How to apply packet capture in Checkpoint?
If you have worked on a Cisco ASA you know how useful its packet capture is, and you probably wish every firewall had one.
Well, on Checkpoint it gets even easier, because the firewall ships with plain tcpdump!
Really?
Let's see then.....
As on ASA, the first thing to decide is "on which interface" we need the packet capture.
How do you figure this out?
We capture on either the "ingress" interface or the "egress" interface; which one you pick depends on your troubleshooting approach.
So let's say I want to see whether the packets are reaching my firewall at all. In that case I take a capture on the "ingress" interface. To find the ingress interface, look at the routing table: the interface the firewall uses to reach the source address is the interface on which that source's packets arrive (assuming routing is symmetric).
Example:
Source IP: 10.197.112.5
Destination IP: 18.197.74.74
Check the route for the source IP 10.197.112.5:
fw-checkpoint-raj> show route destination 10.197.112.5
Codes: C - Connected, S - Static, R - RIP, B - BGP,
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed,
U - Unreachable, i - Inactive
C 10.197.112.0/24 is directly connected, eth2.2
Inside_Lan
Now we know that this network sits behind eth2.2, so eth2.2 is where we apply tcpdump.
To run tcpdump you need to be in "Expert" mode:
fw-checkpoint-raj>expert
Enter expert password: type your expert password here
[Expert@fw-checkpoint-raj:0]#
The basic syntax is tcpdump -nni <interface name> host <source or destination ip>, where -nn disables host and port name resolution (so the capture does not stall on DNS lookups) and -i names the interface.
[Expert@fw-checkpoint-raj:0]# tcpdump -nni eth2.2 host 10.197.112.5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2.2, link-type EN10MB (Ethernet), capture size 96 bytes
04:46:55.227674 IP 10.197.112.5.59422 > 18.197.74.74.443: P 2148513804:2148514202(398) ack 708108218 win 254
04:46:55.260477 IP 18.197.74.74.443 > 10.197.112.5.59422: P 1:498(497) ack 398 win 979
04:46:55.474618 IP 10.197.112.5.59422 > 18.197.74.74.443: . ack 498 win 252
As soon as you hit Enter, the firewall starts printing every packet on that interface that matches the filter; press Ctrl+C to stop. Note the "capture size 96 bytes" in the banner: by default only the first 96 bytes of each packet are kept, which covers the headers but not the payload. Add -s 0 to keep whole packets, and -w <file>.pcap to save the capture for Wireshark instead of printing it to the terminal. Also keep in mind that tcpdump shows what the interface sees, not what the security policy did with the packet: a packet that shows up on eth2.2 but never appears in a capture on the egress interface was dropped inside the firewall, and the firewall log is where to look for the reason.
If you know the exact source and destination IPs, you can make the filter more specific.
Capture traffic between two exact IPs:
=========================================================
[Expert@fw-checkpoint-raj:0]# tcpdump -nni eth2.2 host 10.197.112.5 and host 18.197.74.74
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2.2, link-type EN10MB (Ethernet), capture size 96 bytes
04:56:39.575612 IP 10.197.112.5.59422 > 18.197.74.74.443: P 2148545757:2148546155(398) ack 708114785 win 252
04:56:39.609196 IP 18.197.74.74.443 > 10.197.112.5.59422: P 1:498(497) ack 398 win 979
04:56:39.822522 IP 10.197.112.5.59422 > 18.197.74.74.443: . ack 498 win 256
3 packets captured
6 packets received by filter
0 packets dropped by kernel
========================================================
You can also restrict the capture to one direction of the conversation by specifying which IP is the source and which is the destination:
========================================================
[Expert@fw-checkpoint-raj:0]# tcpdump -nni eth2.2 src 10.197.112.5 and dst 18.197.74.74
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2.2, link-type EN10MB (Ethernet), capture size 96 bytes
04:58:26.653461 IP 10.197.112.5.59422 > 18.197.74.74.443: P 2148546553:2148546953(400) ack 708115779 win 254
04:58:26.900437 IP 10.197.112.5.59422 > 18.197.74.74.443: . ack 498 win 252
2 packets captured
4 packets received by filter
0 packets dropped by kernel
Reversing the source and destination shows the other half of the conversation, the server's replies. Compare the two one-way captures with the "host ... and host ..." capture above, which shows both directions:
[Expert@fw-checkpoint-raj:0]# tcpdump -nni eth2.2 src 18.197.74.74 and dst 10.197.112.5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2.2, link-type EN10MB (Ethernet), capture size 96 bytes
04:59:18.728787 IP 18.197.74.74.443 > 10.197.112.5.59422: P 708116276:708116773(497) ack 2148547353 win 979
05:00:12.766360 IP 18.197.74.74.443 > 10.197.112.5.59422: P 497:994(497) ack 401 win 979
05:01:07.810321 IP 18.197.74.74.443 > 10.197.112.5.59422: P 994:1491(497) ack 801 win 979
05:01:16.766112 IP 18.197.74.74.443 > 10.197.112.5.59422: P 1491:1750(259) ack 1065 win 979
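As an added example that is not part of the original post, here is a small shell helper around the tcpdump workflow described above. It builds the two-way ("host A and host B") and one-way ("src A and dst B") filters, composes a tcpdump command line with full snaplen, a packet limit and a pcap output file, and tallies packets and TCP payload bytes per direction from tcpdump's text output, using the first capture on this page as constructed sample input. The interface and addresses are the ones from the post; the output path /tmp/capture.pcap, the packet limit and the RUN_CAPTURE switch are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post: helpers around the tcpdump
# workflow shown above. Assumptions: POSIX sh and awk (both present in Expert
# mode); the interface and addresses are the post's; tcpdump is only executed
# when RUN_CAPTURE=1, so the script runs safely off-box.

# Build the BPF filter. "both" matches either direction of the conversation
# (host A and host B); "oneway" matches only packets from A to B (src A and dst B).
bpf_filter() {
    mode=$1; a=$2; b=$3
    case "$mode" in
        both)   printf 'host %s and host %s' "$a" "$b" ;;
        oneway) printf 'src %s and dst %s' "$a" "$b" ;;
        *)      echo "bpf_filter: unknown mode '$mode'" >&2; return 1 ;;
    esac
}

# Compose the full tcpdump command. Compared with the bare command in the post:
#   -s 0   keep whole packets instead of the default 96-byte snaplen, which
#          truncates anything past the TCP header;
#   -c N   stop after N packets so a busy interface cannot fill the disk;
#   -w F   write a pcap for Wireshark instead of printing to the terminal.
build_capture_cmd() {
    iface=$1; filter=$2; count=${3:-1000}; out=${4:-/tmp/capture.pcap}
    printf 'tcpdump -nni %s -s 0 -c %s -w %s %s' "$iface" "$count" "$out" "$filter"
}

# Constructed sample input: the three lines of the first capture in the post.
sample_capture() {
    cat <<'EOF'
04:46:55.227674 IP 10.197.112.5.59422 > 18.197.74.74.443: P 2148513804:2148514202(398) ack 708108218 win 254
04:46:55.260477 IP 18.197.74.74.443 > 10.197.112.5.59422: P 1:498(497) ack 398 win 979
04:46:55.474618 IP 10.197.112.5.59422 > 18.197.74.74.443: . ack 498 win 252
EOF
}

# Tally tcpdump text output (stdin) per direction: packet count and TCP payload
# bytes, taken from the "(len)" suffix of the sequence-number field. A direction
# that is missing from the summary is the quick tell that traffic is one-way.
summarize_capture() {
    awk '
    $2 == "IP" {
        src = $3; dst = $5; sub(/:$/, "", dst)
        key = src " > " dst
        pkts[key]++
        bytes[key] += 0
        for (i = 6; i <= NF; i++)
            if (match($i, /\([0-9]+\)$/))
                bytes[key] += substr($i, RSTART + 1, RLENGTH - 2)
    }
    END { for (k in pkts) printf "%s pkts=%d bytes=%d\n", k, pkts[k], bytes[k] }
    ' | sort
}

# Stand-alone run: print the command you would type on the firewall, run it only
# if RUN_CAPTURE=1 (needs Expert/root), then summarize the sample capture.
main() {
    filter=$(bpf_filter both 10.197.112.5 18.197.74.74)
    cmd=$(build_capture_cmd eth2.2 "$filter" 200 /tmp/eth2.2.pcap)
    echo "$cmd"
    if [ "${RUN_CAPTURE:-0}" = 1 ]; then
        sh -c "$cmd"
    fi
    sample_capture | summarize_capture
}
main "$@"
```

Run it off-box to see the command line and the per-direction summary of the sample; on the firewall, RUN_CAPTURE=1 ./capture_helper.sh actually takes the capture into the pcap, and piping a live text capture (tcpdump without -w) into summarize_capture gives the same two-line summary for real traffic.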
It's a very good article 👍
Can you please confirm how to check policy, bidirectional and unidirectional?