cppcap

Description

The CPPCAP (Check Point PCAP) is a traffic capture tool that provides the most relevant outputs and is similar to the Linux tool TCPdump.

Check Point created this tool to resolve various issues in the Linux tool TCPdump that significantly increased CPU load on Check Point Security Gateways.

Notes:

  • The CPPCAP tool also captures traffic that is accelerated in SecureXL.

  • For more information, see sk141412.

  • Also, refer to fw monitor.

Important:

  • You must run this command in the Expert mode.

  • On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

  • On Scalable Platforms, this command does not support the "g_all" command (nor the "g_cppcap" command).

    You must move to the context of each relevant Security Group Member and run the "cppcap" command.

Syntax

cppcap -h

cppcap

      -b <Limit of Bytes>

      -c {0 | <Limit of Bytes in Frame>}

      -d {in | out}

      -D

      -f "<Filter>"

      {-i <Interface> | -I <Interface>}

      -N

      -o <Output File> [-w <Limit of File Size>[{K|M|G}] [-W <Limit of Files>]]

      -p <Limit of Frames>

      -P

      -Q

      -T

      {-v <VSID to Include> | -V <VSID to Exclude>}

Parameters

You can specify several parameters.

Parameter

Description

-h

Shows the built-in help.

-b <Limit of Bytes>

Specifies the maximum number of bytes to capture before the tool stops.

-c {0 | <Limit of Bytes in Frame>}

Specifies the maximum number of bytes to capture in each frame.

Default: 96.

To remove the limit, enter the value 0 (zero).
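With the default "-c 96", only the first 96 bytes of each frame reach the output file, so higher-layer payload beyond that is missing when the capture is analyzed later. The following added example (not part of this page or of the cppcap tool itself) reads a libpcap file's global header and per-frame headers to report the snaplen and how many frames were cut short; it assumes cppcap writes standard libpcap format and builds a constructed sample capture in memory.

```python
import struct

# libpcap magic numbers (microsecond and nanosecond timestamp variants)
PCAP_MAGIC_USEC = 0xA1B2C3D4
PCAP_MAGIC_NSEC = 0xA1B23C4D


def build_pcap(frames, snaplen=96):
    """Build a constructed little-endian libpcap file in memory, truncating every
    frame to snaplen the way a capture tool run with "-c <snaplen>" does."""
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype (1 = Ethernet)
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, 1)
    for ts, frame in enumerate(frames):
        captured = frame[:snaplen]
        # per-frame header: ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on wire)
        out += struct.pack("<IIII", ts, 0, len(captured), len(frame)) + captured
    return out


def inspect_pcap(data):
    """Return (snaplen, total_frames, truncated_frames) for a libpcap byte string.
    A frame is truncated when fewer bytes were saved than were on the wire."""
    if struct.unpack_from("<I", data, 0)[0] in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian = "<"
    elif struct.unpack_from(">I", data, 0)[0] in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    snaplen = struct.unpack_from(endian + "I", data, 16)[0]
    offset, total, truncated = 24, 0, 0
    while offset + 16 <= len(data):
        incl_len, orig_len = struct.unpack_from(endian + "II", data, offset + 8)
        total += 1
        if incl_len < orig_len:
            truncated += 1
        offset += 16 + incl_len
    return snaplen, total, truncated


if __name__ == "__main__":
    # constructed sample: a 60-byte frame (fits in 96) and a 500-byte frame (does not)
    sample = build_pcap([b"A" * 60, b"B" * 500])
    snaplen, total, truncated = inspect_pcap(sample)
    print(f"snaplen={snaplen} frames={total} truncated={truncated}")
```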

-D

Captures verbose data for the Datalink Layer (Layer 2).

  • This parameter applies only if you do not use the parameter "-o" and show the captured traffic on the screen.

  • This parameter does not support dynamic routing protocols.

-d {in | out}

Captures traffic only in the specified direction:

  • in - Only inbound

  • out - Only outbound

By default, this tool captures traffic in both directions of the connection.

-f "<Filter>"

Specifies the filter expression for traffic capture.

See pcap-filter(7).

-i <Interface>

Captures traffic only in the specified interface.

This parameter is mutually exclusive with the parameter "-I <Interface>".

-I <Interface>

Captures traffic only in all interfaces, except the specified interface.

This parameter is mutually exclusive with the parameter "-i <Interface>".

-N

Captures verbose data for the Network Layer (Layer 3).

  • This parameter applies only if you do not use the parameter "-o" and show the captured traffic on the screen.

  • This parameter does not support dynamic routing protocols.

-o <Output File> [-w <Limit of File Size>[{K|M|G}] [-W <Limit of Files>]]

Specifies the path and the name of the output file.

  • If you do not specify this file, the tool shows the captured traffic on the screen.

  • To control the rotation of output files, use the parameters "-w <Limit of File Size>[{K|M|G}]" and "-W <Limit of Files>".

-P

Captures verbose processor ID.

-p <Limit of Frames>

Specifies the maximum number of frames to capture before the tool stops.

-Q

Removes the timestamp from the traffic capture.

This parameter applies only if you do not use the parameter "-o" and show the captured traffic on the screen.

-T

Captures verbose data for the Transport Layer (Layer 4).

  • This parameter applies only if you do not use the parameter "-o" and show the captured traffic on the screen.

  • This parameter does not support dynamic routing protocols.

-v <VSID to Include>

In the VSNext mode / Traditional VSX mode, captures traffic only in the specified Virtual Gateway / Virtual System.

This parameter is mutually exclusive with the parameter "-V <VSID to Exclude>".

-V <VSID to Exclude>

In the VSNext mode / Traditional VSX mode, captures traffic in all Virtual Gateways / Virtual Systems, except the specified Virtual Gateway / Virtual System.

This parameter is mutually exclusive with the parameter "-v <VSID to Include>".

-w <Limit of File Size>

-w <Limit of File Size>K

-w <Limit of File Size>M

-w <Limit of File Size>G

Specifies the maximum size of the output file before the tool rotates this file.

You can use this parameter "-w" only together with the parameter "-o <Output File>".

  • -w <Limit of File Size>

    Specifies the maximum size in bytes (this is the default).

  • -w <Limit of File Size>K

    Specifies the maximum size in kilobytes.

  • -w <Limit of File Size>M

    Specifies the maximum size in megabytes.

  • -w <Limit of File Size>G

    Specifies the maximum size in gigabytes.

-W <Limit of Files>

Specifies the maximum number of rotated output files.

You can use this parameter "-W" only together with the parameters "-o <Output File> -w <Limit of File Size>[{K|M|G}]".

Examples

  • Example 1 - Capture ARP and traffic with a specific host 192.168.3.57:

    cppcap -i eth0 -f "arp and host 192.168.3.57" -o /var/log/capture.pcap

  • Example 2 - Capture traffic with a specific host 192.168.3.57 - exclude SSH:

    cppcap -i eth0 -f "host 192.168.3.57 and not tcp port 22"

  • Example 3 - Capture ICMP with a specific host 192.168.3.57 - only in Virtual System 3:

    cppcap -i eth0 -f "icmp and host 192.168.3.57" -v 3 -o /var/log/capture.pcap

  • Example 4 - Capture traffic with a specific host 192.168.3.57 - save traffic in a maximum of 10 rotated output files, each file has a maximum size of 1 gigabyte:

    cppcap -i eth0 -f "host 192.168.3.57" -W 10 -w 1G -o /var/log/capture.pcap