cppcap: alternative for tcpdump
Check Point released a new tool called CPPCAP as an alternative to the well-known Linux tool tcpdump. In sk141412 they explain that tcpdump causes a significant increase in CPU usage, which impacts the performance of the device.
Therefore Check Point created CPPCAP, which integrates better with their Gaia OS. CPPCAP is released as an RPM package (at the time of writing) for the following versions:
- R76SP.50
- R77.30
- R80.10
- R80.20
CPPCAP will not run on a 32-bit Gaia OS; you must enable the 64-bit kernel to be able to use it.
SecureXL does not need to be turned off before using CPPCAP, as stated on Check Mates.
To show all available options of the CPPCAP tool run:
[Expert@admin]# cppcap -h
| Flag | Explanation |
| --- | --- |
| -v/-V VSID | lowercase captures only from the specified VSID, uppercase captures from all VSIDs except that one |
| -i/-I DEVICE | lowercase captures only from the specified DEVICE, uppercase captures from all devices except that one |
| -d DIR | capture a specific direction ('in' for inbound, 'out' for outbound) |
| -f "EXPR" | filter on an expression; for the syntax, see pcap-filter(7) |
| -o FILE | save the capture to FILE |
| -c NUM | capture up to NUM bytes of each frame (default 96, '0' for any size) |
| -p NUM | capture NUM frames before stopping |
| -b NUM | capture NUM bytes before stopping |
| -D | verbose datalink layer |
| -N | verbose network layer |
| -T | verbose transport layer |
| -Q | omit the time from the output |
For examples of filters, see the pcap-filter(7) manpage.
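As an added example (not from Check Point or the post above), the following POSIX shell function assembles a CPPCAP command line from the flags in the table, validating the direction and frame count and choosing the lowercase "only" or uppercase "except" form of the VSID and interface flags. It only prints the command, so it can be reviewed off-box before being pasted into expert mode; the VSID, interface, filter and output path are constructed sample values.

```shell
#!/bin/sh
# build_cppcap_cmd MODE VSID IFACE DIR "FILTER" OUTFILE FRAMES
#   MODE: only   -> -v VSID -i IFACE  (capture only that VSID / interface)
#         except -> -V VSID -I IFACE  (capture everything except them)
# Prints the cppcap invocation, or returns 1 on an invalid argument.
build_cppcap_cmd() {
    mode=$1 vsid=$2 iface=$3 dir=$4 expr=$5 out=$6 frames=$7

    case "$mode" in
        only)   vflag=-v; iflag=-i ;;
        except) vflag=-V; iflag=-I ;;
        *) echo "mode must be 'only' or 'except', got: $mode" >&2; return 1 ;;
    esac
    case "$dir" in
        in|out) ;;
        *) echo "direction must be 'in' or 'out', got: $dir" >&2; return 1 ;;
    esac
    case "$frames" in
        ''|*[!0-9]*) echo "frame count must be a number, got: $frames" >&2; return 1 ;;
    esac

    # -c 0 lifts the 96-byte default snaplen so full frames land in the file;
    # -p bounds the run so a forgotten capture cannot fill the disk.
    printf 'cppcap %s %s %s %s -d %s -f "%s" -c 0 -p %s -o %s\n' \
        "$vflag" "$vsid" "$iflag" "$iface" "$dir" "$expr" "$frames" "$out"
}

# Constructed sample: inbound HTTPS on eth0 in VSID 0, stop after 1000 frames.
build_cppcap_cmd only 0 eth0 in "tcp port 443" /var/log/cap.pcap 1000
```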
Links to the RPM packages of CPPCAP can be found in sk141412.