified the name.

<tcpdump Options>

Standard tcpdump parameters.

See the tcpdump manual page - https://linux.die.net/man/8/tcpdump.

Examples

[Expert@MyChassis-ch0x-0x:0]# gclish

[Global] MyChassis-ch01-01 > tcpdump -mcap -w /tmp/capture.cap

Capturing packets...

Write "stop" and press enter to stop the packets capture process.

1_01:

tcpdump: listening on eth1-Mgmt4, link-type EN10MB (Ethernet), capture size 96 bytes

 

Clarification about this output:
At this moment, an administrator pressed the CTRL+C keys

 

stop

Received user request to stop the packets capture process.

 

Copying captured packets from all SGMs...

Merging captured packets from SGMs to /tmp/capture.cap...

Done.

[Global] MyChassis-ch01-01>

[Expert@MyChassis-ch0x-0x:0]# gclish

[Global] MyChassis-ch01-01 > tcpdump -b 1_1,1_3,2_1 -mcap -w /tmp/capture.cap -nnni eth1-Mgmt4

... ...

[Global] MyChassis-ch01-01 >

[Expert@MyChassis-ch0x-0x:0]# gclish

[Global] MyChassis-ch01-01> tcpdump -view -r /tmp/capture.cap

Reading from file /tmp/capture.cap, link-type EN10MB (Ethernet)

[1_3] 14:11:57.971587 IP 0.0.0.0.cp-cluster > 172.16.6.0.cp-cluster: UDP, length 45

[2_3] 14:12:07.625171 IP 0.0.0.0.cp-cluster > 172.16.6.0.cp-cluster: UDP, length 45

[2_3] 14:12:09.974195 IP 0.0.0.0.cp-cluster > 172.16.6.0.cp-cluster: UDP, length 37

[2_1] 14:12:09.989745 IP 0.0.0.0.cp-cluster > 172.16.6.0.cp-cluster: UDP, length 45

[2_3] 14:12:10.022995 IP 0.0.0.0.cp-cluster > 172.23.9.0.cp-cluster: UDP, length 32

... ...

[Global] MyChassis-ch01-01>