Hello Jagadesh,
Thank you for the post, you can follow the below steps,
To record a pcap file with tcpdump:
Enable TCP dump:
1. tcpdump_on
2. run tcpdump as usual
3. tcpdump_off
Step 3 is very important, if it is not be done, the gateway performance might be affected until you will run this step (reboot will also stop it).
Record a pcap file with tcpdump:
Once you're logged in as the root user run the following command:
tcpdump -i ethX -s0 host 1.1.1.1 and port YYY -w /var/tmp/name.pcap
- Replace ethX with the interface number (eth1, eth2, eth3, etc). Do not use "any" when recording pcap files for support purposes as those cannot be used by us. You can check the interface that is monitoring the traffic by reviewing the gateway configuration via impcfg menu or using command: impctl gateway show
- The "-s0 " is crucial so packets do not get truncated by tcpdump's default configuration.
- Replace 1.1.1.1 with the relevant IP address (when applicable). This can be a client IP or a server IP address
- Replace YYY with the relevant port number (when applicable).
- The -w option indicates where the captured traffic should be captured to, in the example above it will be saved to a file called name.pcap under the /var/tmp folder.
Here is an example:
tcpdump -i eth2 host 10.10.10.1 and host 11.11.11.1 -w /var/tmp/case001.pcap
------------------------------
Syed Noor Fazal
Product Support Engineer
------------------------------
Original Message:
Sent: 08-24-2023 05:54
From: Jagadesh Kumar R
Subject: Gateway Pcap
Dear all,
I hope you're all doing well.
Whether it's possible to take PCAP from gateways, if possible, please let us know the procedure.
Gateway Model: X2020
#On-PremisesWAF(formerlySecuresphere)
------------------------------
Jagadesh Kumar R
Information Security Group, Manager
The Karur Vysya Bank Limited
Karur
------------------------------