CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: tcpdump not matching what my sniffer sees

  1. #1
    Join Date
    2009-05-13
    Posts
    17
    Rep Power
    0

    Default tcpdump not matching what my sniffer sees

    I'm troubleshooting a problem with DiffServ packets getting stripped. I have a sniffer on my external switch, and mirrored my firewall port over to the sniffer. The sniffer sees that the DiffServ field is blank.

    But when I do a tcpdump on that same external interface, and use wireshark to look at the packets, I see the DiffServ info is there.

    I was assuming Check Point is stripping DiffServ, but tcpdump seems to disagree.

    Is tcpdump captured after all processing? Is it essentially what gets put on the wire?

    Or is there a chance the firewall modifies the packet after tcpdump captured it?

    Thanks

  2. #2
    Join Date
    2009-07-20
    Posts
    227
    Rep Power
    11

    Default re: tcpdump not matching what my sniffer sees

    What I understand is: traffic is moving towards outside from the inside/DMZ zone, and you can see DiffServ in the tcpdump but not on the mirrored port?

    Basically the FW service runs after tcpdump (when traffic goes from inside to outside). What I suggest is: run tcpdump on the inside interface and then on the external interface, so that we can confirm whether CP is stripping it.

    inside<->(tcpdump)<->FW SERVICE<->(tcpdump)<->outside

    Regards,

    Manu B.
    http://manuadoor.blogspot.com
    Last edited by manuadoor; 2010-08-05 at 10:16.

  3. #3
    Join Date
    2009-05-13
    Posts
    17
    Rep Power
    0

    Default re: tcpdump not matching what my sniffer sees

    Thanks Manu, that was a good tip.

    Watching it from the outside interface confirms that the packets look correct.

    So it must be my Cisco switch modifying the QoS packets. I'll start looking there.

    Thanks again..
    TL

  4. #4
    Join Date
    2009-07-20
    Posts
    227
    Rep Power
    11

    Default Re: tcpdump not matching what my sniffer sees

    Quote Originally Posted by tlmedia
    Thanks Manu, that was a good tip.

    Watching it from the outside interface confirms that the packets look correct.

    So it must be my Cisco switch modifying the QoS packets. I'll start looking there.

    Thanks again..
    TL
    :) Happy to know that Check Point is on the safer side. Once you've resolved it, let me know what the issue was... :P
    Last edited by manuadoor; 2010-08-08 at 03:11.

  5. #5
    Join Date
    2008-12-18
    Location
    Norway
    Posts
    97
    Rep Power
    11

    Default Re: tcpdump not matching what my sniffer sees

    Quote Originally Posted by tlmedia

    Is tcpdump captured after all processing? Is it essentially what gets put on the wire?

    Or is there a chance the firewall modifies the packet after tcpdump captured it?
    tcpdump on the firewall may not show all packets if the software accelerator (SecureXL) is on, since it shortcuts around parts of the IP stack.
    If you turn off SecureXL, it should show everything going to or coming from the network driver.
    Thus on incoming traffic you should see things before the firewall processes them.

    Control SecureXL:

    fwaccel off
    fwaccel on
    fwaccel stat

    Safe to use in production unless the load is already high on the machine.

    - Petter

  6. #6
    Join Date
    2006-05-20
    Posts
    52
    Rep Power
    14

    Default Re: tcpdump not matching what my sniffer sees

    Quote Originally Posted by tlmedia
    So it must be my Cisco switch modifying the QoS packets. I'll start looking there.
    What model is the switch? I believe the higher-end/newer Cisco switches will discard DSCP unless you tell them to trust it. I don't know this with certainty, but if you're still experimenting with this, it might be worth adding:
    Code:
    mls qos
    int Gi1/0/1
     mls qos trust dscp
    where Gi1/0/1 is the interface that the firewall is connected to. Without this, I believe an L3-capable switch will discard the DSCP values.

    Or, if you'd rather, you can use 'mls qos trust cos' to trust the 802.1p values, which the switch will map to new DSCP values.

    My confidence on this is at about 45%, so I'd love to hear what you find out.

  7. #7
    Join Date
    2011-06-10
    Posts
    3
    Rep Power
    0

    Default Re: tcpdump not matching what my sniffer sees

    Quote Originally Posted by fdamstra
    I believe an L3-capable switch will discard the DSCP values.

    Or, if you'd rather, you can use 'mls qos trust cos' to trust the 802.1p values, which the switch will map to new DSCP values.

    My confidence on this is at about 45%, so I'd love to hear what you find out.
    Yep, it will probably discard the DSCP (DiffServ) values if you don't trust it. CoS is only applicable if it's a trunk (layer 2); ToS is layer 3, and I assume you saw ToS values in the IP header when you used tcpdump.

    /P

    Edit: tcpdump -v -n -i interface ip and ip[1]!=0
    Last edited by PeterN; 2011-09-26 at 06:16.
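Manu's two-point capture suggestion (post #2) and Peter's `ip[1]!=0` filter (post #7) both rest on the same fact: byte 1 of the IPv4 header is the DS field, DSCP in its top six bits and ECN in the low two. The Python below is an added example, not from this thread, Check Point or Cisco: it decodes that byte from raw packets, reproduces the BPF filter in Python, and diffs an inside-interface capture against an external-mirror capture to list flows whose DSCP was cleared in between. The packet bytes, addresses and IP IDs are constructed sample data, the payload is omitted and the header checksum is left at zero.

```python
import struct
from typing import Dict, List, Tuple

IPV4_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header layout

def build_ipv4(src: str, dst: str, ident: int, dscp: int, ecn: int = 0) -> bytes:
    """Constructed sample packet: minimal IPv4 header, no payload, checksum left 0."""
    tos = (dscp << 2) | ecn                       # DS field: DSCP in top 6 bits, ECN in low 2
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack(IPV4_HDR, 0x45, tos, 20, ident, 0, 64, 6, 0, src_b, dst_b)

def parse_ipv4_header(pkt: bytes) -> Dict[str, object]:
    """Decode the IPv4 header; byte 1 is what tcpdump addresses as ip[1]."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    _, tos, _, ident, _, _, _, _, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    return {"dscp": tos >> 2, "ecn": tos & 0x03, "id": ident,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}

def tos_filter(pkt: bytes) -> bool:
    """Python equivalent of the BPF filter 'ip and ip[1]!=0' (any DSCP or ECN bit set)."""
    return len(pkt) >= 20 and pkt[0] >> 4 == 4 and pkt[1] != 0

def dscp_changes(inside: List[bytes], outside: List[bytes]) -> List[Tuple[str, str, int, int, int]]:
    """Pair the same packet seen at both capture points by (src, dst, IP id) and
    report (src, dst, id, dscp_inside, dscp_outside) wherever the DSCP differs."""
    key = lambda h: (h["src"], h["dst"], h["id"])
    inside_dscp = {key(h): h["dscp"] for h in map(parse_ipv4_header, inside)}
    changes = []
    for h in map(parse_ipv4_header, outside):
        before = inside_dscp.get(key(h))
        if before is not None and before != h["dscp"]:
            changes.append((h["src"], h["dst"], h["id"], before, h["dscp"]))
    return changes

# Constructed captures: an EF-marked (DSCP 46) packet and a best-effort packet leave the
# inside interface; on the mirrored external switch port the EF marking has been cleared.
INSIDE_CAPTURE = [build_ipv4("10.0.0.5", "198.51.100.7", 1, 46),
                  build_ipv4("10.0.0.5", "198.51.100.7", 2, 0)]
MIRROR_CAPTURE = [build_ipv4("10.0.0.5", "198.51.100.7", 1, 0),
                  build_ipv4("10.0.0.5", "198.51.100.7", 2, 0)]

if __name__ == "__main__":
    print("packets passing 'ip[1]!=0' on inside:", sum(map(tos_filter, INSIDE_CAPTURE)))
    for src, dst, ident, before, after in dscp_changes(INSIDE_CAPTURE, MIRROR_CAPTURE):
        print(f"{src} -> {dst} id={ident}: DSCP {before} inside, {after} on mirror")
```

Feeding real captures from the two points through `dscp_changes` (after reading them with any pcap library) shows which hop between the capture points rewrote the marking, which is exactly the comparison Manu proposed.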
