What is FW Monitor?

Table of Contents:

  1. Introduction
  2. Warnings
  3. FW Monitor Features
  4. FW Monitor Functionality
  5. FW Monitor Syntax
  6. SecureClient Syntax
  7. Capture Examples
    1. Usual Capture
    2. Host Specific Capture
    3. Port Specific Capture
    4. Protocol Specific Capture
    5. Protocol Options Specific Capture
    6. Bytes Specific Capture
    7. Network Specific Capture
    8. Some Examples
  8. Related Documentation
  9. Related Solutions

 


 

(I) Introduction

Check Point's FW Monitor is a built-in tool for capturing network traffic at the packet level. It captures packets at multiple capture points along the FireWall inspection chains. The captured packets can be inspected later with Wireshark (available for free from www.wireshark.org).

 

(II) Warnings

  • Anything related to policy installation or policy unloading on Security Gateway, will cause FW Monitor to exit.

  • It is supported to run only a single instance of FW Monitor at any given time.

  • Do not modify Check Point kernel tables used in the security policy while FW Monitor is running, otherwise unexpected behavior may result (including a system crash).

  • Packets are defragmented as they leave the Security Gateway in both the inbound and outbound directions.

  • If SecureXL is enabled on the Security Gateway, then FW Monitor and tcpdump show only the packets that are not accelerated (for example, the 'TCP SYN' that opens a connection is shown, while the subsequent 'TCP ACK' handled by SecureXL is not).

  • * NOTE * - Traffic captures can be misleading when working with SecureXL since both FW Monitor and TCPdump do not always show 'real' packets that are going out to the network. This is related to the way the SecureXL kernel driver is attached to the network adapter itself. When using SecureXL to confirm whether packets are being handled correctly, either capture the traffic on the directly connected router / switch, or disable SecureXL.

 

(III) FW Monitor Features

In many deployment and support scenarios, capturing network packets is essential. The tcpdump / snoop utilities are normally used for this task. FW Monitor provides comparable (in places better) functionality while avoiding many of the requirements and risks associated with those tools:

  • No Security Flaws

    tcpdump / snoop normally put the NIC into promiscuous mode, so the capture tool parses every frame on the segment, and a parsing bug in the tool becomes reachable by any host that can put a frame on the wire. Check Point's FW Monitor does not use promiscuous mode to capture packets. In addition, most firewall operating systems are hardened, and this hardening often includes the removal of tools like tcpdump / snoop because of their security risks.

  • Available on FireWall Installations

    FW Monitor is a built-in tool that does not need a separate installation, or licensing.

  • Multiple Capture Positions within the FireWall Kernel Module Chains

    FW Monitor can capture packets at multiple positions within the Security Gateway kernel module chains, for both inbound and outbound packets. This makes it possible to trace a packet through the different layers of the Security Gateway.

  • Same Tool and Syntax on All Platforms

    FW Monitor is available on all different platforms. tcpdump / snoop are often platform-dependent, or have specific "enhancements" on certain platforms. FW Monitor and all its related functionality and syntax are identical across all platforms.

Normally, Check Point kernel modules are used to perform several functions on packets, such as filtering, encryption and decryption, QoS, etc. FW Monitor adds its own modules to capture packets. FW Monitor can capture all packets that are seen and/or forwarded by the Security Gateway.

 

(IV) FW Monitor Functionality

There are four inspection points when a packet passes through a Security Gateway:

  1. Before the FireWall Virtual Machine, in the inbound direction - Pre-Inbound - marked as i

  2. After the FireWall Virtual Machine, in the inbound direction - Post-Inbound - marked as I

  3. Before the FireWall Virtual Machine, in the outbound direction - Pre-Outbound - marked as o

  4. After the FireWall Virtual Machine, in the outbound direction - Post-Outbound - marked as O

Note: The direction (inbound/outbound) relates to each specific packet, and not to the connection.

Let us examine a TCP handshake in the following topology:
[Source/Client] --- (eth1)[Security Gateway](eth2) --- [Destination/Server]

  • TCP SYN from [Source/Client] will pass through Pre-Inbound and Post-Inbound on interface eth1
  • TCP SYN from [Source/Client] will pass through Pre-Outbound and Post-Outbound on interface eth2
  • TCP SYN-ACK from [Destination/Server] will pass through Pre-Inbound and Post-Inbound on interface eth2
  • TCP SYN-ACK from [Destination/Server] will pass through Pre-Outbound and Post-Outbound on interface eth1
  • TCP ACK from [Source/Client] will pass through Pre-Inbound and Post-Inbound on interface eth1
  • TCP ACK from [Source/Client] will pass through Pre-Outbound and Post-Outbound on interface eth2

Once started, FW Monitor compiles the INSPECT filter (created as $FWDIR/tmp/monitorfilter.pf) from the specified syntax (which packets to capture) and loads it into the Check Point kernel alongside the Security Policy (the policy is not replaced). FW Monitor then continuously receives the matching packets from the Check Point kernel and, depending on the syntax, either prints them to the terminal or writes them to the output capture file. On an interrupt signal (CTRL + C), FW Monitor stops, unloads the INSPECT filter, and exits.

 

(V) FW Monitor Syntax

[Expert@HostName]# fw monitor [-h] [-u|-s] [-i] [-d] [-D] [-t] [{-e <expr>}+ | -f <filter_file_name>|-] [-l length] [-m i|I|o|O] [-x offset[,length]] [-o <output_file_name>] <[-pi position] [-pI position] [-po position] [-pO position] | -p all> [-a] [-ci count] [-co count] [-v VSID]

 

Flag Explanation
[-h] Displays the usage.
[-u | -s]

Prints connection's Universal-Unique-ID (UUID), or connection's Session UUID (SUUID) for every packet.

Note that it is only possible to print the UUID or the SUUID - not both.

For further information, refer to "How to use FW Monitor" document.
[-i]

Flushes the standard output.

Use this flag to make sure that captured data for each packet is at once written to standard output. This is especially useful if you want to kill a running FW Monitor process, and want to be sure that all data is written to a file.
[-d]
[-D]

Starts FW Monitor in debug mode.

This gives an insight into FW Monitor's inner workings; the option is rarely used outside Check Point.
The "-D" flag produces even more verbose output.
[-t]

When compiling the INSPECT filter, includes $FWDIR/lib/tcpip.def, which allows using TCP/IP macros.

Warning: Do not modify anything in $FWDIR/lib/tcpip.def or in any other $FWDIR/lib/*.def file by yourself. Check Point does not support any configuration with changed *.def files. The exceptions are modifications made together with Check Point Support (according to a Service Request) or found in SecureKnowledge.
[{-e <expr>}+ | -f <filter_file_name> | -]

Captures only specific packets:

  • Set the filter expression on the command line using the -e <expr> switch
  • Read the filter expression from a file using the -f <filter_file_name> switch
  • Read the filter expression from the standard input using the -f - switch

For further information, refer to "How to use FW Monitor" document.

Note:
When using filter expressions on the command line (using "-e <expr>" switch), make sure that the expressions are properly quoted.
On Windows and UNIX operating systems, this can be done by surrounding the expression with single quote ' (ASCII value 39), or double quotes " (ASCII value 34).
Depending on the given operating system and shell, there might be differences between the two forms - especially when using special characters, or (shell) variables in the filter expression.
[-l length]

Limits the length of the captured packets. FW Monitor will read only as many bytes from the kernel as specified by the length.

Make sure to capture at least enough bytes that the L3 IP header and the L4 transport header are included. This option lets you capture only the headers of a packet (e.g., IP and TCP) while omitting the payload, which reduces the size of the output file.

FW Monitor uses a buffer to transfer the packets from Check Point kernel to user space. If the size of the captured packets is reduced, this buffer will not fill up so fast.
[-m i]
[-m I]
[-m o]
[-m O]

Capture masks. By default, FW Monitor captures packets before and after the FireWall Virtual Machine in both directions.
This flag lets you specify the positions (kernel chains) where the traffic should be captured:

  • i - Pre-Inbound
  • I - Post-Inbound
  • o - Pre-Outbound
  • O - Post-Outbound
For further information, refer to "How to use FW Monitor" document.
[-x offset[,length]]

Prints packet/payload raw data in addition to the IP and Transport headers. Optionally it is also possible to limit the data written to the screen.

For further information, refer to "How to use FW Monitor" document.
[-o <output_file_name>] Writes the captured raw data into an output file.
The format of an output file is the same format used by tools like snoop (refer to RFC 1761 for further information). This output file can be later analyzed by tools like WireShark.
[-pi position]
[-pI position]
[-po position]
[-pO position]
-p all

Inserts FW Monitor chain module at a specific position between Check Point kernel chains.

In addition to capture masks (which give the ability to specify a specific position), this flag defines where exactly (in Check Point kernel chains) the packets should be captured.

For further information, refer to "How to use FW Monitor" document.
[-a]

Uses absolute chain positions (in Check Point kernel chains). This flag changes the chain ID from a relative value (which only makes sense with the matching output from fw ctl chain command) to an absolute value.

If the captured data is saved into an output file (using the "-o <output_file_name>" switch), one of the fields written into the output file would be the chain position of the FW Monitor chain module.
Together with a simultaneous execution of "fw ctl chain" command you can determine where the packet was captured. Especially when using "-p all" switch, you will find the same packet captured multiples times at different chain positions.
[-ci count]
[-co count]

Captures a specific number of packets.

This is especially useful when the FireWall is filtering large amounts of traffic. In such scenarios, FW Monitor may consume so many resources (writing to the console or to a file) that recognizing the break sequence (CTRL+C) can take a very long time.

It is possible to use the "-ci" and the "-co" switches together. FW Monitor will stop capturing packets if the number of packets for one of the two counters reaches the specified "count".
[-v VSID]

Applies only to VSX NG, VSX NGX, and VSX NGX R6x versions.

Captures the packets on a specific Virtual Router or Virtual System on VSX Gateway (Example: fw monitor -v 4 -e "accept;" -o /var/log/fw_mon.cap)
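As an added example (not Check Point code), the following Python reads and writes the RFC 1761 snoop layout that the "-o" flag produces, so a capture can be sanity-checked offline before it is opened in Wireshark: the record count, how many records were shortened (what "-l" produces, assuming FW Monitor keeps the full packet length in the record's original-length field, which the page does not state), and the cumulative drop counter. The datalink-type value FW Monitor writes is not given on the page, so the example uses RFC 1761's Ethernet code 4 as a placeholder parameter. The sample records are constructed inside the block.

```python
"""Minimal RFC 1761 (snoop) writer/reader for sanity-checking capture files.
Added example; not Check Point code."""
import struct

SNOOP_MAGIC = b"snoop\x00\x00\x00"     # 8-byte file identification pattern
SNOOP_VERSION = 2
# RFC 1761 datalink code for Ethernet. The code FW Monitor actually writes is not
# stated on the page; it is left as a parameter (assumption).
DLT_ETHERNET = 4
FILE_HDR = struct.Struct("!8sII")      # magic, version, datalink type (all big-endian)
REC_HDR = struct.Struct("!IIIIII")     # orig_len, incl_len, rec_len, cumulative drops, secs, usecs


def write_snoop(records, datalink=DLT_ETHERNET):
    """records: iterable of (original_length, captured_bytes, secs, usecs).
    captured_bytes may be shorter than original_length, as 'fw monitor -l' produces."""
    out = bytearray(FILE_HDR.pack(SNOOP_MAGIC, SNOOP_VERSION, datalink))
    for orig_len, data, secs, usecs in records:
        pad = (-len(data)) % 4             # each record is padded to a 4-byte boundary
        rec_len = REC_HDR.size + len(data) + pad
        out += REC_HDR.pack(orig_len, len(data), rec_len, 0, secs, usecs)
        out += data + b"\x00" * pad
    return bytes(out)


def read_snoop(blob):
    """Parse a snoop file held in memory; returns (datalink, [record dicts]).
    Raises ValueError on a bad magic/version or a record that overruns the file."""
    magic, version, datalink = FILE_HDR.unpack_from(blob, 0)
    if magic != SNOOP_MAGIC or version != SNOOP_VERSION:
        raise ValueError("not an RFC 1761 snoop file")
    pos, records = FILE_HDR.size, []
    while pos + REC_HDR.size <= len(blob):
        orig_len, incl_len, rec_len, drops, secs, usecs = REC_HDR.unpack_from(blob, pos)
        if rec_len < REC_HDR.size + incl_len or pos + rec_len > len(blob):
            raise ValueError(f"truncated or corrupt record at offset {pos}")
        data = blob[pos + REC_HDR.size:pos + REC_HDR.size + incl_len]
        records.append({"orig_len": orig_len, "incl_len": incl_len,
                        "truncated": incl_len < orig_len, "drops": drops,
                        "time": secs + usecs / 1e6, "data": data})
        pos += rec_len
    if pos != len(blob):
        raise ValueError("trailing bytes after the last record")
    return datalink, records


def is_valid_snoop(blob):
    try:
        read_snoop(blob)
        return True
    except ValueError:
        return False


def summarize(blob):
    """The counts a practitioner wants before opening the file in Wireshark."""
    datalink, recs = read_snoop(blob)
    return {"datalink": datalink, "packets": len(recs),
            "truncated": sum(r["truncated"] for r in recs),
            "drops": recs[-1]["drops"] if recs else 0}


def sample_capture():
    """Constructed sample: one full 60-byte record and one 1500-byte packet
    captured at 40 bytes (what '-l 40' would leave)."""
    return write_snoop([(60, bytes(range(60)), 1700000000, 0),
                        (1500, bytes(range(40)), 1700000000, 250000)])


if __name__ == "__main__":
    print(summarize(sample_capture()))
```

The reader refuses files whose records overrun the end of the file, which is what a capture interrupted before the buffer was flushed looks like; that is the case the "-i" flag above exists for.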

 

(VI) SecureClient Syntax

  • SecuRemote and SecureClient R56 / R60 use an abridged version of FW Monitor, called srfw monitor:

    %SRDIR%\bin\srfw monitor [-d] [{-e <expr>}+ | -f <filter_file_name> | -] [-l length] [-m i | I | o | O] [-x offset[,length]] [-o <output_file_name>]

    Refer to SecureClient R56 for Mac OS X Release Notes (Mac OS X 10.3, Mac OS X 10.4) and to Debugging SecuRemote/SecureClient.

  • Starting in E75.30, SecuRemote and SecureClient use a command-line packet monitoring utility (PacketMon.exe), called packetmon:

    packetmon [-d] [-h] [-t] [-T] [-i] [-I] [-r] [{-e <expr>}+ | -f <filter_file_name> | -] [-l length] [-m i | I | o | O] [-x offset[,length]] [-o <output_file_name>] [-ci count] [-co count]

    Refer to Remote Access Clients for Windows 32/64-bit Administration Guide (E75.30, E80.41, E80.50) - Chapter 'Monitoring and Troubleshooting' - Troubleshooting the Firewall - Desktop Firewall Monitoring.

 

(VII) Capture Examples

Refer to $FWDIR/lib/fwmonitor.def file for useful macro definitions.

Refer to "How to use FW Monitor" document - 'Logical and Relational Operators' section.

 

(VII-A) Capture Examples - Usual Capture

Capture everything, save the data into the file:
[Expert@HostName]# fw monitor -e "accept;" -o /var/log/fw_mon.cap

 

(VII-B) Capture Examples - Host Specific Capture

To specify a host, you can use the following syntax:

  • Either use "host(<IP_Address_in_Dotted_Decimal_format>)", which applies to both Source IP address and Destination IP address
  • Or use specific Source IP address "src=<IP_Address_in_Dotted_Decimal_format>" and specific Destination IP address "dst=<IP_Address_in_Dotted_Decimal_format>"

Examples:

  • Capture everything between host X and host Y:
    [Expert@HostName]# fw monitor -e "host(x.x.x.x) and host(y.y.y.y), accept;" -o /var/log/fw_mon.cap
    [Expert@HostName]# fw monitor -e "((src=x.x.x.x , dst=y.y.y.y) or (src=y.y.y.y , dst=x.x.x.x)), accept;" -o /var/log/fw_mon.cap

  • Capture everything between host X and host Z, or between host Y and host Z, on all Check Point kernel chains:
    [Expert@HostName]# fw monitor -p all -e "((host(x.x.x.x) or host(y.y.y.y)) and host(z.z.z.z)), accept;" -o /var/log/fw_mon.cap

  • Capture everything to/from host X or to/from host Y or to/from host Z:
    [Expert@HostName]# fw monitor -e "host(x.x.x.x) or host(y.y.y.y) or host(z.z.z.z), accept;" -o /var/log/fw_mon.cap
    [Expert@HostName]# fw monitor -e "((src=x.x.x.x or dst=x.x.x.x) or (src=y.y.y.y or dst=y.y.y.y) or (src=z.z.z.z or dst=z.z.z.z)), accept;" -o /var/log/fw_mon.cap

 

(VII-C) Capture Examples - Port Specific Capture

Note: Port number in the syntax has to be provided in Decimal format. Refer to /etc/services file on the machine, or to http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml

To specify a port, you can use the following syntax:

  • Either use "port(<IANA_Port_Number>)", which applies to both Source Port and Destination Port
  • Or use specific Source Port "sport=<IANA_Port_Number>" and specific Destination Port "dport=<IANA_Port_Number>"
  • In addition:
    • For specific TCP port, you can use "tcpport(<IANA_Port_Number>)", which applies to both Source TCP Port and Destination TCP Port
    • For specific UDP port, you can use "udpport(<IANA_Port_Number>)", which applies to both Source UDP Port and Destination UDP Port

Examples:

  • Capture everything to/from port X:
    [Expert@HostName]# fw monitor -e "port(x), accept;" -o /var/log/fw_mon.cap
    [Expert@HostName]# fw monitor -e "(sport=x or dport=x), accept;" -o /var/log/fw_mon.cap

  • Capture everything except port X (both ports must be excluded with "and": "(sport!=x) or (dport!=x)" is true for every packet unless x is on both sides):
    [Expert@HostName]# fw monitor -e "((sport!=x) and (dport!=x)), accept;" -o /var/log/fw_mon.cap
    [Expert@HostName]# fw monitor -e "not (sport=x or dport=x), accept;" -o /var/log/fw_mon.cap

  • Capture everything except SSH:
    [Expert@HostName]# fw monitor -e "((sport!=22) and (dport!=22)), accept;" -o /var/log/fw_mon.cap
    [Expert@HostName]# fw monitor -e "not (sport=22 or dport=22), accept;" -o /var/log/fw_mon.cap
    [Expert@HostName]# fw monitor -e "not tcpport(22), accept;" -o /var/log/fw_mon.cap

  • Capture everything to/from host X except SSH:
    [Expert@HostName]# fw monitor -e "(host(x.x.x.x) and (sport!=22 and dport!=22)), accept;" -o /var/log/fw_mon.cap
    [Expert@HostName]# fw monitor -e "((src=x.x.x.x or dst=x.x.x.x) and (not (sport=22 or dport=22))), accept;" -o /var/log/fw_mon.cap
    [Expert@HostName]# fw monitor -e "(host(x.x.x.x) and not tcpport(22)), accept;" -o /var/log/fw_mon.cap

  • Capture everything except NTP:
    [Expert@HostName]# fw monitor -e "not udpport(123), accept;" -o /var/log/fw_mon.cap

 

(VII-D) Capture Examples - Protocol Specific Capture

Note: Protocol number in the syntax has to be provided in Decimal format. Refer to /etc/protocols file on the machine, or to http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml

To specify a protocol, you can use the following syntax:

  • Either use "ip_p=<IANA_Protocol_Number>" (decimal; UDP is 17, not the hexadecimal 0x11)
    Examples:
    • To specify the TCP protocol, use "ip_p=6"
    • To specify the UDP protocol, use "ip_p=17"
    • To specify the ICMP protocol, use "ip_p=1"
  • Or use the byte-offset form "accept [9:1]=<IANA_Protocol_Number>"
    (This byte offset syntax is described in the "Capture Examples - Bytes Specific Capture" section)
    Examples:
    • To specify the TCP protocol with byte offset, use "accept [9:1]=6"
    • To specify the UDP protocol with byte offset, use "accept [9:1]=17"
    • To specify the ICMP protocol with byte offset, use "accept [9:1]=1"
  • In addition:
    • To specify TCP protocol, you can explicitly use "tcp, accept;"
    • To specify UDP protocol, you can explicitly use "udp, accept;"
    • To specify ICMPv4 protocol, you can explicitly use "icmp, accept;" or "icmp4, accept;"
    • To specify ICMPv6 protocol, you can explicitly use "icmp6, accept;"
    • To specify HTTP protocol (port 80), you can explicitly use "http, accept;"
    • To specify HTTPS protocol (port 443), you can explicitly use "https, accept;"
    • To specify PROXY protocol (port 8080), you can explicitly use "proxy, accept;"
    • To specify DNS protocol (port 53), you can explicitly use "dns, accept;"
    • To specify SSH protocol (port 22), you can explicitly use "ssh, accept;"
    • To specify FTP protocol (both port 20 and 21), you can explicitly use "ftp, accept;"
    • To specify Telnet protocol (port 23), you can explicitly use "telnet, accept;"
    • To specify SMTP protocol (port 25), you can explicitly use "smtp, accept;"
    • To specify POP3 protocol (port 110), you can explicitly use "pop3, accept;"
    • To specify IKE protocol (port 500), you can explicitly use "ike, accept;"
    • To specify NAT Traversal (NAT-T) protocol (port 4500), you can explicitly use "natt, accept;"
    • To specify both ESP (ip 50) and IKE protocol (port 500), you can explicitly use "vpn, accept;"
    • To capture Multi-Portal connections (port 443 or port 444), you can explicitly use "multi, accept;"
    • To capture all VPN-related data [ESP (ip 50), IPsec over UDP (port 2746), IKE (port 500), NAT-T (port 4500), CRL (port 18264), RDP (port 259), Tunnel Test (port 18234), Topology (port 264), L2TP (port 1701), SCV (port 18233), Multi-Portal (port 443 or port 444), etc.], you can explicitly use "vpnall, accept;"

Examples:

  • Capture everything on protocol X:
    [Expert@HostName]# fw monitor -e "ip_p=X, accept;" -o /var/log/fw_mon.cap

  • Everything on protocol X and port Z on protocol Y:
    [Expert@HostName]# fw monitor -e "(ip_p=X) or (ip_p=Y, port(Z)), accept;" -o /var/log/fw_mon.cap

  • Capture everything TCP between host X and host Y:
    [Expert@HostName]# fw monitor -e "ip_p=6, (host(x.x.x.x) and host(y.y.y.y)), accept;" -o /var/log/fw_mon.cap
    [Expert@HostName]# fw monitor -e "tcp, (host(x.x.x.x) and host(y.y.y.y)), accept;" -o /var/log/fw_mon.cap
    [Expert@HostName]# fw monitor -e "accept [9:1]=6 , ((src=x.x.x.x , dst=y.y.y.y) or (src=y.y.y.y , dst=x.x.x.x));"
    [Expert@HostName]# fw monitor -e "ip_p=6, ((src=x.x.x.x , dst=y.y.y.y) or (src=y.y.y.y , dst=x.x.x.x)), accept;" -o /var/log/fw_mon.cap

 

(VII-E) Capture Examples - Protocol Options Specific Capture

Protocol Syntax Option Description
IPv4 ip_src = <IPv4_Address> Source IPv4 address of the packet
ip_dst = <IPv4_Address> Destination IPv4 address of the packet
ip_ttl = <Number> Time To Live of the IPv4 packet
ip_len = <length_in_bytes> Length of the IPv4 packet in bytes
ip_tos = <value> TOS field of the IPv4 packet
ip_p = <IANA_Protocol_Number> IANA Protocol Number encapsulated in IPv4
IPv6 ip_src6p = <IPv6_Address> Source IPv6 address of the packet
ip_dst6p = <IPv6_Address> Destination IPv6 address of the packet
ip_len6 = <length_in_bytes> Length of the IPv6 packet in bytes
ip_ttl6 = <Number> Time To Live of the IPv6 packet
ip_p6 = <IANA_Protocol_Number> IANA Protocol Number encapsulated in IPv6
TCP syn SYN flag is set
ack ACK flag is set
rst RST flag is set
fin FIN flag is set
first First packet of TCP connection
(i.e., SYN flag is set, but ACK flag is not set)
not_first Not the first packet of TCP connection
(i.e., SYN flag is not set)
established Established TCP connection
(i.e., ACK flag is set, or SYN flag is not set)
last Last packet of TCP connection
(i.e., both ACK flag and FIN flag are set)
tcpdone End of TCP connection
(i.e., RST flag is set, or FIN flag is set)
th_flags = <flag>

General way to match the flags inside TCP packets (refer to $FWDIR/lib/tcpip.def). Note that "=" compares the whole flags byte, so "th_flags = TH_SYN" matches a pure SYN but not a SYN-ACK; to test one bit regardless of the other flags, use the bitwise form "(th_flags & TH_SYN)", which is how the syn / ack / rst / fin macros above are built:

Syntax Explanation
th_flags = TH_SYN Only the SYN flag is set
th_flags = TH_ACK Only the ACK flag is set
th_flags = TH_RST Only the RST flag is set
th_flags = TH_FIN Only the FIN flag is set
th_flags = TH_PUSH Only the PSH flag is set
th_flags = TH_URG Only the URG flag is set
th_flags = (TH_SYN | TH_ACK) SYN flag and ACK flag are set, and no others (bitwise OR of the two flag values; "&" of the two would be zero)
th_sport = <IANA_Port_Number> TCP source port
th_dport = <IANA_Port_Number> TCP destination port
th_seq = <Number> TCP sequence number
th_ack = <Number> TCP acknowledged number
UDP uh_sport = <IANA_Port_Number> UDP source port
uh_dport = <IANA_Port_Number> UDP destination port
uh_ulen = <length_in_bytes> Value of the UDP Length field (UDP header plus payload; does not include the IP header)
ICMPv4 icmp_type = <Number> ICMPv4 packets with specified Type
icmp_code = <Number> ICMPv4 packets with specified Code
icmp_id = <Number> ICMPv4 packets with specified Identifier
icmp_seq = <Number> ICMPv4 packets with specified Sequence number
echo_req ICMPv4 Echo Request packets (Type 8, Code 0)
echo_reply ICMPv4 Echo Reply packets (Type 0, Code 0)
ping ICMPv4 Echo Request and ICMPv4 Echo Reply packets
traceroute Traceroute packets as implemented in Unix OS (UDP packets on ports above 30000 and with TTL<30; or ICMP Time exceeded packets)
tracert Traceroute packets as implemented in Windows OS (ICMP Request packets with TTL<30; or ICMP Time exceeded packets)
icmp_ip_len = <length> Length of ICMPv4 packet
icmp_error

ICMPv4 Error packets, which are defined as follows (refer to RFC 792):

Macro group in $FWDIR/lib/tcpip.def   Macro                      Type  Code  Description
ICMP_UNREACH                          ICMP_UNREACH_NET            3     0    Destination unreachable - Network unreachable
                                      ICMP_UNREACH_HOST           3     1    Destination unreachable - Host unreachable
                                      ICMP_UNREACH_PROTOCOL       3     2    Destination unreachable - Protocol unreachable (the designated transport protocol is not supported)
                                      ICMP_UNREACH_PORT           3     3    Destination unreachable - Port unreachable (the designated protocol is unable to inform the host of the incoming message)
                                      ICMP_UNREACH_NEEDFRAG       3     4    Destination unreachable - Fragmentation needed: the datagram is too big and the Don't Fragment (DF) flag is set
                                      ICMP_UNREACH_SRCFAIL        3     5    Destination unreachable - Source route failed
ICMP_SOURCEQUENCH                     -                           4     -    Source quench
ICMP_REDIRECT                         ICMP_REDIRECT_NET           5     0    Redirect for Network
                                      ICMP_REDIRECT_HOST          5     1    Redirect for Host
                                      ICMP_REDIRECT_TOSNET        5     2    Redirect for Type of Service and Network
                                      ICMP_REDIRECT_TOSHOST       5     3    Redirect for Type of Service and Host
ICMP_TIMXCEED                         ICMP_TIMXCEED_INTRANS      11     0    Time exceeded - Time-to-live exceeded in transit
                                      ICMP_TIMXCEED_REASS        11     1    Time exceeded - Fragment reassembly time exceeded
ICMP_PARAMPROB                        -                          12     -    Parameter problem - Invalid IP header
ICMPv6 icmp6_type = <Number> ICMPv6 packets with specified Type
icmp6_code = <Number> ICMPv6 packets with specified Code
echo_req ICMPv6 Echo Request packets (Type 128)
echo_reply ICMPv6 Echo Reply packets (Type 129)
ping ICMPv6 Echo Request and ICMPv6 Echo Reply packets

 

(VII-F) Capture Examples - Bytes Specific Capture

Simple checks are used to check for a value at a specific offset in the packet:

[Expert@HostName]# fw monitor -e "accept [ offset : length , order ] relational-operator value;"

Field Explanation
offset Specifies the offset relative to the beginning of the IP packet from where the value should be read.
length Specifies the number of bytes:
  • 1 = byte
  • 2 = word
  • 4 = dword
If length is not specified, FW Monitor assumes 4 (dword).
order Specifies the byte order:
  • b = big endian, or network order
  • l = little endian, or host order
If order is not specified, FW Monitor assumes little endian byte order.
relational-operator

Relational operator to express the relation between the packet data and the value:

  <            less than
  >            greater than
  <=           less than or equal to
  >=           greater than or equal to
  =  / is      equal to
  != / is not  not equal to
value One of the data types known to INSPECT (e.g., an IP address, or an integer).

 

The IP-based protocols are stored in the IP packet as a byte at offset 9:

  • To filter based on a Protocol encapsulated into IP, use this syntax:
    [Expert@HostName]# fw monitor -e "accept [9:1]=<IANA_Protocol_Number>;"

The Layer 3 IP Addresses are stored in the IP packet as double words at offset 12 (Source address) and at offset 16 (Destination address):

  • To filter based on a Source IP address, use this syntax:
    [Expert@HostName]# fw monitor -e "accept [12:4,b]=<IP_Address_in_Dotted_Decimal_format>;"

  • To filter based on a Destination IP address, use this syntax:
    [Expert@HostName]# fw monitor -e "accept [16:4,b]=<IP_Address_in_Dotted_Decimal_format>;"

The Layer 4 Ports are stored in a TCP or UDP packet as a word at offset 20 (Source port) and at offset 22 (Destination port). These offsets assume an IPv4 header without options (IHL = 5, i.e. 20 bytes); if the header carries options, the transport header starts at IHL * 4 bytes and the port offsets shift accordingly. The offsets are the same for TCP and UDP because both place the source and destination ports in the first four bytes of their header:

  • To filter based on a Source port, use this syntax:
    [Expert@HostName]# fw monitor -e "accept [20:2,b]=<Port_Number_in_Decimal_format>;"

  • To filter based on a Destination port, use this syntax:
    [Expert@HostName]# fw monitor -e "accept [22:2,b]=<Port_Number_in_Decimal_format>;"

 

Examples:

  • Capture everything between host X and host Y:
    [Expert@HostName]# fw monitor -e "accept (([12:4,b]=x.x.x.x , [16:4,b]=y.y.y.y) or ([12:4,b]=y.y.y.y , [16:4,b]=x.x.x.x));"

  • Capture everything on port X:
    [Expert@HostName]# fw monitor -e "accept [20:2,b]=x or [22:2,b]=x;" -o /var/log/fw_mon.cap
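The following Python, added here as an illustration and not part of Check Point's tooling, evaluates checks written in the "[offset:length,order] op value" form above against constructed IPv4/TCP packets. It follows the defaults the page states (length 4, little-endian when no order is given), treats a field that lies beyond the captured bytes as a non-match (an assumption), and shows two things the offsets above leave implicit: the TCP flags byte sits at offset 33 when the IPv4 header has no options, so "[33:1]=0x12" is the byte-offset equivalent of "th_flags = (TH_SYN | TH_ACK)" from the Protocol Options section; and when the header does carry options, offsets 20/22 land inside the options, so the L4 offset has to be computed from IHL. The packet builder and its addresses are constructed sample data.

```python
"""Evaluate FW Monitor byte-offset checks, "[offset:length,order] op value",
against raw IPv4 packets.  Added example, not Check Point code."""
import ipaddress
import re
import struct

# One check: [offset[:length][,order]] op value   (page defaults: length 4, order little endian)
CHECK_RE = re.compile(
    r"\[\s*(\d+)\s*(?::\s*([124]))?\s*(?:,\s*([bl]))?\s*\]\s*"
    r"(<=|>=|!=|is\s+not|is|=|<|>)\s*(\S+)")


def parse_check(text):
    """Return (offset, length, order, op, value) for one byte-offset check."""
    m = CHECK_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"not a byte-offset check: {text!r}")
    offset, length = int(m.group(1)), int(m.group(2) or 4)
    order = m.group(3) or "l"                 # page: little endian when omitted
    op = re.sub(r"\s+", " ", m.group(4))
    raw = m.group(5)
    try:                                      # dotted-decimal IPv4 address ...
        value = int(ipaddress.IPv4Address(raw))
    except ValueError:                        # ... otherwise a decimal or 0x-hex integer
        value = int(raw, 0)
    return offset, length, order, op, value


def eval_check(packet, check):
    offset, length, order, op, value = check
    chunk = packet[offset:offset + length]
    if len(chunk) < length:                   # field outside the captured bytes: no match (assumption)
        return False
    field = int.from_bytes(chunk, "big" if order == "b" else "little")
    return {"=": field == value, "is": field == value,
            "!=": field != value, "is not": field != value,
            "<": field < value, ">": field > value,
            "<=": field <= value, ">=": field >= value}[op]


def matches(packet, expr):
    return eval_check(packet, parse_check(expr))


def transport_offset(packet):
    """Start of the L4 header: IHL * 4, which is 20 only when the IPv4 header has no options."""
    return (packet[0] & 0x0F) * 4


def build_ipv4_tcp(src, dst, sport, dport, flags=0x02, proto=6, options=b""):
    """Constructed sample packet (checksums left zero; only the offsets matter here)."""
    assert len(options) % 4 == 0, "IPv4 options are padded to 32-bit words"
    ihl = 5 + len(options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + 20, 0x1234, 0x4000,
                     64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + options + tcp


if __name__ == "__main__":
    syn = build_ipv4_tcp("10.1.1.1", "10.2.2.2", 40000, 22)
    for expr in ("[9:1]=6", "[12:4,b]=10.1.1.1", "[12:4]=10.1.1.1", "[22:2,b]=22", "[33:1]=0x02"):
        print(f"{expr:22} -> {matches(syn, expr)}")
    with_opts = build_ipv4_tcp("10.1.1.1", "10.2.2.2", 40000, 22, options=b"\x01" * 4)
    print("L4 offset with options:", transport_offset(with_opts))
```

The "[12:4]=10.1.1.1" case prints False: without ",b" the four address bytes are read in host order, which is why every address and port example on this page spells out ",b".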

 

(VII-G) Capture Examples - Network Specific Capture

To capture traffic to/from a network, you need to specify the network address and length of network mask (number of bits).

There are 3 options:

  • To capture traffic to/from a network, use "net(<Network_IP_Address>, <Mask_Length>), accept;"
  • To capture traffic to a network, use "to_net(<Network_IP_Address>, <Mask_Length>), accept;"
  • To capture traffic from a network, use "from_net(<Network_IP_Address>, <Mask_Length>), accept;"

Examples:

  • Capture everything to/from network 192.168.33.0 / 24:
    [Expert@HostName]# fw monitor -e "net(192.168.33.0, 24), accept;"

  • Capture everything sent to network 192.168.33.0 / 24:
    [Expert@HostName]# fw monitor -e "to_net(192.168.33.0, 24), accept;"

  • Capture everything sent from network 192.168.33.0 / 24:
    [Expert@HostName]# fw monitor -e "from_net(192.168.33.0, 24), accept;"

 

(VII-H) Capture Examples - Some Examples

  • Capture ESP protocol or UDP port 161 (SNMP):
    [Expert@HostName]# fw monitor -e "(ip_p=50) or (ip_p=17, port(161)), accept;" -o /var/log/fw_mon.cap > /dev/null 2>&1 &

  • Filter out the usual garbage (SMTP, POP3, SSH, Microsoft NetBIOS, Check Point ClusterXL CCP):
    [Expert@HostName]# fw monitor -e "(sport!=25) and (dport!=25) and (sport!=110) and (dport!=110) and (sport!=22) and (dport!=22) and (sport!=137) and (dport!=137) and (sport!=8116) and (dport!=8116), accept;" -o /var/log/fw_mon.cap > /dev/null 2>&1 &

  • Filter out the usual garbage (filter in only TCP protocol, and HTTP and HTTPS ports ; filter out the SSH and FW Logs):
    [Expert@HostName]# fw monitor -e "accept (ip_p=6) and (not (sport=22 or dport=22)) and (not (sport=257 or dport=257)) and ((dport=80 or dport=443) or (sport=80 or sport=443));" -o /var/log/fw_mon.cap > /dev/null 2>&1 &

  • Capture Edge communication between 10.10.10.10, or 20.20.20.20, or 30.30.30.30 and on UDP ports 9281, or 9282, or 9283:
    [Expert@HostName]# fw monitor -e "ip_p=17, (host(10.10.10.10) or host(20.20.20.20) or host(30.30.30.30)) and (port(9281) or port(9282) or port(9283)), accept;" -o /var/log/fw_mon.cap

 

(VIII) Related Documentation

  1. Detailed information regarding the usage of the fw monitor command can be found in the "How to use FW Monitor" document.

    Notes:

    • This document applies to Security Gateways of all existing Check Point versions, regardless of operating system.
    • Ignore the outdated links provided in the document in the "Secure Knowledge Links" section.


  2. $FWDIR/lib/tcpip.def file on Security Gateway

  3. $FWDIR/lib/fwmonitor.def file on Security Gateway

 

Applies To:
  • This solution replaces: 10022.0.1862922.2481845 , sk1062 , 10022.0.1862930.2481845 , sk3474 , 10022.0.2594497.2500363 , skI4444 , 55.0.12289645.2846374 , 55.0.12289624.2846374 , sk41045
