I suppose you could take the older tcpdump binary from a R80.20 system and copy it over to a Gaia 3.10 system and try to run it, but that is unlikely to work and most definitely not supported.By Date By Thread Re: How to use specific protocol filters in pcap However be sure to read my stern warning in the presentation about how fw monitor -F can blast you with an unfiltered capture if you make a mistake with your filter, so double-check your filtering syntax and always use the -ci and/or -co options to automatically limit the number of packets captured by fw monitor -F just in case you do make a mistake. You'll need to set up Wireshark to display this properly as described here: sk39510: How to configure Wireshark to display Check Point FireWall chains in an FW Monitor packet.
It would be a very interesting feature if cppcap had an option to output its captures in pcapng format (which would include interface name information embedded in the capture) instead of standard pcap format, so I'm going to tag cppcap's author also got a shout out in my 2021 CPX presentation.Īs a workaround you could use fw monitor -F, which can capture accelerated traffic and has the interface name information along with capture points embedded in its capture file output in the "snoop" file format, which does support including the interface name. So without the -P hack you are basically stuck, and cannot see interface information in Wireshark with pcap captures generated by cppcap/tcpdump. pcapng (which is still experimental) will address this by including interface name information right in the capture file. Using the hacked-in -P option embedded the interface name into the pcap file in what I assume is an unsupported way, as seen in your screenshot. If a pcap file created by tcpdump/cppcap is replayed on a different system or viewed in Wireshark, the interface name information is not supported by the pcap format at all, and is simply not available. If doing a live capture or a replay with version 4.9.9, tcpdump can only display the interface information because it is looking at the live interface configuration of the system it is running on, and can calculate the interface name for display. You can't see the interface name in Wireshark because it is not embedded in the pcap file in the first place. I need something like this (captured with "tcpdump -Penni any" on R80.20)Īny ideas to get interfaces in text output with tcpdump and also in capture file (for wireshark) back? With cppcap you can get it in text output but not in capture/wireshark. I used "-Q inout" but I didn't get the interfaces.
0 kommentar(er)
