
Cppcap - A Check Point Traffic Capture Tool

This document describes cppcap, a traffic capture tool from Check Point that provides outputs similar to TCPdump but with less impact on CPU usage. Cppcap is included with Check Point products starting from R80.40. For older versions, an RPM package must be installed. Cppcap can capture traffic from specific interfaces, VSIDs, or using filters. It provides command line options to filter traffic and configure output file settings. Examples are given for capturing traffic on a security gateway and VSX.

Uploaded by

Heera Singh

2/11/24, 9:51 PM cppcap - A Check Point Traffic Capture Tool


Solution ID: sk141412 Technical Level: Advanced


cppcap - A Check Point Traffic Capture Tool


Product: Quantum Security Gateways, VSX
Version: R77.30 (EOL), R80.10 (EOL), R80.20 (EOL), R80.20SP (EOL), R80.30 (EOL), R80.30SP (EOL), R80.40, R81, R81.10, R81.20
OS: Gaia
Last Modified: 2023-09-18

Symptoms
Running TCPDUMP causes a significant increase in CPU usage and, as a result, impacts the
performance of the device.
High CPU usage occurs even when filtering by a specific interface or port.

Cause
TCPDUMP is a Linux tool which at times is not suitable for use with Gaia. Its design might
increase CPU usage.

Solution
Check Point created a new tool that better fits Gaia OS: CPPCAP.
The tool is included in R80.40 and higher versions.
CPPCAP is a traffic capture tool that provides the most relevant outputs and is similar to
TCPdump.

https://support.checkpoint.com/results/sk/sk141412 1/5

The tool is adapted to the Gaia operating system, yet requires installation of an applicable RPM.
Notes:

CPPCAP is supported only on 64 bit OS.


CPPCAP also captures accelerated traffic.

Downloads:

Version               CPUSE Identifier / File Name                      Link
R80.40                The tool is built-in.                             N/A
R80.30 kernel 3.10    Check_point_R80.30_3.10_cp_pcap_sk141412.rpm      (RPM)
R80.30SP kernel 3.10  Check_point_R80.30SP_cp_pcap_sk141412.rpm         (RPM)
R80.30 kernel 2.6     Check_point_R80.30_cp_pcap_sk141412.rpm           (RPM)
R80.20SP              Check_point_R80.20SP_cp_pcap_sk141412.rpm         (RPM)
R80.20                Check_point_R80.20_cp_pcap_sk141412.rpm           (RPM)
R80.10                Check_point_R80.10_cp_pcap_sk141412.rpm           (RPM)
R77.30                Check_point_R77.30_cp_pcap_sk141412.rpm           (RPM)
R76SP.50              Check_point_R76SP.50_cp_pcap_sk141412.rpm         (RPM)

Installation instructions:

1. Transfer the RPM package to the machine.

2. Install the RPM using the following command:


rpm -ivh --force --nodeps <RPM_FILE>
/etc/init.d/start_cppcap start

To uninstall the RPM:

/etc/init.d/start_cppcap stop
rpm -e cp_pcap

Note: Installation has no impact on performance, and does not require a reboot.

On Scalable Platforms:

Propagate the RPM to all appliances/blades in the setup (asg_cp2blades)


Install the RPM in all appliances (g_all <cmd>)
Note: cppcap does not support g_* notation, therefore, you need to move to the relevant
SGM module and run cppcap from it.
Instructions for running the CPPCAP tool:

To show all available options of the CPPCAP tool run:

[Expert@admin]# cppcap -h

Flag          Description
-v <VSID>     capture only from specific VSID
-V <VSID>     capture for all except VSID
-i <DEVICE>   capture only from specific DEVICE
-I <DEVICE>   capture for all except DEVICE
-d <DIR>      capture specific direction ('in' for inbound, 'out' for outbound)
-f "EXPR"     filter specific expression, for syntax, see pcap-filter(7)
              Note: Surround the expression with quotes.
-o <FILE>     save capture to a FILE
-c <NUM>      capture up to NUM bytes of frame (default 96, '0' for any size)
-p <NUM>      capture NUM frames before stopping
-b <NUM>      capture NUM bytes before stopping
-w <FMT>      file size limit with rotation followed by 'K'ilo, 'M'ega or 'G'iga. Default is bytes
-W <NUM>      use up to NUM files with rotation (use with '-w')
-D            verbose datalink layer
-N            verbose network layer
-T            verbose transport layer
-Q            omit time from output

To get all verbose information, add "-DNT" to the syntax. To filter out a specific interface or VS,
use the capital-letter flags (-I, -V).


Example of syntax usage for Security Gateway:


[Expert@GW:0]# cppcap -f "arp and host XXX.XXX.XXX.XXX" -DNT -o /var/log/capture.pcap

Example of syntax usage for VSX, capturing traffic from VS 3:

[Expert@GW:0]# cppcap -f "icmp and host XXX.XXX.XXX.XXX" -v 3 -DNT -o /var/log/capture.pcap
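
Neither example above passes -c, so each saved frame is cut to the default 96 bytes. The following added example (not part of the Check Point article) checks a saved capture for truncated frames before it is relied on for analysis; it assumes the file written by -o is in classic libpcap format, and the function names and sample bytes are constructed for illustration.

```python
import struct

# Classic libpcap magic numbers as they appear on disk -> struct byte-order prefix.
ENDIAN = {
    b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",  # usec / nsec, little-endian
    b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">",  # usec / nsec, big-endian
}

def audit_pcap(data: bytes) -> dict:
    """Report the snap length and how many frames were cut short.

    Assumption: the file written by `cppcap -o` is a classic libpcap file.
    """
    if len(data) < 24 or data[:4] not in ENDIAN:
        raise ValueError("not a classic libpcap file")
    order = ENDIAN[data[:4]]
    snaplen, _linktype = struct.unpack(order + "II", data[16:24])
    frames = truncated = bytes_lost = 0
    offset = 24
    while offset + 16 <= len(data):
        # Per-record header: ts_sec, ts_frac, captured length, length on the wire.
        _sec, _frac, incl_len, orig_len = struct.unpack(
            order + "IIII", data[offset:offset + 16])
        offset += 16 + incl_len
        if offset > len(data):
            raise ValueError("last record is incomplete (capture cut off mid-write)")
        frames += 1
        if incl_len < orig_len:
            truncated += 1
            bytes_lost += orig_len - incl_len
    return {"snaplen": snaplen, "frames": frames,
            "truncated": truncated, "bytes_lost": bytes_lost}

def build_sample(snaplen: int = 96, frame_sizes=(60, 1514, 342)) -> bytes:
    """Constructed sample capture (zero-filled frames), not real cppcap output."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, size in enumerate(frame_sizes):
        kept = min(size, snaplen)
        out += struct.pack("<IIII", 1700000000 + i, 0, kept, size) + bytes(kept)
    return out

if __name__ == "__main__":
    # Default snap length of 96 bytes (no -c given) versus a full-frame capture.
    print(audit_pcap(build_sample(snaplen=96)))
    print(audit_pcap(build_sample(snaplen=65535)))
```

If frames are reported as truncated and the payload is needed, repeat the capture with -c 0 (or a larger -c value) and bound disk usage with -w and -W.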

Important notes:

The tool provides output for ARP, IPv4/IPv6, TCP and UDP traffic. Dynamic routing information will
not show all verbose information.

Example Output

cppcap -f "arp and host 172.30.1.3"

Article Properties
Access Level: Advanced
Date Created: 2018-11-29
Last Modified: 2023-09-18
