Category:Check Point -> Security Appliances
From expert mode:
[Expert@FIREWALL:5]# tcpdump -nni bond1.222 host 10.10.10.15
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bond1.222, link-type EN10MB (Ethernet), capture size 96 bytes
15:57:38.304546 IP 10.10.10.15.514 > 10.45.45.45.514: SYSLOG local7.info, length: 131
15:57:38.304773 IP 10.10.10.15.514 > 10.45.45.45.514: SYSLOG local7.info, length: 164
15:57:38.306391 IP 10.10.10.15.514 > 10.45.45.45.514: SYSLOG local7.info, length: 186
15:57:38.306598 IP 10.10.10.15.514 > 10.45.45.45.514: SYSLOG local7.info, length: 101
15:57:38.319824 IP 10.10.10.15.514 > 10.45.45.45.514: SYSLOG local7.info, length: 122
<snipped for brevity>
15:57:38.976293 IP 10.10.10.15.514 > 10.45.45.45.514: SYSLOG local7.info, length: 187
15:57:38.976594 IP 10.10.10.15.514 > 10.45.45.45.514: SYSLOG local7.info, length: 101
15:57:38.993419 IP 10.10.10.15.514 > 10.45.45.45.514: SYSLOG local7.info, length: 122
15:57:38.993561 IP 10.10.10.15.514 > 10.45.45.45.514: SYSLOG local7.info, length: 93
15:57:40.402256 IP 10.10.10.15.514 > 10.10.50.25.514: SYSLOG user.warning, length: 317
15:57:40.644253 IP 10.10.10.15.514 > 10.10.50.25.514: SYSLOG user.warning, length: 316
To filter both source and destination:
[Expert@FIREWALL:0]# tcpdump -nni bond1.222 host 10.10.10.15 and host 10.10.50.25
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bond1.222, link-type EN10MB (Ethernet), capture size 96 bytes
16:15:40.971846 IP 10.10.10.15.514 > 10.10.50.25.514: SYSLOG user.warning, length: 317
16:15:42.631256 IP 10.10.10.15.514 > 10.10.50.25.514: SYSLOG user.warning, length: 317
16:15:42.715613 IP 10.10.10.15.514 > 10.10.50.25.514: SYSLOG user.warning, length: 317
16:15:42.843538 IP 10.10.10.15.514 > 10.10.50.25.514: SYSLOG user.warning, length: 316
16:15:42.906834 IP 10.10.10.15.514 > 10.10.50.25.514: SYSLOG user.warning, length: 317
16:15:46.462783 IP 10.10.10.15.514 > 10.10.50.25.514: SYSLOG user.warning, length: 317
16:15:47.195943 IP 10.10.10.15.514 > 10.10.50.25.514: SYSLOG user.warning, length: 317
16:15:47.529080 IP 10.10.10.15.514 > 10.10.50.25.514: SYSLOG user.warning, length: 317
16:15:47.713714 IP 10.10.10.15.514 > 10.10.50.25.514: SYSLOG user.warning, length: 317
16:15:48.830959 IP 10.10.10.15.514 > 10.10.50.25.514: SYSLOG user.warning, length: 317
10 packets captured
26 packets received by filter
0 packets dropped by kernel
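As an added example (not part of the original page), a small sh/awk helper that summarises the one-line tcpdump output above per syslog flow, so a longer capture can be checked for a source forwarding to a collector other than the one expected. The sample lines are constructed from the capture above; treating 10.10.50.25 as the expected collector is an assumption.

```shell
#!/bin/sh
# Added example, not from the original page: aggregate tcpdump's one-line
# syslog summaries into per-flow packet and byte counts.

# Constructed sample: four data lines copied from the capture above plus one
# tcpdump banner line to show that non-packet lines are ignored.
SAMPLE_CAPTURE='tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
15:57:38.304546 IP 10.10.10.15.514 > 10.45.45.45.514: SYSLOG local7.info, length: 131
15:57:38.304773 IP 10.10.10.15.514 > 10.45.45.45.514: SYSLOG local7.info, length: 164
15:57:40.402256 IP 10.10.10.15.514 > 10.10.50.25.514: SYSLOG user.warning, length: 317
15:57:40.644253 IP 10.10.10.15.514 > 10.10.50.25.514: SYSLOG user.warning, length: 316'

# syslog_flow_summary: read tcpdump lines on stdin, print one line per flow:
#   src_ip dst_ip facility.severity packets bytes
# Only lines of the form "<time> IP <src>.<port> > <dst>.<port>: SYSLOG ..."
# are counted; banners and the trailing packet statistics are skipped.
syslog_flow_summary() {
    awk '
        $2 == "IP" && $6 == "SYSLOG" {
            src = $3; sub(/\.[0-9]+$/, "", src)      # "10.10.10.15.514"  -> "10.10.10.15"
            dst = $5; sub(/\.[0-9]+:$/, "", dst)     # "10.45.45.45.514:" -> "10.45.45.45"
            prio = $7; sub(/,$/, "", prio)           # "local7.info,"     -> "local7.info"
            key = src " " dst " " prio
            pkts[key]++
            bytes[key] += $9                         # value after "length:"
        }
        END {
            for (k in pkts) printf "%s %d %d\n", k, pkts[k], bytes[k]
        }
    ' | sort
}

# syslog_unexpected_collectors EXPECTED_IP: print only the flows whose
# destination is not the expected collector (assumed here: 10.10.50.25).
syslog_unexpected_collectors() {
    syslog_flow_summary | awk -v ok="$1" '$2 != ok'
}

printf '%s\n' "$SAMPLE_CAPTURE" | syslog_flow_summary
printf '%s\n' "$SAMPLE_CAPTURE" | syslog_unexpected_collectors 10.10.50.25
```

On the gateway, pipe a live capture into it with `tcpdump -nnli bond1.222 udp port 514 | syslog_flow_summary` (with `-l` for line-buffered output) once the functions are sourced in the expert shell.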
fw monitor examples:
fw monitor -e 'accept dst=10.10.10.10;'
fw monitor -e 'accept host(10.10.10.10);'
fw monitor -e 'accept src=10.10.10.10 and dport=49;'