Help and How to Use

    Table of Contents
        1. Introduction
        2. tcpdump
        3. Fortigate
            3.1 Packet Capture
            3.2 Flow Debugs
        4. Check Point
            4.1 fw monitor
            4.2 cppcap
            4.3 kernel debugs
        5. Cisco
        6. CLI Commands
        7. Social Links
        8. Downloads
        9. .plan
        10. Donation Contributions
        11. Development Site

---

Introduction

    Packet Captures allow you to examine network traffic coming into or going out of an interface on a network. They are very useful for troubleshooting issues, verifying configurations, performing passive recon and learning how services work at a low network level. The issue with packet captures is that every vendor seems to have their own way of performing them which may not be standard between vendors. This in turn causes issues for people who work on multiple devices and are trying to troubleshoot them.

    This is why I created tcpdump101.com - To give back to the community to help people perform and learn more about packet captures. This tool is ad-free, payed out of my own pocket, written in plain client-side code (HTML, JavaScript, CSS) to be downloaded to run offline and is my way of helping out. If you find it useful, I'm always looking for feedback so use the social links on the left to let me know. Similarly, if you have suggestions or have found bugs, please let me know. If you are able to make a donation to help cover operating costs, that would be appreciated but it's not required.

tcpdump

    tcpdump is the defacto packet capturing utility found on almost every *nix distribution and is what most packet capture utilities are based off.

    tcpdump uses Berkeley Packet Filters (BPF) to create matches on the type of traffic you want to catpure. BPFs can be as simple or complex as you require them. Here are a few examples:

    host 1.2.3.4
    This will capture any packets to or from the host with the IPv4 address of 1.2.3.4

    host 1.2.3.4 and tcp
    This will capture any packets to or from the host with the IPv4 address of 1.2.3.4 AND only TCP (IP/6) traffic.

    host 1.2.3.4 and \(tcp or icmp\)
    This will capture any packets to or from the host with the IPv4 address of 1.2.3.4 AND either TCP (IP/6) or ICMP (IP/1) traffic.

    proto 6 and not port 22
    This will capture any packets on any IP address for TCP (IP/6) but will ignore anything on TCP/22.

    As you can see, the BPF mechanism for filtering can be as complex or as basic as you need.

Fortigate

    Fortigate Packet Capture

    To run a packet capture on a Fortigate, you must run the diagnose sniffer packet command. This command is required to tell the Fortigate that you want to run a packet capture. After the command, you must specify the interface. This can be a physical interface (port1), a VDOM Link interface (vd1-vd2), a virtual interface (ssl.tunnel) or "any" to capture on all interfaces. Fortigates support most of the BPF filters found in tcpdump placed inside single-tick (') quotes. Lastly, at the end, you can specify the detail level (1-6), the capture count and whether or not you want absolute or relative timestamps.

    Fortigate Flow Debugs

    Fortigates are able to show low-level detail on processed packets which can aid in troubleshooting issues. Any packet which arrives to a Fortigate for processing will be detailed when running this command. You can specify the IP version (4/6) as well as whether or not to enable the display of both the function name and the iprope information (peronsally suggested to turn these on). You must specify how many packets will be captured in the debug command. Since a lot of information will be printed out, I personally suggest keeping this number low for ease of readability.
    You can create filters on the right-hand side to narrow down the traffic you are interested in viewing but there is no error checking on these filters.
     To stop the trace session, run the command: diagnose debug disable

Check Point

    Check Point fw monitor

    Check Point's fw monitor utility will attach itself to all points of kernel inspection as a packet passes through the Check Point kernel. This is very useful as it will show you the packets as they enter the firewall and are processed through it. In addition, you will be given information as to which point of inspection the packet is currently passing which may aid in troubleshooting kernel paramaters and NAT issues. Here are the points of inspection:

(i) Inbound (from wire)

(I) Post Inbound (towards OS kernel)

(o) Outbound (from OS kernel)

(O) Post Outbound (towards wire)

(e) Pre-Encryption (R80 and above only)

(E) Post-Encryption (R80 and above only)

    The fw monitor utility does not support BPF filters and will error out if not entered according to the INSPECT code.

    Check Point cppcap

    As of R77.30, you can install the cppcap utility on your Check Point firewall to provide additional packet capture features which support BPF filters. Although not as in-depth as fw monitor, it is a very useful tool.

    Check Point Kernel Debugs

    It is sometimes required to perform Check Point kernel-level debugging on traffic flows. By using this module, you can capture these debugs for further review. On the right-hand side, you can enable and disable specific Check Point firewall kernel modules for debugging. The defaults are already set (highlighted in green) which match the Check Point kernel defaults.

Cisco

    Cisco ASA packet captures are required to be bound to an interface and the capture must have a name. Cisco offers two options for network-based packet captures: The real-time option which will display packets in real-time and the capture must be stopped with ^C (Control+C). The other is the Display Full Trace option which will print out all trace options for every packet received. This will take up a lot of display space and may cause high resource consumption so be careful when using this option.
    Cisco ASA packet captures are currently limited to network-based packet captures at the moment although there are more types of packet captures available.

CLI Commands

    This section will be ever-growning to provide users with the ability to run common commands across different platforms. All the commands will be grouped together by function with icons indicating which are supported at any given time. You must use the "Generate Command" button to generate the command at the top since these sections do not update automatically.

Social Links

    Do you have a suggestion? Maybe you've discovered a bug? Do you want RSS notifications on new updates? Perhaps you just want to chat with others to get help or offer your own assistance to help out someone in need. All social links will open in a new window (or tab depending on your browser settings) so that you can keep your current tcpdump101 settings without having to start over. Feel free to follow me on Twitter, check out the sub-Reddit, subscribe to my Youtube channel or hop on Discord to chat with other packet monkeys like yourself. :)

There are also three ways to donate if you are able to: PayPal, Bitcoin and Litecoin are all accepted. I will not be accepting other forms of donations (at least right now) so hopefully one of these three methods will work for you should you choose to make a financial donation.

Downloads

    tcpdump101.com is written in flat HTML, JavaScript and CSS making it easy to download and run offline without the need for a webserver or even an Internet connection. Using the commands in this section will help you download this to run yourself.

.plan

    This section is dedicated to ideas and plans for the future of the site. It will also be where bugs can be tracked and user-suggested enhancements will be documented. Keep checking back to see what's in the works for the next revision of tcpdump101.com.

Donation Contributions

    Whenever someone is kind enough to make a donation, I will put their name and contact information (if they allow it) here as a permanent "Thank-you" to show my appreciation for their support.

Development

    This link will open a new window (or tab depending on your browser settings) to http://dev.tcpdump101.com where you can see the latest build of tcpdump101.com as it's being worked on. Keep in mind that this is a development site and may not work proerly or at all.

The best way to download this for offline use is with the wget utility found on most major distributions of Linux.

Click on the snippet below to download the current production version:


When you run this command, a new directory will be created called "tcpdump101.com" with all the relevant files you need to run this offline.

cat ~/.plan

Social

    E-mail: tcpdump101 [at] gmail -dot- com
    Twitter: @Grave_Rose 
    Reddit: /r/tcpdump101 
    Discord: https://discord.gg/2MZCqn6 

About

    I created tcpdump101.com after using RegEx101.com  which is a fantastic resource for creating and validating regular expressions. Having been involved in NetSec for about twenty years now, I realized that a lot of people struggle with packet captures. I thought about what I could do to give back to the community that I've been a part of for such a long time and this is what I came up with. It may not be the be-all-and-end-all of networking tools, but as long as it helps people learn, I'm glad to have created it.
        - Gr@ve_Rose

Donation Contributions

    Thanks to the following people who have donated to help keep this site up and running. If you'd like to donate, you can visit my donations links on the left to make a monetary donation. The list is updated manually so if you make a donation and your name doesn't appear in a few days, contact me at: tcpdump101 -at- gmail [dot] com

@CarloSupertramp 
@SVXDan83 
@scubastevegk