{"id":1122,"date":"2019-03-19T16:12:11","date_gmt":"2019-03-19T16:12:11","guid":{"rendered":"http:\/\/www.ankenbrand24.de\/?page_id=1122"},"modified":"2019-03-19T16:12:11","modified_gmt":"2019-03-19T16:12:11","slug":"tcpdump-vs-cppcap","status":"publish","type":"page","link":"https:\/\/www.ankenbrand24.de\/index.php\/articles\/check-point-articel\/performance-tuning\/tcpdump-vs-cppcap\/","title":{"rendered":"TCPDUMP vs. CPPCAP"},"content":{"rendered":"\n
\n\n\n\n

R80.x Performance Tuning and Debug \u2013 TCPDUMP vs. CPPCAP<\/span><\/h2>\n\n\n\n
\n\n\n\n\n\n\n
What is CPPCAP?<\/span><\/th>\n<\/tr>\n<\/thead>\n<\/table>\n

\"\"
TCPDUMP is a Linux tool which at times is not suitable for use with Gaia. Running TCPDUMP causes a significant increase in CPU usage and as a result impact the performance of the device. Even while filtering by specific interface or port still high CPU occurs. Check Point created a tool which works better with Gaia OS.<\/p>\n\n\n\n
CPPCAP<\/span><\/th>\n<\/tr>\n<\/thead>\n<\/table>\n

Tip 1<\/strong><\/span><\/p>\n

“CPPCAP” is a traffic capture tool which provides the most relevant outputs and is similar to Tcpdump. The tool is adjusted to Gaia operating system yet requires installation of an applicable RPM.<\/p>\n

The good news! SecureXL can be enabled<\/strong><\/span> or disabled to capture with CPPCAP.<\/span><\/p>\n

You can download this tool for R77.30, R80.10 and R80.20. Get more details here: sk141412<\/a><\/p>\n

Instal and use:<\/p>\n

    \n
  1. Download the RPM package (sk141412<\/a>) and transfer the RPM package with winscp to appliance or open server.<\/li>\n
  2. Install the RPM using the following command:
    #<\/em> rpm -ivh –force –nodeps<\/strong> <RPM_FILE><\/em>
    #<\/em> \/etc\/init.d\/start_cppcap start<\/strong><\/li>\n
  3. Start cppcap to sniffing packages (for example on interface eth0 with parameter “N”):
    <\/em>
    On internal Interface (example “ping 8.8.8.8” from client IP 10.1.2.1 to server IP 8.8.8.8)<\/strong>:
    #<\/em> cppcap -i eth0 -N<\/span> |grep ICMP<\/strong><\/li>\n<\/ol>\n

    \"\"<\/strong><\/p>\n

    On external Interface<\/strong>:<\/em><\/p>\n

    # cppcap -i eth2 -N<\/span> |grep ICMP<\/strong><\/p>\n

    \"\"<\/p>\n

    Notes:<\/strong><\/p>\n

    – To have all verbos information add “-DNT” to the syntax to filter out specific interface or VS by using capital letters.
    – It will provide outputs on ARP IPV4\/IPV6, TCP and UDP traffic. Dynamic routing information will not show all verbose information.<\/p>\n

    Tip 2
    <\/strong><\/span><\/p>\n

    In and out (see red marked point in picture):<\/p>\n

    In<\/strong><\/span> – Is the incoming packet on the firewall on the inbound interface from the point of view of the first packet. It is simalary to fw monitor inspection point “i<\/strong>” client to server packet.<\/p>\n

    Out<\/strong> <\/span> – Is the outgoing packet on the firewall on the inbound interface from the point of view of the first packet. It is simalary to fw monitor inspection point “O<\/strong>” server to client packet.<\/p>\n

    On the outgoing interface (see blue marked point in picture), the view is exactly inverse.<\/p>\n

    Tip 3
    <\/strong><\/span><\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
    Flag<\/strong><\/td>\nExplanation<\/strong><\/td>\n<\/tr>\n
    -vV VSID<\/td>\nlowercase to capture only from specific VSID, uppercase for all exec pt VSID<\/td>\n<\/tr>\n
    -iI DEVICE<\/td>\nlowercase to capture only from specific DEVICE, uppercase for all execpt DEVICE<\/td>\n<\/tr>\n
    -d DIR<\/td>\ncapture specific direction (‘in’ for inbound, ‘out’ for outbound)<\/td>\n<\/tr>\n
    -f “EXPR”<\/td>\nfilter specific expression, for syntax, see pcap-filter(7)<\/td>\n<\/tr>\n
    -o FILE<\/td>\nsave capture to a FILE<\/td>\n<\/tr>\n
    -c NUM<\/td>\ncapture up to NUM bytes of frame (default 96, ‘0’ for any size)<\/td>\n<\/tr>\n
    -p NUM<\/td>\ncapture NUM frames before stopping<\/td>\n<\/tr>\n
    -b NUM<\/td>\ncapture NUM bytes before stopping<\/td>\n<\/tr>\n
    -D<\/td>\nverbose datalink layer<\/td>\n<\/tr>\n
    -N<\/td>\nverbose network layer<\/td>\n<\/tr>\n
    -T<\/td>\nverbose transport layer<\/td>\n<\/tr>\n
    -Q<\/td>\nomit time from output<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

    Copyright by Heiko Ankenbrand 1994-2019<\/p>\n","protected":false},"excerpt":{"rendered":"

    R80.x Performance Tuning and Debug \u2013 TCPDUMP vs. CPPCAP What is CPPCAP? TCPDUMP is a Linux tool which at times is not suitable for use with Gaia. Running TCPDUMP causes a significant increase in CPU usage and as a result impact the performance of the device. Even while filtering by specific interface or port still<\/p>\n

    Read More \u2192<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"parent":1068,"menu_order":5,"comment_status":"closed","ping_status":"closed","template":"","meta":[],"_links":{"self":[{"href":"https:\/\/www.ankenbrand24.de\/index.php\/wp-json\/wp\/v2\/pages\/1122"}],"collection":[{"href":"https:\/\/www.ankenbrand24.de\/index.php\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.ankenbrand24.de\/index.php\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.ankenbrand24.de\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ankenbrand24.de\/index.php\/wp-json\/wp\/v2\/comments?post=1122"}],"version-history":[{"count":1,"href":"https:\/\/www.ankenbrand24.de\/index.php\/wp-json\/wp\/v2\/pages\/1122\/revisions"}],"predecessor-version":[{"id":1123,"href":"https:\/\/www.ankenbrand24.de\/index.php\/wp-json\/wp\/v2\/pages\/1122\/revisions\/1123"}],"up":[{"embeddable":true,"href":"https:\/\/www.ankenbrand24.de\/index.php\/wp-json\/wp\/v2\/pages\/1068"}],"wp:attachment":[{"href":"https:\/\/www.ankenbrand24.de\/index.php\/wp-json\/wp\/v2\/media?parent=1122"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}