Multi-blade Traffic Capture (tcpdump -mcap, tcpdump -view)
Description
Use this command in Gaia gClish to see TCP/IP and other packets sent and received by all Security
Appliances in the Security Group.
This release includes these Security Group-specific enhancements to the standard tcpdump utility:
• tcpdump -mcap - Gets packets from specified Security Appliances and saves them to a capture file.
• tcpdump -view - Shows packets in the specified capture file, including the Security Appliance ID from the captured packet.
Syntax
> tcpdump [-b <SGM_IDs>] -mcap -w <capture_path> [<tcpdump_ops>]
> tcpdump -view -r <capture_path> [<tcpdump_ops>]
Note - To stop the capture and save the data to the capture file, press CTRL+C at the prompt.
Parameters
Parameter            Description
-b <SGM_IDs>         Applies to Security Appliances as specified by <SGM_IDs>.
                     <SGM_IDs> can be:
                     • No <SGM_IDs> specified, or all - Applies to all Security Appliances and Chassis
                     • One Security Appliance (for example, 1_1)
                     • A comma-separated list of Security Appliances (for example, 1_1,1_4)
                     • A range of Security Appliances (for example, 1_1-1_4)
                     • One Chassis (chassis1, or chassis2)
                     • The active Chassis (chassis_active)
-w <capture_path>    Saves the capture to the specified full file path.
                     In addition to the merged capture file, a capture file for each Security Appliance is created in the same directory, suffixed by its Security Appliance ID.
-r <capture_path>    Reads the specified traffic capture file.
                     Shows regular tcpdump output, prefixed by the ID of the processing Security Appliance.
<tcpdump_ops>        Standard tcpdump parameters (see the tcpdump manual page).
Check Point Maestro R80.20SP Administration Guide | 93
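The -b selector forms and the -mcap syntax above, as an added example that is not from the Check Point guide: a Python helper that an automation script could use to validate an operator-supplied <SGM_IDs> value and capture path before assembling the gClish command, emitting ranges as an explicit comma-separated list. The function names, the limit to chassis numbers 1 and 2, the same-chassis rule for ranges, the path character set and the sample path are assumptions.

```python
import re

# Selector keywords listed in the parameter table.
KEYWORDS = {"all", "chassis1", "chassis2", "chassis_active"}
# One Security Appliance ID such as 1_1. Assumption: chassis 1 or 2, member 1-99.
SGM_ID = re.compile(r"([12])_([1-9]\d?)")
# Assumption: capture paths are absolute and use a conservative character set.
SAFE_PATH = re.compile(r"/[A-Za-z0-9._/-]+")


def expand_sgm_ids(selector):
    """Validate a -b selector; return keywords as-is and ranges as explicit IDs."""
    if selector in KEYWORDS:
        return [selector]
    ids = []
    for item in selector.split(","):
        first, sep, last = item.partition("-")
        lo = SGM_ID.fullmatch(first)
        hi = SGM_ID.fullmatch(last) if sep else lo
        if not lo or not hi:
            raise ValueError(f"bad Security Appliance ID in {item!r}")
        # Assumption: a range stays inside one chassis and runs low to high.
        if lo.group(1) != hi.group(1) or int(lo.group(2)) > int(hi.group(2)):
            raise ValueError(f"bad range {item!r}")
        for member in range(int(lo.group(2)), int(hi.group(2)) + 1):
            sgm = f"{lo.group(1)}_{member}"
            if sgm not in ids:
                ids.append(sgm)
    return ids


def build_mcap_command(capture_path, selector=None):
    """Return the gClish command line for a multi-blade capture."""
    if not SAFE_PATH.fullmatch(capture_path) or ".." in capture_path.split("/"):
        raise ValueError(f"unsafe capture path {capture_path!r}")
    parts = ["tcpdump"]
    if selector is not None:  # no -b means all Security Appliances
        parts += ["-b", ",".join(expand_sgm_ids(selector))]
    return " ".join(parts + ["-mcap", "-w", capture_path])


if __name__ == "__main__":
    # Constructed inputs: one valid request, then selectors that must be refused.
    print(build_mcap_command("/var/log/mcap/web.cap", "1_1,1_3-1_4"))
    for bad in ("1_1;reboot", "1_4-1_1", "1_1-2_2", "3_1"):
        try:
            expand_sgm_ids(bad)
        except ValueError as err:
            print("rejected:", err)
```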