Check Point Advisories

Learning More about SmartView Tracker Logs: InterSpect NGX Packets Capture

Check Point Reference: SBP-2006-08
Date Published: 14 Sep 2006
Severity: Medium
Last Updated: Tuesday 08 May, 2007
Source: SmartDefense Research Center
Protection Provided by:
Who is Vulnerable?
Vulnerability Description

Packet streams that have triggered a SmartDefense or Web Intelligence protection can be stored in the form of raw data. The captured packet can be examined using an internal packet viewer or any protocol analyzer, such as Ethereal, Snoop or tcpdump.

Packet capture is available for all protections as well as new protections that are added using the SmartDefense updates service.

Examining a captured packet using a network protocol analyzer can reveal a lot of information about an attack. While the log shows some pieces of information extracted from the packet, together with some other relevant information, the packet capture contains the whole packet. The packet capture can be used to further analyze the packet and can help troubleshoot network problems. Packet captures are added to the relevant logs and can be viewed in SmartView Tracker. Logs that contain a captured packet stream can be identified by the icon in the SmartView Tracker log entry, as shown below:

[Figure: SmartView Tracker]

Vulnerability Details

Captured packets are stored on the InterSpect appliance at $FWDIR/log/packets_capture. By default, up to 15% of the storage space on InterSpect may be used for storing packet captures. This value is configurable in the InterSpect > Logging page. It can be set as either a percentage of disk space or as a Megabyte value. If the configured limit is reached, older packet captures are deleted as new ones are saved.
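Because older captures are deleted once the limit is reached, it helps to know which files are next in line before they are needed as evidence. The following is an added example, not Check Point code: it assumes deletion goes strictly by oldest modification time and that the percentage applies to the total size of the filesystem holding the directory; the function names are hypothetical.

```python
import os
import shutil
from pathlib import Path

MB = 1024 * 1024

def list_captures(capture_dir):
    """Return (mtime, size, path) for every regular file, oldest first."""
    entries = []
    for p in Path(capture_dir).rglob("*"):
        if p.is_file():
            st = p.stat()
            entries.append((st.st_mtime, st.st_size, p))
    return sorted(entries, key=lambda e: (e[0], str(e[2])))

def limit_bytes(capture_dir, percent=None, megabytes=None, disk_total=None):
    """Translate the configured limit (percent of disk OR megabytes) to bytes."""
    if (percent is None) == (megabytes is None):
        raise ValueError("set exactly one of percent or megabytes")
    if megabytes is not None:
        return int(megabytes * MB)
    # Assumption: the percentage is taken of the filesystem's total size.
    total = disk_total if disk_total is not None else shutil.disk_usage(capture_dir).total
    return int(total * percent / 100)

def at_risk(capture_dir, headroom_bytes, **limit):
    """Return (bytes used, oldest captures that would have to be deleted
    to fit headroom_bytes of new captures under the limit)."""
    entries = list_captures(capture_dir)
    used = sum(size for _, size, _ in entries)
    excess = used + headroom_bytes - limit_bytes(capture_dir, **limit)
    victims = []
    for _, size, path in entries:  # assumption: oldest-first deletion
        if excess <= 0:
            break
        victims.append(path)
        excess -= size
    return used, victims

if __name__ == "__main__":
    d = os.path.expandvars("$FWDIR/log/packets_capture")
    if os.path.isdir(d):
        used, victims = at_risk(d, headroom_bytes=50 * MB, percent=15)
        print(f"{used / MB:.1f} MB used; {len(victims)} capture(s) next in line")
        for v in victims:
            print(" ", v)
```

Archiving the returned files to another host before raising traffic volume or enabling more protections keeps the corresponding SmartView Tracker log entries backed by their packet data.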

Protection Overview
