cppcap: alternative for tcpdump

Check Point released a new tool called CPPCAP as an alternative for the well known Linux tool tcpdump. In sk141412 they explain that tcpdump causes a significant increase in CPU usage which will impact performance of the device.

Therefore Check Point created CPPCAP that integrates better with their Gaia OS. CPPCAP is released as a RPM package (at this moment) for the following versions:

  • R76SP.50
  • R77.30
  • R80.10
  • R80.20

CPPCAP will not run on 32-bit Gaia OS. You must enable 64-bit kernel to be able to use it.

SecureXL does not need to be turned off before using CPPCAP as stated here on Check Mates.

To show all available options of the CPPCAP tool run:

[Expert@admin]# cppcap -h 

 -vV VSID                   lowercase to capture only from specific VSID, uppercase for all exec pt VSID
 -iI DEVIC E lowercase to capture only from specific DEVICE, uppercase for all execpt DEVICE         
 -d DIR capture specific direction (‘in’ for inbound, ‘out’ for outbound)
 -f “EXPR” filter specific expression, for syntax, see pcap-filter(7)
 -o FILE save capture to a FILE
 -c NUM capture up to NUM bytes of frame (default 96, ‘0’ for any size)
 -p NUM capture NUM frames before stopping
 -b NUM capture NUM bytes before stopping
 -D verbose datalink layer
 -N verbose network layer
 -T verbose transport layer
 -Q omit time from output

For examples of filters you can read the pcap-filter manpage here.

Links to the RPM packages of CPPCAP can be found in sk141412.

Your comments

  • 7

You may also like...