|Check Point Reference:||SBP-2006-08|
|Date Published:||14 Sep 2006|
|Last Updated:||8 May 2007|
|Source:||SmartDefense Research Center|
|Protection Provided by:|
|Who is Vulnerable?|
|Vulnerability Description||Packet streams that have triggered a SmartDefense or Web Intelligence protection can be stored in the form of raw data. The captured packets can be examined using the internal packet viewer or any protocol analyzer, such as Ethereal, Snoop or tcpdump.
Packet capture is available for all existing protections as well as for new protections that are added through the SmartDefense updates service.
Examining a captured packet with a network protocol analyzer can reveal a great deal of information about an attack. While the log entry shows only selected fields extracted from the packet, together with other relevant information, the packet capture contains the whole packet. The packet capture can be used to analyze the packet further and can help troubleshoot network problems. Packet captures are attached to the relevant logs and can be viewed in SmartView Tracker. Logs that contain a captured packet stream can be identified by the icon in the SmartView Tracker log entry, as shown in the image below.|
|Vulnerability Details||Captured packets are stored on the InterSpect appliance at $FWDIR/log/packets_capture. By default, up to 15% of the storage space on InterSpect may be used for storing packet captures. This value is configurable in the InterSpect > Logging page. It can be set as either a percentage of disk space or as a Megabyte value. If the configured limit is reached, older packet captures are deleted as new ones are saved.|
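The retention behaviour described above, as an added example that is not Check Point's own code: a Python sketch of a quota-based capture store that accepts either a percentage-of-disk limit or a Megabyte value and evicts the oldest captures first once the limit is reached. The directory and capture file names are constructed for the demonstration; a temporary directory stands in for $FWDIR/log/packets_capture.

```python
"""Added example: quota-based retention for a packet-capture directory (not Check Point code)."""
import os
import shutil
import tempfile
from pathlib import Path


def capture_quota_bytes(capture_dir, percent=None, megabytes=None):
    """Turn the configured limit into bytes: either a percentage of the disk
    holding capture_dir (15 is the default named on the page) or a flat Megabyte value."""
    if (percent is None) == (megabytes is None):
        raise ValueError("configure exactly one of: percent, megabytes")
    if megabytes is not None:
        return megabytes * 1024 * 1024
    total = shutil.disk_usage(capture_dir).total
    return total * percent // 100


def prune_oldest(capture_dir, quota_bytes):
    """Delete captures oldest-first until the directory fits under quota_bytes.
    Returns the deleted file names in deletion order."""
    files = [p for p in Path(capture_dir).iterdir() if p.is_file()]
    files.sort(key=lambda p: p.stat().st_mtime)  # oldest capture first
    used = sum(p.stat().st_size for p in files)
    deleted = []
    for p in files:
        if used <= quota_bytes:
            break
        used -= p.stat().st_size
        p.unlink()
        deleted.append(p.name)
    return deleted


def demo(quota_mb=1):
    """Constructed scenario: five 300 KiB captures (1.46 MiB total) under a 1 MB limit.
    Returns (deleted_names, remaining_names). The temp directory stands in for
    $FWDIR/log/packets_capture and is removed afterwards."""
    tmp = Path(tempfile.mkdtemp(prefix="packets_capture_"))
    try:
        for i in range(5):
            f = tmp / f"capture_{i}.cap"
            f.write_bytes(b"\x00" * (300 * 1024))
            os.utime(f, (1_000_000 + i, 1_000_000 + i))  # capture_0 is the oldest
        deleted = prune_oldest(tmp, capture_quota_bytes(tmp, megabytes=quota_mb))
        remaining = sorted(p.name for p in tmp.iterdir())
        return deleted, remaining
    finally:
        shutil.rmtree(tmp, ignore_errors=True)
```

With the 1 MB quota, the two oldest captures are removed and three remain, which mirrors the "older packet captures are deleted as new ones are saved" rule.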