Support Center > Search Results > SecureKnowledge Details
Traffic analysis using the 'CPMonitor' tool
Solution

Table of Contents:

  1. Introduction
  2. Download Instructions
  3. Syntax
  4. Usage
  5. Compilation
  6. Known limitations
  7. Related solutions

 

(1) Introduction

The CPMonitor utility analyzes traffic captured by tcpdump / snoop / Check Point FW Monitor.

It parses the input traffic capture file and extracts valuable information from it, including:

  • Overall traffic statistics (pps, cps, concurrent, throughput)
  • Top connections, top servers and top services
  • Detailed connections, servers and services (with packet size distribution)
  • Per second analysis

It can run on any Gaia / SecurePlatform / Linux machine.

 

(2) Download Instructions

  1. Download the latest CPMonitor package from the table below:

    Platform Link
    Gaia OS (versions R75.40 - R80.X),
    Linux OS (based on Red Hat 5)
    (TGZ)
    SecurePlatform OS (versions R70.X - R77.X),
    Linux OS (based on Red Hat 3)
    (TGZ)
  2. Transfer the CPMonitor package (cpmonitor_sk103212_<OS>.tgz) to your Gaia / SecurePlatform / Linux machine (where the traffic capture files that you need to analyze are located).

  3. Connect to the command line on your Gaia / SecurePlatform / Linux machine (over SSH, or console).

  4. On Gaia / SecurePlatform OS, log in to Expert mode.

  5. Unpack the CPMonitor package:

    # tar -zxvf cpmonitor_sk103212_<OS>.tgz
  6. Assign the relevant permissions to the CPMonitor executable file:

    # chmod u+x cpmonitor
  7. Refer to the "Syntax" section and the "Usage" section below.

 

(3) Syntax

# cpmonitor [--version] [-v] [-q] [-n] [-o <output>] [-g <graph>] [-t <name>] [-s <p | t>] [-c <connection table size>] </path_to/name_of_traffic_dump_file>

where:

Argument Mandatory/
Optional? 
Description
--version Optional Displays version number (and exits)
-v Optional
Verbose mode
-q Optional
Quiet mode, no output on stdout, prints only to output file(s)
-n Optional
Navigates through dump file
-o </path_to/output> Optional
Creates output file </path_to/output>.txt for the report
Note: Need to provide only the name of the file - the *.txt extension is added automatically
-g </path_to/graph> Optional
Creates a timeline graph and prints it to </path_to/graph>.csv
Note: Need to provide only the name of the graph - the *.csv extension is added automatically
-t <name> Optional
Prints the entire tables to </path_to/name>_<table_name>.csv
(e.g.: </path_to/name>_conns.csv)
-s <p | t> Optional
Sets sorting method for top entities:
  • p - for packet sorting (default)
  • t - for throughput sorting
-c <Size of Connections Table> Optional
Sets size of Connections Table - an integer number of entries that the Connections Table can hold:
  • Default is 10,000,000
  • Maximum is 200,000,000
</path_to/name_of_traffic_dump_file> Mandatory Full path to the traffic capture file to be analyzed

 

(4) Usage

Traffic that needs to be analyzed can be captured using the standard Linux tcpdump tool as follows (the default 96 bytes are sufficient):

# tcpdump -i {<name_of_relevant_interface> | any} -w /var/log/capture.cap

Notes:

  • To avoid performance impact, instead of capturing the traffic on the involved machine, traffic can be captured on a switch (using SPAN / Mirror port).
  • On machines with complex NIC topology, "tcpdump -i any" syntax should be avoided. Refer to the "Known limitations" section.
  • CPMonitor also supports traffic captured as follows:
    # tcpdump -p -i Interface_Name -w /var/log/capture.cap

 

When analyzing the captured traffic, the CPMonitor tool can run in two modes: Complete or Navigate, producing different insights.

  • Complete mode

    # ./cpmonitor <name_of_traffic_capture_file>

    Produces a summary report from the content of the entire traffic capture file.

    Tip: Use with the "-t" flag to produce detailed CSV files containing all the connections, servers and services. This creates a complete picture of the entire traffic (not just the top traffic).

    Example:

  • Navigate mode

    # ./cpmonitor -n <name_of_traffic_capture_file>

    Creates a report for the first second of the traffic capture file, allows navigation across the file, and increases the window size to cover more than one second.

    This mode allows better understanding of traffic bursts and peaks, which may have occurred during the capture.

    Tip: Press "h" for available options when running in navigation mode.

    Example:

 

(5) Compilation

The source code for the CPMonitor tool is available at Check Point's Bitbucket Open Source repository.

If the downloaded tool (compiled by Check Point) does not run on your Linux OS (or runs with errors), download the source code and compile it on the involved Linux 32-Bit machine.

CPMonitor should be compiled on a Linux machine.

CPMonitor needs to be compiled with glib-2.0.

Instructions:

  1. Run make.

  2. The cpmonitor binary file will be created in the main directory.

Troubleshooting compilation issues:

1 Error "fatal error: glib.h: No such file or directory"
Cause glib is missing
Solution Install glib on the machine:
# sudo apt-get install libglib2.0-dev
2 Error "fatal error: pcap.h: No such file or directory"
Cause libpcap is missing
Solution Install libpcap 0.9.4 on the machine:
  1. Download libpcap-0.9.4 package:

    • If this machine is connected to the Internet:

      # mkdir /var/tmp/libpcap
      # cd /var/tmp/libpcap
      # wget http://www.tcpdump.org/release/libpcap-0.9.4.tar.gz
    • If this is an offline machine:

      Download the package from here to your computer
      and transfer it to the Linux machine
      (into some directory, e.g., /var/tmp/libpcap/).
  2. Extract the package:

    # cd /var/tmp/libpcap
    # tar -zxvf libpcap-0.9.4.tar.gz
  3. Prepare and install the package:

    # ./configure
    # make
    # make install
  4. Copy the documentation:

    # install -v -m755 -d /usr/share/doc/libpcap-0.9.4
    # install -v -m644 doc/*{html,txt} /usr/share/doc/libpcap-0.9.4
  5. Verify that libpcap files were installed / copied:

    # find / -name *libpcap* -type f

 

(6) Known limitations

  • CPMonitor is not supported on a 64-bit based OS.

    The following message might be displayed:
    "Warning: cpmonitor does not currently support 64 bit. Please run on a 32 bit machine."

  • When traffic is captured on a machine with complex NIC topology using the syntax "tcpdump -i any",
    the capture file will hold multiple entries for each packet (an entry for each interface in the packet's path).
    CPMonitor does not currently support identifying multiple entries of the same packet.
    Analyzing such a capture file using CPMonitor might result in incorrect statistics.
    This issue can be resolved by using multiple captures for individual interfaces using the syntax "tcpdump -i <name_of_relevant_interface>".

 

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment