CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: cpview to find out the source and destination that uses the most BW

  1. #1
    Join Date
    2006-09-26
    Posts
    3,190
    Rep Power
    16

    Default cpview to find out the source and destination that uses the most BW

    Below is my cpview output. I can see 772Mbps, but I would like to find out the source and destination IPs that use the most BW. Where do I find that in cpview? I looked under network --> protocols and connections but found nothing. Where do I find that in cpview?

    |---------------------------------------------------------------------------------------------------------------------|
    | CPVIEW.Overview 24Sep2018 13:46:37 |
    |---------------------------------------------------------------------------------------------------------------------|
    | Overview SysInfo Network CPU Software-blades Advanced |
    |---------------------------------------------------------------------------------------------------------------------|
    | CPU: |
    | |
    | Num of CPUs: 8 |
    | |
    | CPU Used |
    | 0 51% |
    | 4 2% |
    | 1 1% |
    | ------------------------------------------------------------------------------------------------------------------- |
    | Memory: |
    | |
    | Total MB Used MB Free MB |
    | Physical 32,044 9,624 22,420 |
    | FW Kernel 23,937 1,130 22,807 |
    | Swap 33,549 0 33,549 |
    | ------------------------------------------------------------------------------------------------------------------- |
    | Network: |
    | |
    | Bits/sec 772M |
    | Packets/sec 91,702 |
    | Connections/sec 59 |
    | Concurrent connections 4,548 |
    | ------------------------------------------------------------------------------------------------------------------- |
    | Disk space (top 3 used partitions): |
    | |
    | Partition Total MB Used MB Free MB |
    | /boot 288 155 118 |
    | / 251,983 14,212 224,970 |
    | /var/log 297,580 3,019 279,200 |
    | ------------------------------------------------------------------------------------------------------------------- |
    | Events: |
    | |
    | # of monitored daemons crashes since last cpstart 0 |
    | |
    |---------------------------------------------------------------------------------------------------------------------|

  2. #2
    Join Date
    2008-07-31
    Location
    Netherlands, Europe
    Posts
    1,146
    Rep Power
    12

    Default Re: cpview to find out the source and destination that uses the most BW

    Network -> Top-Connections?
    Regards, Maarten.
    Triple MDS on R77.30, MDS on R80.10, VSX, GAIA.

  3. #3
    Join Date
    2006-09-26
    Posts
    3,190
    Rep Power
    16

    Default Re: cpview to find out the source and destination that uses the most BW

    Quote Originally Posted by msjouw View Post
    Network -> Top-Connections?
    I already tried that before asking the forum :-(. I know a source and destination that uses 700Mbps, out of the 772Mbps shown in cpview but it does not show up in top connections :-(

  4. #4
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,248
    Rep Power
    14

    Default Re: cpview to find out the source and destination that uses the most BW

    Quote Originally Posted by cciesec2006 View Post
    I already tried that before asking the forum :-(. I know a source and destination that uses 700Mbps, out of the 772Mbps shown in cpview but it does not show up in top connections :-(
    Sounds like you may have an elephant flow, check out sk122013 (Handling heavy connections in CoreXL) for an alternative way to identify what it is via the "Advanced...CoreXL...Instances" screen of cpview.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  5. #5
    Join Date
    2006-09-26
    Posts
    3,190
    Rep Power
    16

    Default Re: cpview to find out the source and destination that uses the most BW

    Quote Originally Posted by ShadowPeak.com View Post
    Sounds like you may have an elephant flow, check out sk122013 (Handling heavy connections in CoreXL) for an alternative way to identify what it is via the "Advanced...CoreXL...Instances" screen of cpview.
    How is the sk122013 going to help me? I am only looking for the connections that use the most BW, not fixing it. Is it possible with cpview?

  6. #6
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,248
    Rep Power
    14

    Default Re: cpview to find out the source and destination that uses the most BW

    Quote Originally Posted by cciesec2006 View Post
    How is the sk122013 going to help me? I am only looking for the connections that use the most BW, not fixing it. Is it possible with cpview?
    If you notice a particular Firewall Worker (kernel instance) is overloaded this sk shows you how to identify the connection attributes of the elephant flow causing it.

  7. #7
    Join Date
    2006-09-26
    Posts
    3,190
    Rep Power
    16

    Default Re: cpview to find out the source and destination that uses the most BW

    Quote Originally Posted by ShadowPeak.com View Post
    If you notice a particular Firewall Worker (kernel instance) is overloaded this sk shows you how to identify the connection attributes of the elephant flow causing it.
    I still do not understand what you're trying to get at. Let me explain again.

    I have sqlnet connection between host 1.1.1.1/24 and host 2.2.2.2/24. It consumes about 800Mbps.

    When I run cpview to check for top protocols or top connections, I am NOT seeing this connection. How do I go about seeing this connection as the one eating the most BW?

    The sk you provided, I've read it multiple times and it does NOT show me how to go about finding out what I am looking for.

  8. #8
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,248
    Rep Power
    14

    Default Re: cpview to find out the source and destination that uses the most BW

    Quote Originally Posted by cciesec2006 View Post
    sqlnet connection
    Are you sure this is a single connection and not lots of little ones? Top Connections only shows the top individual connections that consume the most bandwidth, it does not show a summary of which pairs of IP addresses are exchanging the most traffic between them. If you want that kind of info try the "Top Talkers" script here:

    https://dkcheckpoint.blogspot.com/20...rs-script.html

    Note that SecureXL does need to be enabled for this script to work.

  9. #9
    Join Date
    2006-09-26
    Posts
    3,190
    Rep Power
    16

    Default Re: cpview to find out the source and destination that uses the most BW

    Quote Originally Posted by ShadowPeak.com View Post
    Are you sure this is a single connection and not lots of little ones? Top Connections only shows the top individual connections that consume the most bandwidth, it does not show a summary of which pairs of IP addresses are exchanging the most traffic between them. If you want that kind of info try the "Top Talkers" script here:

    https://dkcheckpoint.blogspot.com/20...rs-script.html

    Note that SecureXL does need to be enabled for this script to work.
    Yes, I am 100% positive. I confirmed it with tcpdump, only a single connection, TWICE.

    If I disable SecureXL, it will make the problem worse, right? I don't think I want to do that in my production environment.

    In other words, cpview is broken, can't even perform a simple task :-(

  10. #10
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,248
    Rep Power
    14

    Default Re: cpview to find out the source and destination that uses the most BW

    Quote Originally Posted by cciesec2006 View Post
    Yes, I am 100% positive. I confirmed it with tcpdump, only a single connection, TWICE.

    If I disable SecureXL, it will make the problem worse, right? I don't think I want to do that in my production environment.

    In other words, cpview is broken, can't even perform a simple task :-(
    Please read my last post again concerning SecureXL.

  11. #11
    Join Date
    2006-09-26
    Posts
    3,190
    Rep Power
    16

    Default Re: cpview to find out the source and destination that uses the most BW

    Quote Originally Posted by ShadowPeak.com View Post
    Please read my last post again concerning SecureXL.
    Sorry, it's been a long day.

    I looked at the script and I know the author of the script. He used to work for Nokia TAC in Ottawa :-)

    How is the script going to help me here? It says nothing about the connections that eat up the most BW.

  12. #12
    Join Date
    2010-07-16
    Posts
    14
    Rep Power
    0

    Default Re: cpview to find out the source and destination that uses the most BW

    Quote Originally Posted by cciesec2006 View Post
    Sorry, it's been a long day.

    I looked at the script and I know the author of the script. He used to work for Nokia TAC in Ottawa :-)

    How is the script going to help me here? It says nothing about the connections that eat up the most BW.
    "1. Display the top 50 Source/Destination combos"
    "4. Display the top 50 Sources"
    "5. Display the top 50 Destinations"

    These should help in the "find top BW usage" search?

  13. #13
    Join Date
    2014-10-03
    Posts
    13
    Rep Power
    0

    Default Re: cpview to find out the source and destination that uses the most BW

    Quote Originally Posted by mrbob View Post
    "1. Display the top 50 Source/Destination combos"
    "4. Display the top 50 Sources"
    "5. Display the top 50 Destinations"

    These should help in the "find top BW usage" search?
    This will crawl the connection table, count all sources and destinations, and display the IPs with the most entries in that table, no matter if they are idle or transferring at 10GBit/s.
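
The distinction drawn in posts #8 and #13, shown as an added example that is not part of the thread or of the Top Talkers script: ranking source/destination pairs by number of connection-table entries versus by bytes transferred. The flow records, their `src dst dport bytes` layout and the function names are constructed for illustration and are not cpview or `fw tab` output.

```shell
#!/bin/sh
# Constructed flow records, one connection per line: src dst dport bytes.
# One long-lived heavy connection (1.1.1.1 -> 2.2.2.2, as in the thread)
# sits beside many short, small connections from other hosts.
sample_flows() {
cat <<'EOF'
1.1.1.1 2.2.2.2 1521 90000000000
10.0.0.5 10.0.0.53 53 420
10.0.0.5 10.0.0.53 53 380
10.0.0.5 10.0.0.53 53 510
10.0.0.5 10.0.0.53 53 450
10.0.0.7 192.0.2.10 443 1200000
10.0.0.7 192.0.2.10 443 800000
EOF
}

# Rank src/dst pairs by how many entries they hold in the table.
# This is the entry-counting view: idle and busy connections weigh the same.
# Output: "count src dst", highest count first.
pairs_by_entries() {
    awk '{ n[$1 " " $2]++ }
         END { for (p in n) print n[p], p }' | sort -k1,1nr -k2
}

# Rank src/dst pairs by total bytes carried across all their connections.
# This is the view needed to answer "who uses the most bandwidth".
# Output: "bytes src dst", highest total first.
pairs_by_bytes() {
    awk '{ b[$1 " " $2] += $4 }
         END { for (p in b) printf "%.0f %s\n", b[p], p }' | sort -k1,1nr -k2
}

echo "Ranked by table entries:"
sample_flows | pairs_by_entries
echo "Ranked by bytes:"
sample_flows | pairs_by_bytes
```

The single heavy connection is last in the entry ranking and first in the byte ranking, which is why an entry-counting report can miss it entirely.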
