How to take a capture in pcap/Wireshark format on a Check Point gateway
Let's say you need to view the capture in Wireshark. In that case it needs to be exported, and to export it you first have to write the capture to a file.
Syntax:
tcpdump -nni interface_name host IP_address_here -w/location/name.pcap
[Expert@fw-checkpoint-raj:0]# tcpdump -nni eth2.2 host 10.197.112.5 -w/var/log/raj.pcap
tcpdump: listening on eth2.2, link-type EN10MB (Ethernet), capture size 96 bytes
2 packets captured
4 packets received by filter
0 packets dropped by kernel
[Expert@fw-checkpoint-raj:0]# pwd
/home/_locl
[Expert@fw-checkpoint-raj:0]# cd /var/log
[Expert@fw-checkpoint-raj:0]# pwd
/var/log
[Expert@fw-checkpoint-raj:0]# ls -lr | grep raj
-rw-rw---- 1 admin users 248 Jan 14 09:21 raj.pcap
By default on this gateway the capture size (snapshot length) is 96 bytes, so only the first 96 bytes of each packet are saved and longer packets appear truncated in Wireshark.
If you need to keep more of each packet, specify a larger snapshot length with "-s":
tcpdump -nni eth2.2 host 10.197.112.5 -w/var/log/raj.pcap -s 1024
tcpdump: listening on eth2.2, link-type EN10MB (Ethernet), capture size 1024 bytes
1 packets captured
2 packets received by filter
0 packets dropped by kernel
If you just need to save the capture in your current directory rather than under /var/log, use this command:
tcpdump -nni eth2.2 host 10.97.112.161 -w raj2.pcap -s 1024
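Before copying a file like raj.pcap off the gateway and opening it in Wireshark, it is worth checking that the file is a well-formed pcap, that the snapshot length in its header is what you asked for with -s, and how many packets were cut short by it. The Python snippet below is an added example, not part of the original post or of any Check Point tool: it builds a constructed sample capture in memory (zero-filled frames, not real traffic) and parses the classic libpcap header and records. The function names, the sample frame sizes and the timestamp values are my own assumptions.

```python
import struct
from io import BytesIO

# Classic pcap (libpcap) constants; the magic is written in the writer's byte order.
PCAP_MAGIC_LE = 0xA1B2C3D4   # value seen when a little-endian file is read little-endian
PCAP_MAGIC_BE = 0xD4C3B2A1   # value seen when a big-endian file is read little-endian
LINKTYPE_ETHERNET = 1        # matches "link-type EN10MB (Ethernet)" in tcpdump's banner

def build_sample_pcap(snaplen, packet_lengths):
    """Construct a minimal little-endian pcap file in memory.

    Constructed sample data, not a real gateway capture. Each frame is zero-filled;
    a frame longer than snaplen is stored truncated, as tcpdump does when -s is
    smaller than the frame.
    """
    out = BytesIO()
    out.write(struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for i, orig_len in enumerate(packet_lengths):
        incl_len = min(orig_len, snaplen)
        out.write(struct.pack("<IIII", 1700000000 + i, 0, incl_len, orig_len))  # assumed timestamps
        out.write(b"\x00" * incl_len)
    return out.getvalue()

def inspect_pcap(data):
    """Parse a pcap file's global header and packet records.

    Returns the snapshot length, link type, packet count and how many packets
    were cut short by the snaplen (incl_len < orig_len). Raises ValueError for
    a non-pcap file or a file whose last record is incomplete.
    """
    if len(data) < 24:
        raise ValueError("shorter than a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic 0x%08x); pcapng is not handled" % magic)
    _, vmajor, vminor, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    summary = {
        "version": (vmajor, vminor),
        "snaplen": snaplen,
        "linktype": linktype,
        "packets": 0,
        "truncated_packets": 0,
        "max_frame_len": 0,
    }
    offset = 24
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("record header cut short at byte %d" % offset)
        _ts_sec, _ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        if offset + 16 + incl_len > len(data):
            raise ValueError("packet data cut short at byte %d (capture interrupted?)" % offset)
        summary["packets"] += 1
        summary["max_frame_len"] = max(summary["max_frame_len"], orig_len)
        if incl_len < orig_len:
            summary["truncated_packets"] += 1
        offset += 16 + incl_len
    return summary

def inspect_pcap_file(path):
    """Convenience wrapper for a file on disk, e.g. raj.pcap after copying it off the gateway."""
    with open(path, "rb") as fh:
        return inspect_pcap(fh.read())

if __name__ == "__main__":
    # Constructed sample: a minimum-size frame, a full-size Ethernet frame and a mid-size frame.
    frames = [60, 1514, 200]
    for snap in (96, 1024, 65535):
        report = inspect_pcap(build_sample_pcap(snap, frames))
        print("snaplen %5d: %d packets, %d truncated, largest frame %d bytes"
              % (snap, report["packets"], report["truncated_packets"], report["max_frame_len"]))
```

With the 96-byte default two of the three sample frames are truncated; with -s 1024 only the full-size frame is, and with -s 65535 none are. Run inspect_pcap_file() on the real file to get the same report, and treat a ValueError as a sign the capture was interrupted or the file is not the format you expected.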
How to delete your saved capture file?
Go to the location where your capture is saved and verify your current location with the "pwd" command.
Then make sure your capture file is there:
ls -lr | grep raj2.pcap
If your file is listed, remove it with the "rm raj2.pcap" command.