Scripts are normally not worth sharing because they are so easy to construct. This one illustrates several different concepts so may be of interest to someone else besides myself:
- packet trace utility in Checkpoint firewall Gaia
- send Ctrl-C interrupt to a process which has been run in the background
- giving unqieu filenames for each cut
- general approach to tacklnig the challenge of breaking a potentially large output into manageable chunks
I wanted to learn about unexpected VPN client disconnects that a user, Sandy, was experiencing. Her external IP is 18.104.22.168.
while /bin/true; do # date +%H%M inserts the current Hour (HH) and minute (MM). file=/tmp/sandy`date +%H%M`.cap # fw monitor is better than tcpdump because it looks at all interfaces fw monitor -o $file -l 60 -e "accept src=22.214.171.124 or dst=126.96.36.199;" & # $! picks up the process number of the command we backgrounded just above pid=$! sleep 600 #sleep 90 kill $pid sleep 3 gzip $file done
This type of tracing of this VPN session produces about 20 MB of data every 10 minutes. I want to be able to easily share the trace file afterwards in an email. And smaller files will be faster when analyzed in Wireshark.
The script itself I run in the background:
# ./sandy.sh &
And to make sure I don’t get logged out, I just run a slow PING afterwards:
# ping ‐i45 188.8.131.52
In retrospect I could have simply used the -ci argument and had the process terminate itself after a certain number of packets were recorded, and saved myself the effort of killing that process. But oh well, it is what it is.
Small tip to see all packets
Turn acceleration off:
fwaccel on (when you’re done).
I share a script I wrote today that is simple, but illustrates several useful concepts.
References and related
fw monitor cheat sheet.
The standard packet analyzer everyone uses is Wireshark from https://wireshark.org/