
Sunday, January 13, 2019

How to take the capture in pcap/Wireshark format in Checkpoint?


Let's say you need to view the capture in Wireshark. In that case it has to be exported from the firewall, and before it can be exported it has to be saved to a file with "-w".
 
Syntax:
tcpdump -nni interface_name host IP_address_here -w /location/name.pcap
 
[Expert@fw-checkpoint-raj:0]# tcpdump -nni eth2.2 host 10.197.112.5 -w/var/log/raj.pcap
tcpdump: listening on eth2.2, link-type EN10MB (Ethernet), capture size 96 bytes
2 packets captured
4 packets received by filter
0 packets dropped by kernel
[Expert@fw-checkpoint-raj:0]# pwd
/home/_locl
[Expert@fw-checkpoint-raj:0]# cd /var/log
[Expert@fw-checkpoint-raj:0]# pwd
/var/log

[Expert@fw-checkpoint-raj:0]# ls -lr | grep raj
-rw-rw----  1 admin users        248 Jan 14 09:21 raj.pcap 



By default the capture size (snapshot length) is 96 bytes, so only the first 96 bytes of each packet are saved.

If you need more of each packet, set a larger capture size with "-s":

 tcpdump -nni eth2.2 host 10.197.112.5 -w/var/log/raj.pcap -s 1024
tcpdump: listening on eth2.2, link-type EN10MB (Ethernet), capture size 1024 bytes
1 packets captured
2 packets received by filter
0 packets dropped by kernel
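A 96-byte snapshot keeps only the first 96 bytes of every packet, so a file saved with the default size opens in Wireshark with most payloads cut off. As an added check (example code, not from the original post), this Python reads the classic pcap header that "tcpdump -w" writes, reports the snaplen, and counts records whose captured length is shorter than the on-wire length; the embedded bytes are a constructed stand-in for /var/log/raj.pcap, and pcapng files are not handled.

```python
import struct

# Byte layout of the classic (libpcap) file format that "tcpdump -w" produces:
# a 24-byte global header, then per packet a 16-byte record header + data.
GLOBAL_HDR = "IHHiIII"   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"      # ts_sec, ts_frac, incl_len (captured), orig_len (on the wire)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",   # little-endian, usec / nsec
    b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">",   # big-endian, usec / nsec
}

# Constructed sample standing in for /var/log/raj.pcap: snaplen 96, Ethernet,
# one 398-byte frame cut to 96 bytes and one 60-byte frame captured whole.
SAMPLE_PCAP = (
    struct.pack("<" + GLOBAL_HDR, 0xA1B2C3D4, 2, 4, 0, 0, 96, 1)
    + struct.pack("<" + RECORD_HDR, 1547448415, 227674, 96, 398) + b"\x00" * 96
    + struct.pack("<" + RECORD_HDR, 1547448415, 474618, 60, 60) + b"\x00" * 60
)

def inspect_pcap(data: bytes) -> dict:
    """Return snaplen/linktype and count records whose incl_len < orig_len."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    e = MAGICS[data[:4]]
    _, _, _, _, _, snaplen, linktype = struct.unpack(e + GLOBAL_HDR, data[:24])
    off, packets, truncated = 24, 0, 0
    while off + 16 <= len(data):
        _, _, incl, orig = struct.unpack(e + RECORD_HDR, data[off:off + 16])
        if incl > snaplen or off + 16 + incl > len(data):
            break            # corrupt or partially written record: stop here
        packets += 1
        truncated += int(incl < orig)
        off += 16 + incl
    return {"snaplen": snaplen, "linktype": linktype,
            "packets": packets, "truncated": truncated}

if __name__ == "__main__":
    import sys
    # Pass a real file saved with "tcpdump -w" as the first argument; the
    # constructed sample is inspected when no argument is given.
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    print(inspect_pcap(src))
```

A non-zero "truncated" count means the capture should be repeated with a larger "-s" before the payload is analysed.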



If you just need to save the capture in the current directory rather than under /var/log, use this command:

tcpdump -nni eth2.2 host 10.97.112.161 -w raj2.pcap -s 1024

How to delete your saved capture file?
Go to the directory where your capture was saved and verify your current location with the "pwd" command.

Then make sure your capture file is there:
ls -lr | grep raj2.pcap


If your file is listed there, remove it with the "rm raj2.pcap" command.

 

How to apply packet capture in Checkpoint?


How to apply packet capture in Checkpoint? / How to apply tcpdump in a Checkpoint firewall?

For those of you who have been working on Cisco ASA, packet capture has been an awesome feature so far, and you really wish it were available in every firewall.

Well, it gets much easier with Checkpoint!!

Really?

Let's see then.....

Like on the ASA, the first thing we need to know is on which interface we need the packet capture.

How do you figure this out?

Well, we will take the capture either on the "ingress" interface or on the "egress" interface; the choice is yours and depends on your troubleshooting approach.

So let's say I want to see whether the packets are reaching my firewall at all. In that case I will take a capture/tcpdump on the "ingress" interface. To determine your ingress interface you need to check the routing table for the source IP.

Example:

Source IP: 10.197.112.5
Destination IP: 18.197.74.74

Check the route for 10.197.112.5:

fw-checkpoint-raj> show route destination 10.197.112.5
Codes: C - Connected, S - Static, R - RIP, B - BGP,
       O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
       A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed,
       U - Unreachable, i - Inactive

C         10.197.112.0/24      is directly connected, eth2.2
                                  Inside_Lan

Now we know that this network is behind eth2.2, so we can apply tcpdump on eth2.2.


In order to collect a packet capture/tcpdump you will need to be in "Expert" mode.

fw-checkpoint-raj>expert
Enter expert password: type your expert password here



[Expert@fw-checkpoint-raj:0]#

tcpdump -nni <interface name> host <source/destination ip>


[Expert@fw-checkpoint-raj:0]# tcpdump -nni eth2.2 host 10.197.112.5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2.2, link-type EN10MB (Ethernet), capture size 96 bytes
04:46:55.227674 IP 10.197.112.5.59422 > 18.197.74.74.443: P 2148513804:2148514202(398) ack 708108218 win 254
04:46:55.260477 IP 18.197.74.74.443 > 10.197.112.5.59422: P 1:498(497) ack 398 win 979
04:46:55.474618 IP 10.197.112.5.59422 > 18.197.74.74.443: . ack 498 win 252

Once you hit enter after typing the tcpdump command, the firewall starts printing any traffic on that interface that matches the filter.

If you know the exact source and destination IPs, you can apply a more specific capture/tcpdump.

Capture traffic between two exact IPs:
=========================================================
[Expert@fw-checkpoint-raj:0]# tcpdump -nni eth2.2 host 10.197.112.5 and host 18.197.74.74
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2.2, link-type EN10MB (Ethernet), capture size 96 bytes
04:56:39.575612 IP 10.197.112.5.59422 > 18.197.74.74.443: P 2148545757:2148546155(398) ack 708114785 win 252
04:56:39.609196 IP 18.197.74.74.443 > 10.197.112.5.59422: P 1:498(497) ack 398 win 979
04:56:39.822522 IP 10.197.112.5.59422 > 18.197.74.74.443: . ack 498 win 256

3 packets captured
6 packets received by filter
0 packets dropped by kernel
========================================================


You can also capture traffic between two IPs by specifying who is source and who is destination:
========================================================
[Expert@fw-checkpoint-raj:0]# tcpdump -nni eth2.2 src 10.197.112.5 and dst 18.197.74.74
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2.2, link-type EN10MB (Ethernet), capture size 96 bytes
04:58:26.653461 IP 10.197.112.5.59422 > 18.197.74.74.443: P 2148546553:2148546953(400) ack 708115779 win 254
04:58:26.900437 IP 10.197.112.5.59422 > 18.197.74.74.443: . ack 498 win 252

2 packets captured
4 packets received by filter
0 packets dropped by kernel


Reversing the source and destination, just to show you the difference:

[Expert@fw-checkpoint-raj:0]# tcpdump -nni eth2.2 src 18.197.74.74 and dst 10.197.112.5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2.2, link-type EN10MB (Ethernet), capture size 96 bytes
04:59:18.728787 IP 18.197.74.74.443 > 10.197.112.5.59422: P 708116276:708116773(497) ack 2148547353 win 979
05:00:12.766360 IP 18.197.74.74.443 > 10.197.112.5.59422: P 497:994(497) ack 401 win 979
05:01:07.810321 IP 18.197.74.74.443 > 10.197.112.5.59422: P 994:1491(497) ack 801 win 979
05:01:16.766112 IP 18.197.74.74.443 > 10.197.112.5.59422: P 1491:1750(259) ack 1065 win 979
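To make the difference between "host", "src" and "dst" concrete, here is an added Python example (not from the original post) that parses the "tcpdump -nn" text lines printed above into fields and re-applies the three filter forms used in the post to them. The sample input reuses the three lines of the first capture plus one constructed line from another inside host (10.197.112.9); only the filter primitives shown on this page are supported.

```python
import re
from typing import Dict, List, Optional

# Regex for one "tcpdump -nn" text line as printed in the post (this older
# tcpdump shows TCP flags as "P" for PSH or "." for none; newer builds print "[P.]").
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<flags>\S+)"
    r"(?: \d+:\d+\((?P<plen>\d+)\))?"
)

# Sample input: the three lines of the post's first capture plus one
# constructed line from another inside host (10.197.112.9) and a summary line.
SAMPLE_LINES = [
    "04:46:55.227674 IP 10.197.112.5.59422 > 18.197.74.74.443: P 2148513804:2148514202(398) ack 708108218 win 254",
    "04:46:55.260477 IP 18.197.74.74.443 > 10.197.112.5.59422: P 1:498(497) ack 398 win 979",
    "04:46:55.474618 IP 10.197.112.5.59422 > 18.197.74.74.443: . ack 498 win 252",
    "04:46:56.001122 IP 10.197.112.9.51000 > 18.197.74.74.443: . ack 1 win 100",
    "4 packets captured",
]

def parse_line(line: str) -> Optional[Dict]:
    """Split one output line into fields; None for non-packet lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": m["ts"], "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "flags": m["flags"],
            "payload": int(m["plen"] or 0)}   # 0 for a pure ACK

def matches(pkt: Dict, expr: str) -> bool:
    """Evaluate the subset of BPF filter syntax used in the post:
    'host', 'src' and 'dst' primitives joined by 'and'."""
    for term in expr.split(" and "):
        kind, ip = term.split()
        if kind == "host":
            ok = ip in (pkt["src"], pkt["dst"])   # either direction
        elif kind in ("src", "dst"):
            ok = pkt[kind] == ip                  # one direction only
        else:
            raise ValueError(f"unsupported primitive: {kind}")
        if not ok:
            return False
    return True

def apply_filter(lines: List[str], expr: str) -> List[Dict]:
    """Return the parsed packets that the given filter would have kept."""
    return [p for p in map(parse_line, lines) if p and matches(p, expr)]
```

Running "src 18.197.74.74 and dst 10.197.112.5" against the sample keeps only the server-to-client line, which is the same asymmetry the last two captures above show.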