Table of Contents:
- Introduction
- Download Instructions
- Syntax
- Usage
- Compilation
- Known limitations
- Related solutions
(1) Introduction
The CPMonitor utility analyzes traffic captured by tcpdump / snoop / Check Point FW Monitor.
It parses the input traffic capture file and extracts valuable information from it, including:
- Overall traffic statistics (pps, cps, concurrent, throughput)
- Top connections, top servers and top services
- Detailed connections, servers and services (with packet size distribution)
- Per second analysis
It can run on any Gaia / SecurePlatform / Linux machine.
The default CPMonitor location is /opt/CPinfo-10/bin/
(2) Download Instructions
Note: CPMonitor is automatically available from any machine. You do not need to download it to start using it.
- Download the latest CPMonitor package from the table below:
- Transfer the CPMonitor package (cpmonitor_sk103212_<OS>.tgz) to your Gaia / SecurePlatform / Linux machine (where the traffic capture files that you need to analyze are located).
- Connect to the command line on your Gaia / SecurePlatform / Linux machine (over SSH, or console).
- On Gaia / SecurePlatform OS, log in to Expert mode.
- Unpack the CPMonitor package:
  # tar -zxvf cpmonitor_sk103212_<OS>.tgz
- Assign the relevant permissions to the CPMonitor executable file:
  # chmod u+x cpmonitor
- Refer to the "Syntax" section and the "Usage" section below.
(3) Syntax
# cpmonitor [--version] [-v] [-q] [-n] [-o <output>] [-g <graph>] [-t <name>] [-s <p | t>] [-c <connection table size>] </path_to/name_of_traffic_dump_file>
where:
| Argument | Mandatory / Optional? | Description |
| --version | Optional | Displays the version number (and exits) |
| -v | Optional | Verbose mode |
| -q | Optional | Quiet mode: no output on stdout, prints only to the output file(s) |
| -n | Optional | Navigates through the dump file (see "Navigate mode" in the "Usage" section) |
| -o </path_to/output> | Optional | Creates the output file </path_to/output>.txt for the report. Note: provide only the name of the file; the .txt extension is added automatically |
| -g </path_to/graph> | Optional | Creates a timeline graph and prints it to </path_to/graph>.csv. Note: provide only the name of the graph; the .csv extension is added automatically |
| -t <name> | Optional | Prints the entire tables to </path_to/name>_<table_name>.csv (e.g., </path_to/name>_conns.csv) |
| -s <p|t> | Optional | Sets the sorting method for top entities: p - packet sorting (default); t - throughput sorting |
| -c <Size of Connections Table> | Optional | Sets the size of the Connections Table, an integer number of entries that the Connections Table can hold: default is 10,000,000; maximum is 200,000,000 |
| </path_to/name_of_traffic_dump_file> | Mandatory | Full path to the traffic capture file to be analyzed |
(4) Usage
Traffic that needs to be analyzed can be captured using the standard Linux tcpdump tool as follows (the default 96-byte snapshot length is sufficient):
# tcpdump -i {<name_of_relevant_interface> | any} -w /var/log/capture.cap
Notes:
- To avoid a performance impact on the involved machine, the traffic can instead be captured on a switch (using a SPAN / Mirror port).
- On machines with a complex NIC topology, the "tcpdump -i any" syntax should be avoided. Refer to the "Known limitations" section.
- CPMonitor also supports traffic captured as follows:
  # tcpdump -p -i Interface_Name -w /var/log/capture.cap
When analyzing the captured traffic, the CPMonitor tool can run in two modes, Complete or Navigate, which produce different insights.
- Complete mode
  # ./cpmonitor <name_of_traffic_capture_file>
  Produces a summary report from the content of the entire traffic capture file.
  Tip: Use with the "-t" flag to produce detailed CSV files containing all the connections, servers and services. This creates a complete picture of the entire traffic (not just the top traffic).
  Example: (screenshot not reproduced here)
- Navigate mode
  # ./cpmonitor -n <name_of_traffic_capture_file>
  Creates a report for the first second of the traffic capture file, and allows navigating across the file and increasing the window size to cover more than one second.
  This mode gives a better understanding of traffic bursts and peaks that may have occurred during the capture.
  Tip: Press "h" for the available options when running in navigation mode.
  Example: (screenshot not reproduced here)
(5) Compilation
The source code for the CPMonitor tool is available at Check Point's Bitbucket Open Source repository.
If the downloaded tool (compiled by Check Point) does not run on your Linux OS (or runs with errors), download the source code and compile it on the involved Linux 32-Bit machine.
CPMonitor should be compiled on a Linux machine.
CPMonitor needs to be compiled with glib-2.0.
Instructions:
- Run make.
- The cpmonitor binary file will be created in the main directory.
Troubleshooting compilation issues:
| # | Error | Cause | Solution |
| 1 | "fatal error: glib.h: No such file or directory" | glib is missing | Install glib on the machine: # sudo apt-get install libglib2.0-dev |
| 2 | "fatal error: pcap.h: No such file or directory" | libpcap is missing | Install libpcap 0.9.4 on the machine (see the steps below) |
Steps to install libpcap 0.9.4:
- Download the libpcap-0.9.4 package:
- Extract the package:
  # cd /var/tmp/libpcap
  # tar -zxvf libpcap-0.9.4.tar.gz
- Prepare and install the package (from the extracted source directory):
  # cd libpcap-0.9.4
  # ./configure
  # make
  # make install
- Copy the documentation:
  # install -v -m755 -d /usr/share/doc/libpcap-0.9.4
  # install -v -m644 doc/*{html,txt} /usr/share/doc/libpcap-0.9.4
- Verify that the libpcap files were installed / copied (the pattern is quoted so the shell does not expand it against the current directory):
  # find / -name '*libpcap*' -type f
(6) Known limitations
- When traffic is captured on a machine with a complex NIC topology using the syntax "tcpdump -i any", the capture file will hold multiple entries for each packet (one entry for each interface in the packet's path). CPMonitor does not currently support identifying multiple entries of the same packet, so analyzing such a capture file with CPMonitor might result in incorrect statistics (inflated packet, connection and throughput counts). This issue can be resolved by capturing each involved interface individually, using the syntax "tcpdump -i <name_of_relevant_interface>".
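To make the per-second analysis from the "Usage" section and the duplicate-entry problem described above concrete, here is an added Python example (not part of CPMonitor or this article) that parses a classic pcap file, buckets packets and bytes per second, and counts records whose contents repeat an earlier record within a short window, which is what a "tcpdump -i any" capture on a multi-NIC host produces. The sample capture is constructed inline; the 16-byte Linux cooked (SLL) header length and the 1 ms duplicate window are assumptions, and a genuine retransmission outside that window is left uncounted.

```python
import struct
from collections import Counter
PCAP_MAGIC = 0xA1B2C3D4  # classic pcap with microsecond timestamps, as tcpdump -w writes
SLL_HDR_LEN = 16         # Linux "cooked" link-layer header used by captures taken with -i any

def iter_pcap_records(data):
    """Yield (timestamp_seconds, packet_bytes) for each record of a classic pcap byte string."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == PCAP_MAGIC else ">"
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len

def per_second_stats(data):
    """Packets and bytes per wall-clock second: a minimal version of a per-second analysis."""
    pkts, byts = Counter(), Counter()
    for ts, pkt in iter_pcap_records(data):
        pkts[int(ts)] += 1
        byts[int(ts)] += len(pkt)
    return {sec: (pkts[sec], byts[sec]) for sec in sorted(pkts)}

def count_duplicate_entries(data, link_hdr_len=SLL_HDR_LEN, window=0.001):
    """Count records whose bytes past the link-layer header repeat an earlier record within
    `window` seconds: the signature of one packet logged once per interface on its path."""
    last_seen, dups = {}, 0
    for ts, pkt in iter_pcap_records(data):
        key = pkt[link_hdr_len:]
        if key in last_seen and ts - last_seen[key] <= window:
            dups += 1
        last_seen[key] = ts
    return dups

# Constructed sample capture (assumption: not a real trace); 113 = LINKTYPE_LINUX_SLL.
def build_pcap(records, linktype=113):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 96, linktype)
    for ts, pkt in records:
        out += struct.pack("<IIII", int(ts), round((ts - int(ts)) * 1e6), len(pkt), len(pkt)) + pkt
    return out

def sll_header(pkttype, addr_byte):  # packet type, ARPHRD_ETHER, addr len, addr, EtherType IPv4
    return struct.pack(">HHH8sH", pkttype, 1, 6, bytes([addr_byte]) * 6 + b"\0\0", 0x0800)

IP_PAYLOAD = bytes.fromhex("45000028") + b"\0" * 36  # 40-byte stand-in for one IPv4 packet
SAMPLE_PCAP = build_pcap([
    (100.000100, sll_header(0, 0xAA) + IP_PAYLOAD),  # one packet, seen inbound on one NIC...
    (100.000300, sll_header(4, 0xBB) + IP_PAYLOAD),  # ...and 200 us later outbound on another
    (101.500000, sll_header(0, 0xAA) + bytes.fromhex("45000028") + b"\1" * 36),
    (103.000000, sll_header(0, 0xAA) + IP_PAYLOAD),  # genuine retransmission, outside the window
])
```

On the sample, `count_duplicate_entries(SAMPLE_PCAP)` returns 1 while `per_second_stats` reports 2 packets in second 100, showing how a multi-interface capture inflates the counts before any tool analyzes it.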