What is FW Monitor?
Solution

Table of Contents:

  1. Introduction
  2. Warnings
  3. FW Monitor Features
  4. FW Monitor Functionality
  5. FW Monitor Syntax and Usage
    1. Syntax
    2. Comparison with TCPdump
    3. Using the UUID feature
  6. SecureClient Syntax
  7. Capture Examples
    1. Usual Capture
    2. Host Specific Capture
    3. Port Specific Capture
    4. Protocol Specific Capture
    5. Protocol Options Specific Capture
    6. Bytes Specific Capture
    7. Network Specific Capture
    8. Some Examples
  8. Related Documentation
  9. Related Solutions


(1) Introduction

Check Point's FW Monitor is a powerful built-in tool for capturing network traffic at the packet level. The FW Monitor utility captures network packets at multiple capture points along the FireWall inspection chains. These captured packets can be inspected later using Wireshark (available for free from www.wireshark.org).


(2) Warnings

  • Anything related to policy installation or policy unloading on the Security Gateway will cause FW Monitor to exit.

  • Only a single instance of FW Monitor is supported at any given time.

  • Do not modify Check Point kernel tables used in the security policy while FW Monitor is running, otherwise unexpected behavior may result (including a system crash).

  • Packets are defragmented as they leave the Security Gateway in both the inbound and outbound directions.

  • If SecureXL is enabled on the Security Gateway, then FW Monitor and tcpdump will show only the non-accelerated packets (e.g., 'TCP SYN' will be shown, and 'TCP ACK' will not).

  • Important Note: Traffic captures can be misleading when working with SecureXL since both FW Monitor and TCPdump do not always show 'real' packets that are going out to the network. This is related to the way the SecureXL kernel driver is attached to the network adapter itself. When using SecureXL to confirm whether packets are being handled correctly, either capture the traffic on the directly connected router / switch, or disable SecureXL.


(3) FW Monitor Features

In many deployment and support scenarios, capturing network packets is an essential functionality. The tcpdump / snoop utilities are normally used for this task. The FW Monitor utility provides even better functionality, while avoiding many of the requirements and risks associated with these tools:

  • No Security Flaws

    tcpdump / snoop are normally used with NICs in promiscuous mode. Unfortunately, promiscuous mode allows remote attacks against these tools. Check Point's FW Monitor does not use promiscuous mode to capture packets. In addition, most firewalls' operating systems are hardened. In most cases, this hardening includes the removal of tools like tcpdump / snoop, because of their security risks.
  • Available on FireWall Installations

    FW Monitor is a built-in tool that does not need a separate installation, or licensing.
  • Multiple Capture Positions within the FireWall Kernel Module Chains

    FW Monitor allows capturing packets at multiple capture positions within the Security Gateway kernel module chains, both for inbound and outbound packets. This makes it possible to trace a packet through the different layers of the Security Gateway.
  • Same Tool and Syntax on All Platforms

    FW Monitor is available on all different platforms. tcpdump / snoop are often platform-dependent, or have specific "enhancements" on certain platforms. FW Monitor and all its related functionality and syntax are identical across all platforms.

Normally, Check Point kernel modules are used to perform several functions on packets, such as filtering, encryption and decryption, QoS, etc. FW Monitor adds its own modules to capture packets. FW Monitor can capture all packets that are seen and/or forwarded by the Security Gateway.


(4) FW Monitor Functionality

There are four inspection points when a packet passes through a Security Gateway:

#   Traffic direction (*)   Relation to FireWall Virtual Machine   Name of inspection point   Notion of inspection point
1   Inbound                 Before the inbound FW VM               Pre-Inbound                "i"
2   Inbound                 After the inbound FW VM                Post-Inbound               "I"
3   Outbound                Before the outbound FW VM              Pre-Outbound               "o"
4   Outbound                After the outbound FW VM               Post-Outbound              "O"

(*) The traffic direction (inbound/outbound) relates to each specific packet, and not to the connection.


Let us examine a TCP handshake in the following topology:

[Client] --- (eth1)[Security Gateway](eth2) --- [Server]
  1. TCP SYN from [Client] will pass through Pre-Inbound and Post-Inbound on interface eth1:

    [Client] --- (eth1) {Pre-Inbound + Post-Inbound} [Security Gateway](eth2) --- [Server]
  2. TCP SYN from [Client] will pass through Pre-Outbound and Post-Outbound on interface eth2:

    [Client] --- (eth1)[Security Gateway] {Pre-Outbound and Post-Outbound} (eth2) --- [Server]
  3. TCP SYN-ACK from [Server] will pass through Pre-Inbound and Post-Inbound on interface eth2:

    [Client] --- (eth1)[Security Gateway] {Pre-Inbound + Post-Inbound} (eth2) --- [Server]
  4. TCP SYN-ACK from [Server] will pass through Pre-Outbound and Post-Outbound on interface eth1:

    [Client] --- (eth1) {Pre-Outbound and Post-Outbound} [Security Gateway](eth2) --- [Server]
  5. TCP ACK from [Client] will pass through Pre-Inbound and Post-Inbound on interface eth1:

    [Client] --- (eth1) {Pre-Inbound + Post-Inbound} [Security Gateway](eth2) --- [Server]
  6. TCP ACK from [Client] will pass through Pre-Outbound and Post-Outbound on interface eth2:

    [Client] --- (eth1)[Security Gateway] {Pre-Outbound and Post-Outbound} (eth2) --- [Server]

Once started, FW Monitor compiles the INSPECT filter (created as $FWDIR/tmp/monitorfilter.pf) based on the specified syntax (which packets to capture), and loads it to the Check Point kernel (not replacing the Security Policy). FW Monitor will then continuously get packets from the Check Point kernel and, depending on the syntax, will either display them on the terminal window or save them in the output capture file. Upon an interrupt signal (key combination CTRL + C), FW Monitor stops, unloads the INSPECT filter, and exits.


(5) FW Monitor Syntax and Usage

(5-A) FW Monitor Syntax and Usage - Syntax

  • For IPv4:

    [Expert@HostName]# fw monitor [-h] [-u|-s] [-i] [-d] [-D] [-t] [{-e <expr>}+ | -f <filter_file_name>|-] [-l length] [-m i|I|o|O] [-x offset[,length]] [-o <output_file_name>] <[-pi position] [-pI position] [-po position] [-pO position] | -p all> [-a] [-ci count] [-co count] [-v VSID]

  • For IPv6:

    [Expert@HostName]# fw6 monitor [-h] [-u|-s] [-i] [-d] [-D] [-t] [{-e <expr>}+ | -f <filter_file_name>|-] [-l length] [-m i|I|o|O] [-x offset[,length]] [-o <output_file_name>] <[-pi position] [-pI position] [-po position] [-pO position] | -p all> [-a] [-ci count] [-co count] [-v VSID]


Flag / Explanation

-h

Displays the usage.
-i

Flushes the standard output.

Use this flag to make sure that captured data for each packet is at once written to standard output. This is especially useful if you want to kill a running FW Monitor process, and want to be sure that all data is written to a file.
-d
-D

Starts the FW Monitor in debug mode.

This gives you an insight into FW Monitor's inner workings, although this option is only rarely used outside Check Point.
Using the "-D" flag produces an even more verbose output.
-t

When compiling the INSPECT filter, includes $FWDIR/lib/tcpip.def, which allows using TCP/IP macros.

Warning: Do not modify anything in $FWDIR/lib/tcpip.def or in any other $FWDIR/lib/*.def file by yourself. Check Point does not support any configuration with changed *.def files. The exceptions are modifications done together with Check Point Support (according to a Service Request) or found in SecureKnowledge.
{-e <expr>}+ |
-f <filter_file_name> | -

Captures only specific packets:

  • Set the filter expression on the command line using the -e <expr> switch
  • Read the filter expression from a file using the -f <filter_file_name> switch
  • Read the filter expression from the standard input using the -f - switch

For further information, refer to "How to use FW Monitor" document.

Note:
When using filter expressions on the command line (using "-e <expr>" switch), make sure that the expressions are properly quoted.
On Windows and UNIX operating systems, this can be done by surrounding the expression with single quote ' (ASCII value 39), or double quotes " (ASCII value 34).
Depending on the given operating system and shell, there might be differences between the two forms - especially when using special characters, or (shell) variables in the filter expression.
-l length

Limits the length of the captured packets. FW Monitor will read only as many bytes from the kernel as specified by the length.

Make sure to capture at least as many bytes as needed so that the L3 IP header and L4 Transport header are included. This option allows capturing only the headers of a packet (e.g., IP and TCP), while omitting the actual payload, and thus decreases the size of the output file.

FW Monitor uses a buffer to transfer the packets from Check Point kernel to user space. If the size of the captured packets is reduced, this buffer will not fill up so fast.
-m i
-m I
-m o
-m O

Capture masks. By default, FW Monitor captures packets before and after the FireWall Virtual Machine in both directions.
This flag allows specifying the positions (kernel chains) where the traffic should be captured:

  • i - Pre-Inbound
  • I - Post-Inbound
  • o - Pre-Outbound
  • O - Post-Outbound
For further information, refer to "How to use FW Monitor" document.
-x offset[,length]

Prints packet/payload raw data in addition to the IP and Transport headers. Optionally it is also possible to limit the data written to the screen.

For further information, refer to "How to use FW Monitor" document.
-o <output_file_name>

Writes the captured raw data into an output file.
The format of an output file is the same format used by tools like snoop (refer to RFC 1761 for further information). This output file can be later analyzed by tools like Wireshark.
-pi position
-pI position
-po position
-pO position
-p all

Inserts FW Monitor chain module at a specific position between Check Point kernel chains.

In addition to capture masks (which give the ability to specify a specific position), this flag defines where exactly (in Check Point kernel chains) the packets should be captured.

For further information, refer to "How to use FW Monitor" document.
-a

Uses absolute chain positions (in Check Point kernel chains). This flag changes the chain ID from a relative value (which only makes sense with the matching output from fw ctl chain command) to an absolute value.

If the captured data is saved into an output file (using the "-o <output_file_name>" switch), one of the fields written into the output file would be the chain position of the FW Monitor chain module.
Together with a simultaneous execution of the "fw ctl chain" command you can determine where the packet was captured. Especially when using the "-p all" switch, you will find the same packet captured multiple times at different chain positions.
-ci count
-co count

Captures a specific number of packets.

This is especially useful in situations where the FireWall is filtering high amounts of traffic. In such scenarios, FW Monitor may bind so many resources (for writing to the console, or to a file) that recognizing the break sequence (CTRL+C) might take a very long time.

It is possible to use the "-ci" and the "-co" switches together. FW Monitor will stop capturing packets if the number of packets for one of the two counters reaches the specified "count".
-u | -s

Prints connection's Universal-Unique-ID (UUID), or connection's Session UUID (SUUID) for every packet.

Note that it is only possible to print the UUID or the SUUID - not both.

For further information, refer to "(5-C) FW Monitor Syntax and Usage - Using the UUID feature" section and to "How to use FW Monitor" document.
-v VSID

Applies only to VSX NG, VSX NGX, and VSX NGX R6x versions.

Captures the packets on a specific Virtual Router or Virtual System on VSX Gateway (Example: fw monitor -v 4 -e "accept;" -o /var/log/fw_mon.cap)


(5-B) FW Monitor Syntax and Usage - Syntax comparison between TCPdump and FW Monitor

Note: Refer to https://linux.die.net/man/8/tcpdump.

Function: Save output into a file
    TCPdump:    -w <output_file_name>
    FW Monitor: -o <output_file_name>

Function: Capture specified number of bytes per packet
    TCPdump:    -s snaplen
    FW Monitor: -l length
    For TCPdump:
      • If not specified, then 65535 bytes are captured
      • It is recommended to use "-s 1500"
      • Setting snaplen to 0 sets it to the default of 65535 bytes
    For FW Monitor:
      • By default, not needed
      • Refer to the table above

Function: Automatically exit after specified number of packets was captured
    TCPdump:    -c count
    FW Monitor: -ci count, -co count
    For FW Monitor:
      • Refer to the table above

Function: Print payload content
    TCPdump:    -X
    FW Monitor: -x offset[,length]
    For TCPdump:
      • In addition to printing the headers of each packet, prints the data of each packet (minus its Link Level header) in Hex and ASCII
    For FW Monitor:
      • Refer to the table above

Function: Display timestamps on CLI (when not saving output into a file)
    TCPdump: -tt      FW Monitor: N/A
      • For TCPdump: Prints an unformatted timestamp on each dump line.
    TCPdump: -ttt     FW Monitor: -T
      • For TCPdump: Prints a delta (micro-second resolution) between current and previous line on each dump line.
    TCPdump: -ttt     FW Monitor: N/A
      • For TCPdump: Prints a delta (micro-second resolution) between current and previous line on each dump line.
    TCPdump: -tttt    FW Monitor: N/A
      • For TCPdump: Prints a timestamp in default format preceded by date on each dump line.
    TCPdump: -ttttt   FW Monitor: N/A
      • For TCPdump: Prints a delta (micro-second resolution) between current and first line on each dump line.

Function: Display verbose output on CLI (when not saving output into a file)
    TCPdump: -v       FW Monitor: -d
      • For TCPdump: Produces slightly more verbose output. For example, the TTL, Identification, total length and options in an IP packet are printed. Also enables additional packet integrity checks, such as verifying the IP and ICMP header checksum.
      • For FW Monitor: Refer to the table above
    TCPdump: -vv      FW Monitor: -D
      • For TCPdump: Produces even more verbose output. For example, additional fields are printed from NFS reply packets, and SMB packets are fully decoded.
      • For FW Monitor: Refer to the table above
    TCPdump: -vvv     FW Monitor: -D
      • For TCPdump: Produces even more verbose output. For example, telnet SB ... SE options are printed in full. With "-X", Telnet options are printed in Hex as well.
      • For FW Monitor: Refer to the table above


(5-C) FW Monitor Syntax and Usage - Using the UUID feature

  • Background

    The purpose of the new FW Monitor feature is to use the UUID feature (that was introduced in the NG AI family) in order to follow connections passing through the FireWall.

    Following connections through the FireWall is not always a trivial task since in many cases the FireWall modifies information in the original packet. These cases include:

    • NAT, both Static and Dynamic (Hide)
    • Security Servers
    • VPN Encryption

    In Check Point NG AI version, a Universal-Unique-IDentifier (UUID) was introduced as the basis for the log unification mechanism. A UUID is given to every new connection passing through the FireWall. This way, all packets that belong to the connection can be identified and can later be unified on Security Management Server.

    This new infrastructure has given us the ability to enhance the "FW Monitor" utility. The FW Monitor utility is a tcpdump/snoop-like tool that allows us to monitor packets as they pass through the FireWall. The FW Monitor module registers itself as the first and the last module on the chain, allowing us to see any modifications done by the FireWall on the original packet. With the addition of the UUID field to the FW Monitor, entire connections can be monitored as they pass through the FireWall.

  • The UUID feature

    The original UUID is an array, composed of 4 unsigned 32-bit integers, in which only the first two integers are relevant:
    UUID[0] is a timestamp.
    UUID[1] is a counter used whenever UUID[0] is not unique.
    UUID[2] is the IP address of the local firewall (constant)
    UUID[3] is a process number (currently a constant that can be ignored).

    The UUID feature can be activated with one of the following switches:

    • -u = displays the UUID
    • -s = displays the session UUID, meaning, display a single (parent) UUID of complex connections involving data/control connections (such as FTP, H.323, etc.)

    Since we are pressed for space in the header fields of the captured packet, the original UUID has been manipulated to be 1 unsigned long 32-bit integer. It is currently composed of the 2 least significant bytes of UUID[1] (16 bits) attached to the 2 least significant bytes of UUID[0] (16 bits). This gives us the following amount of unique IDs:

    • 2^16 IDs per second
    • 2^16 seconds

    This UUID is then placed in the last four bytes of the Ethernet MAC Source header field.

    The new Ethernet header MAC fields are now:

    • 2 bytes - i/I/o/O
    • 6 bytes - Interface Name
    • 4 bytes - UUID

    In addition, it is possible to redirect the FW Monitor output to an ASCII file instead of saving it in a tcpdump/snoop format. If this is the case, the 32-bit manipulated UUID is displayed as the first field of each line followed by the entire UUID array.

  • Filtering

    When viewing the captured file, it is now possible to view the connection by filtering the file by the UUID. This is done by first opening the captured file, finding a packet that belongs to the connection, and getting the last four bytes of the Source MAC address. Then, convert these four bytes to Decimal format and filter the captured file as follows:

    # tcpdump -r <captured_file_name> -e -v -xx "ether[8:4] = 0xHHHH"

    # snoop -i <captured_file_name> -v -x0 "ether[8:4] = 0xHHHH"

    where HHHH is the decimal equivalent of the last four bytes of the Source MAC address.

  • Debugging

    The UUID feature can be debugged by collecting the "fw ctl debug -m fw + chain conn" debug.

    Note: The 'filter' flag may also provide some information, but also produces many irrelevant printouts.
  • Notes

    • The UUID of the first packet of every new connection before the VM is always 0.
    • The UUID on encrypted packets is also 0.
    • When running the UUID feature and redirecting the output to a captured file, only the first 6 bytes of the interface name will be displayed.
    • The compressed UUID can be similar if taken on two different machines (since the IP address portion of the original UUID was not taken into consideration). In addition, it can also be similar if taken days apart (since the counter portion of the compressed UUID will repeat every 18 hours).
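The following Python example is added here and is not Check Point's code: it writes and reads a small snoop-format capture (RFC 1761 layout) constructed in memory, folds a 4-integer connection UUID into the 32-bit value described above, decodes direction, interface name and UUID from the 12 Ethernet address bytes of each frame, and selects one connection's packets the way the ether[8:4] filter does. The half-word order of the compressed UUID and the placement of the direction letter in the first of its 2 bytes are assumptions; the UUID arrays and frames are constructed sample data.

```python
import struct
from typing import Dict, List, Tuple

SNOOP_MAGIC = b"snoop\x00\x00\x00"     # RFC 1761 file identification pattern
SNOOP_VERSION = 2
DLT_ETHERNET = 4                        # RFC 1761 datalink type code for Ethernet
RECORD_HDR = struct.Struct(">IIIIII")   # orig len, incl len, record len, drops, sec, usec

UUID = Tuple[int, int, int, int]


def compress_uuid(uuid: UUID) -> int:
    """Fold the 4 x 32-bit UUID array into the 32-bit value FW Monitor writes:
    low 16 bits of UUID[1] (counter) and low 16 bits of UUID[0] (timestamp).
    UUID[2] (gateway IP) and UUID[3] are dropped, which is why the compressed
    value can collide across gateways and repeat after 2^16 seconds.
    Assumption: UUID[1] goes in the high half, UUID[0] in the low half."""
    return ((uuid[1] & 0xFFFF) << 16) | (uuid[0] & 0xFFFF)


def build_fwmon_frame(direction: str, ifname: str, uuid32: int, ip_packet: bytes) -> bytes:
    """Constructed FW Monitor-style frame: the 12 Ethernet address bytes carry
    2 bytes direction (i/I/o/O), 6 bytes interface name, 4 bytes compressed UUID,
    followed by EtherType 0x0800 and the IP packet."""
    if direction not in ("i", "I", "o", "O"):
        raise ValueError("direction must be one of i, I, o, O")
    addr = direction.encode().ljust(2, b"\x00")        # assumption: letter in byte 0
    addr += ifname.encode()[:6].ljust(6, b"\x00")      # only 6 bytes of the name survive
    addr += struct.pack(">I", uuid32)                  # bytes 8..11 == ether[8:4]
    return addr + b"\x08\x00" + ip_packet


def decode_fwmon_header(frame: bytes) -> Dict[str, object]:
    """Recover direction, interface name and compressed UUID from a frame."""
    return {
        "direction": chr(frame[0]),
        "ifname": frame[2:8].rstrip(b"\x00").decode(),
        "uuid32": struct.unpack(">I", frame[8:12])[0],
    }


def write_snoop(frames: List[bytes], start_sec: int = 1_700_000_000) -> bytes:
    """Serialise frames as an RFC 1761 snoop file (all fields big-endian)."""
    out = bytearray(SNOOP_MAGIC + struct.pack(">II", SNOOP_VERSION, DLT_ETHERNET))
    for n, frame in enumerate(frames):
        pad = (-len(frame)) % 4                        # records are 4-byte aligned
        rec_len = RECORD_HDR.size + len(frame) + pad
        out += RECORD_HDR.pack(len(frame), len(frame), rec_len, 0, start_sec + n, 0)
        out += frame + b"\x00" * pad
    return bytes(out)


def read_snoop(data: bytes) -> List[bytes]:
    """Parse an RFC 1761 snoop file back into the captured frames."""
    if data[:8] != SNOOP_MAGIC:
        raise ValueError("not a snoop capture")
    version, _dlt = struct.unpack(">II", data[8:16])
    if version != SNOOP_VERSION:
        raise ValueError(f"unsupported snoop version {version}")
    frames, pos = [], 16
    while pos + RECORD_HDR.size <= len(data):
        _orig, incl, rec_len, _drops, _sec, _usec = RECORD_HDR.unpack_from(data, pos)
        if rec_len < RECORD_HDR.size + incl:
            raise ValueError("corrupt snoop record")
        frames.append(data[pos + RECORD_HDR.size: pos + RECORD_HDR.size + incl])
        pos += rec_len
    return frames


def frames_for_connection(frames: List[bytes], uuid32: int) -> List[bytes]:
    """Offline equivalent of the tcpdump/snoop 'ether[8:4] = <uuid>' filter."""
    return [f for f in frames if decode_fwmon_header(f)["uuid32"] == uuid32]


def tcpdump_filter(uuid32: int) -> str:
    """The tcpdump -e filter string for one connection's packets."""
    return f"ether[8:4] = {uuid32:#010x}"


def sample_capture() -> Tuple[bytes, int]:
    """Constructed capture: a TCP SYN seen at i/I/o/O plus one unrelated frame.
    Per the Notes above, the first packet before the VM carries UUID 0, so a
    UUID filter never returns the Pre-Inbound copy of the SYN."""
    conn = (0x5F2A3B4C, 0x00000007, 0xC0A80101, 0x00000001)   # constructed UUID array
    other = (0x5F2A3B4D, 0x00000002, 0xC0A80101, 0x00000001)
    ip_stub = bytes([0x45]) + bytes(19)                       # placeholder 20-byte IPv4 header
    frames = [
        build_fwmon_frame("i", "eth1", 0, ip_stub),
        build_fwmon_frame("I", "eth1", compress_uuid(conn), ip_stub),
        build_fwmon_frame("o", "eth2", compress_uuid(conn), ip_stub),
        build_fwmon_frame("O", "eth2", compress_uuid(conn), ip_stub),
        build_fwmon_frame("i", "eth2", compress_uuid(other), ip_stub),
    ]
    return write_snoop(frames), compress_uuid(conn)


if __name__ == "__main__":
    capture, uuid32 = sample_capture()
    print("filter:", tcpdump_filter(uuid32))
    for f in frames_for_connection(read_snoop(capture), uuid32):
        print(decode_fwmon_header(f))
```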


(6) SecureClient Syntax

  • SecuRemote and SecureClient R56 / R60 use an abridged version of FW Monitor, called srfw monitor:

    %SRDIR%\bin\srfw monitor [-d] [{-e <expr>}+ | -f <filter_file_name> | -] [-l length] [-m i | I | o | O] [-x offset[,length]] [-o <output_file_name>]

    Refer to SecureClient R56 for Mac OS X Release Notes (Mac OS X 10.3, Mac OS X 10.4) and to Debugging SecuRemote/SecureClient.

  • Starting in E75.30, SecuRemote and SecureClient use a command-line packet monitoring utility (PacketMon.exe), called packetmon:

    packetmon [-d] [-h] [-t] [-T] [-i] [-I] [-r] [{-e <expr>}+ | -f <filter_file_name> | -] [-l length] [-m i | I | o | O] [-x offset[,length]] [-o <output_file_name>] [-ci count] [-co count]

    Refer to Remote Access Clients for Windows 32/64-bit Administration Guide (E75.30, E80.41, E80.50) - Chapter 'Monitoring and Troubleshooting' - Troubleshooting the Firewall - Desktop Firewall Monitoring.


(7) Capture Examples

Refer to $FWDIR/lib/fwmonitor.def file for useful macro definitions.

Refer to "How to use FW Monitor" document - 'Logical and Relational Operators' section.


(7-A) Capture Examples - Usual Capture

Capture everything, save the data into the file:

[Expert@HostName]# fw monitor -e "accept;" -o /var/log/fw_mon.cap


(7-B) Capture Examples - Host Specific Capture

To specify a host, you can use the following expression:

  • Either use "host(<IP_Address_in_Dotted_Decimal_format>)", which applies to both Source IP address and Destination IP address

  • Or use specific Source IP address "src=<IP_Address_in_Dotted_Decimal_format>" and specific Destination IP address "dst=<IP_Address_in_Dotted_Decimal_format>"

Examples:

  • Capture everything between host X and host Y:

    [Expert@HostName]# fw monitor -e "host(x.x.x.x) and host(y.y.y.y), accept;" -o /var/log/fw_mon.cap
    [Expert@HostName]# fw monitor -e "((src=x.x.x.x , dst=y.y.y.y) or (src=y.y.y.y , dst=x.x.x.x)), accept;" -o /var/log/fw_mon.cap
  • Capture everything between hosts X,Z and hosts Y,Z on all Check Point kernel chains:

    [Expert@HostName]# fw monitor -p all -e "((src=x.x.x.x or dst=z.z.z.z) and (src=y.y.y.y or dst=z.z.z.z)), accept ;" -o /var/log/fw_mon.cap
  • Capture everything to/from host X or to/from host Y or to/from host Z:

    [Expert@HostName]# fw monitor -e "host(x.x.x.x) or host(y.y.y.y) or host(z.z.z.z), accept;" -o /var/log/fw_mon.cap
    [Expert@HostName]# fw monitor -e "((src=x.x.x.x or dst=x.x.x.x) or (src=y.y.y.y or dst=y.y.y.y) or (src=z.z.z.z or dst=z.z.z.z)), accept;" -o /var/log/fw_mon.cap


(7-C) Capture Examples - Port Specific Capture

Note: Port number in the syntax has to be provided in Decimal format. Refer to /etc/services file on the machine, or to http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml

To specify a port, you can use the following expression:

  • Either use "port(<IANA_Port_Number>)", which applies to both Source Port and Destination Port

  • Or use specific Source Port "sport=<IANA_Port_Number>" and specific Destination Port "dport=<IANA_Port_Number>"

  • In addition:

    • For specific TCP port, you can use "tcpport(<IANA_Port_Number>)", which applies to both Source TCP Port and Destination TCP Port
    • For specific UDP port, you can use "udpport(<IANA_Port_Number>)", which applies to both Source UDP Port and Destination UDP Port

Examples:

  • Capture everything to/from port X:

    [Expert@HostName]# fw monitor -e "port(x), accept;" -o /var/log/fw_mon.cap
    [Expert@HostName]# fw monitor -e "(sport=x or dport=x), accept;" -o /var/log/fw_mon.cap
  • Capture everything except port X:

    [Expert@HostName]# fw monitor -e "((sport!=x) and (dport!=x)), accept;" -o /var/log/fw_mon.cap
    [Expert@HostName]# fw monitor -e "not (sport=x or dport=x), accept;" -o /var/log/fw_mon.cap
  • Capture everything except SSH:

    [Expert@HostName]# fw monitor -e "((sport!=22) and (dport!=22)), accept;" -o /var/log/fw_mon.cap
    [Expert@HostName]# fw monitor -e "not (sport=22 or dport=22), accept;" -o /var/log/fw_mon.cap
    [Expert@HostName]# fw monitor -e "not tcpport(22), accept;" -o /var/log/fw_mon.cap
  • Capture everything to/from host X except SSH:

    [Expert@HostName]# fw monitor -e "(host(x.x.x.x) and (sport!=22 and dport!=22)), accept;" -o /var/log/fw_mon.cap
    [Expert@HostName]# fw monitor -e "((src=x.x.x.x or dst=x.x.x.x) and (not (sport=22 or dport=22))), accept;" -o /var/log/fw_mon.cap
    [Expert@HostName]# fw monitor -e "(host(x.x.x.x) and not tcpport(22)), accept;" -o /var/log/fw_mon.cap
  • Capture everything except NTP:

    [Expert@HostName]# fw monitor -e "not udpport(123), accept;" -o /var/log/fw_mon.cap


(7-D) Capture Examples - Protocol Specific Capture

Note: Protocol number in the expression has to be provided in Decimal format. Refer to /etc/protocols file on the machine, or to http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml

To specify a protocol, you can use the following expression:

  • Either use "ip_p=<IANA_Protocol_Number>"

    Examples:

    • To specify TCP protocol, use "ip_p=6"
    • To specify UDP protocol, use "ip_p=17"
    • To specify ICMP protocol, use "ip_p=1"
  • Or use "accept [9:1]=<IANA_Protocol_Number>"

    (This byte offset syntax is described in the "Capture Examples - Bytes Specific Capture" section)

    Examples:

    • To specify TCP protocol with byte offset, use "accept [9:1]=6"
    • To specify UDP protocol with byte offset, use "accept [9:1]=17"
    • To specify ICMP protocol with byte offset, use "accept [9:1]=1"
  • In addition, you can explicitly use the following expressions to specify protocols:

    Which protocol to specify    On which port(s) traffic will be captured    Expression
    TCP                          ---                                          "tcp, accept;"
    UDP                          ---                                          "udp, accept;"
    ICMPv4                       ---                                          "icmp, accept;" or "icmp4, accept;"
    ICMPv6                       ---                                          "icmp6, accept;"
    HTTP                         TCP 80                                       "http, accept;"
    HTTPS                        TCP 443                                      "https, accept;"
    PROXY                        TCP 8080                                     "proxy, accept;"
    DNS                          UDP 53                                       "dns, accept;"
    IKE                          UDP 500                                      "ike, accept;"
    NAT-T                        UDP 4500                                     "natt, accept;"
    ESP and IKE                  IP proto 50 and UDP 500                      "vpn, accept;"
    All VPN-related data         see the list below                           "vpnall, accept;"
    Multi-Portal connections     TCP 443 and TCP 444                          "multi, accept;"
    SSH                          TCP 22                                       "ssh, accept;"
    FTP                          TCP 20 and TCP 21                            "ftp, accept;"
    Telnet                       TCP 23                                       "telnet, accept;"
    SMTP                         TCP 25                                       "smtp, accept;"
    POP3                         TCP 110                                      "pop3, accept;"

    "vpnall, accept;" captures all VPN-related data:
      1. ESP              - IP proto 50
      2. IPsec over UDP   - UDP 2746
      3. IKE              - UDP 500
      4. NAT-T            - UDP 4500
      5. CRL              - TCP 18264
      6. RDP              - UDP 259
      7. Tunnel Test      - UDP 18234
      8. Topology         - TCP 264
      9. L2TP             - TCP 1701
      10. SCV             - UDP 18233
      11. Multi-Portal    - TCP 443 + TCP 444
      12. etc.

Examples:

  • Capture everything on protocol X:

    [Expert@HostName]# fw monitor -e "ip_p=X, accept;" -o /var/log/fw_mon.cap
  • Capture everything on protocol X, and also everything on port Z of protocol Y:

    [Expert@HostName]# fw monitor -e "(ip_p=X) or (ip_p=Y, port(Z)), accept;" -o /var/log/fw_mon.cap
  • Capture everything TCP between host X and host Y:

    [Expert@HostName]# fw monitor -e "ip_p=6, host(x.x.x.x) or host(y.y.y.y), accept;" -o /var/log/fw_mon.cap
    [Expert@HostName]# fw monitor -e "tcp, host(x.x.x.x) or host(y.y.y.y), accept;" -o /var/log/fw_mon.cap
    [Expert@HostName]# fw monitor -e "accept [9:1]=6 , ((src=x.x.x.x , dst=y.y.y.y) or (src=y.y.y.y , dst=x.x.x.x));"
    [Expert@HostName]# fw monitor -e "ip_p=6, ((src=x.x.x.x , dst=y.y.y.y) or (src=y.y.y.y , dst=x.x.x.x)), accept;" -o /var/log/fw_mon.cap


(7-E) Capture Examples - Protocol Options Specific Capture

Note: Refer to the $FWDIR/lib/tcpip.def file on Security Gateway.

Protocol / Expression Option / Description

IPv4

ip_src = <IPv4_Address>

Source IPv4 address of the IPv4 packet

Example: fw monitor -e "ip_src = 192.168.22.33, accept;"
ip_dst = <IPv4_Address>

Destination IPv4 address of the IPv4 packet

Example: fw monitor -e "ip_dst = 192.168.22.33, accept;"
ip_ttl = <Number>

Time To Live of the IPv4 packet

Example: fw monitor -e "ip_ttl = 255, accept;"
ip_len = <Length_in_Bytes>

Total Length of the IPv4 packet in bytes

Example: fw monitor -e "ip_len = 64, accept;"
ip_tos = <Number>

TOS field of the IPv4 packet

Example: fw monitor -e "ip_tos = 0, accept;"
ip_p = <IANA_Protocol_Number>

IANA Protocol Number (either in Dec or in Hex) encapsulated in the IPv4 packet

Example 1 for TCP: fw monitor -e "ip_p = 6, accept;"
Example 2 for UDP: fw monitor -e "ip_p = 17, accept;"
Example 3 for UDP: fw monitor -e "ip_p = 0x11, accept;"
Example 4 for ICMP: fw monitor -e "ip_p = 1, accept;"
IPv6

ip_src6p = <IPv6_Address>

Source IPv6 address of the IPv6 packet

ip_dst6p = <IPv6_Address>

Destination IPv6 address of the IPv6 packet

ip_len6 = <Length_in_Bytes>

Payload Length of the IPv6 packet in bytes

ip_ttl6 = <Number>

Hop Limit ("Time To Live") of the IPv6 packet

ip_p6 = <IANA_Protocol_Number>

Next Header of the IPv6 packet - encapsulated IANA Protocol Number

Example: fw monitor -e "ip_p6 = 6, accept;"
TCP

syn

SYN flag is set in TCP packet

Example: fw monitor -e "ip_p = 6, syn, accept;"
ack

ACK flag is set in TCP packet

Example: fw monitor -e "ip_p = 6, ack, accept;"
rst

RST flag is set in TCP packet

Example: fw monitor -e "ip_p = 6, rst, accept;"
fin

FIN flag is set in TCP packet

Example: fw monitor -e "ip_p = 6, fin, accept;"
first

First packet of TCP connection
(i.e., SYN flag is set, but ACK flag is not set in TCP packet)

Example: fw monitor -e "ip_p = 6, first, accept;"
not_first

Not the first packet of TCP connection
(i.e., SYN flag is not set in TCP packet)

Example: fw monitor -e "ip_p = 6, not_first, accept;"
established

Established TCP connection
(i.e., either ACK flag is set, or SYN flag is not set in TCP packet)

Example: fw monitor -e "ip_p = 6, established, accept;"
last

Last packet of TCP connection
(i.e., both ACK flag and FIN flag are set in TCP packet)

Example: fw monitor -e "ip_p = 6, last, accept;"
tcpdone

End of TCP connection
(i.e., either RST flag is set, or FIN flag is set in TCP packet)

Example: fw monitor -e "ip_p = 6, tcpdone, accept;"
th_flags = <Sum_of_Flags_Hex_Values>

General way to match the flags inside TCP packets:

Syntax Explanation Example
th_flags = 0x2 SYN flag is set in TCP packet fw monitor -e "th_flags = 0x2, accept;"
th_flags = 0x10 ACK flag is set in TCP packet fw monitor -e "th_flags = 0x10, accept;"
th_flags = 0x8 PSH flag is set in TCP packet fw monitor -e "th_flags = 0x8, accept;"
th_flags = 0x1 FIN flag is set in TCP packet fw monitor -e "th_flags = 0x1, accept;"
th_flags = 0x4 RST flag is set in TCP packet fw monitor -e "th_flags = 0x4, accept;"
th_flags = 0x20 URG flag is set in TCP packet fw monitor -e "th_flags = 0x20, accept;"
th_flags = 0x12 SYN flag (0x2) and ACK flag (0x10) are set in TCP packet fw monitor -e "th_flags = 0x12, accept;"
th_flags = 0x18 PSH flag (0x8) and ACK flag (0x10) are set in TCP packet fw monitor -e "th_flags = 0x18, accept;"
th_flags = 0x11 FIN flag (0x1) and ACK flag (0x10) are set in TCP packet fw monitor -e "th_flags = 0x11, accept;"
th_flags = 0x14 RST flag (0x4) and ACK flag (0x10) are set in TCP packet fw monitor -e "th_flags = 0x14, accept;"
th_sport = <Port_Number>

TCP source port (refer to IANA Port Number Registry)

Example: fw monitor -e "th_sport = 59259, accept;"
th_dport = <Port_Number>

TCP destination port (refer to IANA Port Number Registry)

Example: fw monitor -e "th_dport = 22, accept;"
th_seq = <Number>

TCP sequence number (either in Dec or in Hex)

Example 1: fw monitor -e "th_seq = 3937833514, accept;"
Example 2: fw monitor -e "th_seq = 0xeab6922a, accept;"
th_ack = <Number>

TCP acknowledgment number (either in Dec or in Hex)

Example 1: fw monitor -e "th_ack = 509054325, accept;"
Example 2: fw monitor -e "th_ack = 0x1e578d75, accept;"
UDP

uh_sport = <Port_Number>

UDP source port (refer to IANA Port Number Registry)

Example: fw monitor -e "uh_sport = 8116, accept;"
uh_dport = <Port_Number>

UDP destination port (refer to IANA Port Number Registry)

Example: fw monitor -e "uh_dport = 53, accept;"
ICMPv4

icmp_type = <Number>

ICMPv4 packets with specified Type

Example: fw monitor -e "icmp_type = 0, accept;"
icmp_code = <Number>

ICMPv4 packets with specified Code

Example: fw monitor -e "icmp_code = 0, accept;"
icmp_id = <Number>

ICMPv4 packets with specified Identifier

Example: fw monitor -e "icmp_id = 20583, accept;"
icmp_seq = <Number>

ICMPv4 packets with specified Sequence number

Example: fw monitor -e "icmp_seq = 1, accept;"
echo_req

ICMPv4 Echo Request packets (Type 8, Code 0)

Example: fw monitor -e "echo_req, accept;"
echo_reply

ICMPv4 Echo Reply packets (Type 0, Code 0)

Example: fw monitor -e "echo_reply, accept;"
ping

ICMPv4 Echo Request and ICMPv4 Echo Reply packets

Example: fw monitor -e "ping, accept;"
traceroute

Traceroute packets as implemented in Unix OS (UDP packets on ports above 30000 and with TTL<30; or ICMP Time exceeded packets)

Example: fw monitor -e "traceroute, accept;"
tracert

Traceroute packets as implemented in Windows OS (ICMP Request packets with TTL<30; or ICMP Time exceeded packets)

Example: fw monitor -e "tracert, accept;"
icmp_ip_len = <length>

Length of ICMPv4 packets

Example: fw monitor -e "icmp_ip_len = 84, accept;"
ICMPv6

icmp6_type = <Number>

ICMPv6 packets with specified Type

Example: fw monitor -e "icmp6_type = 1, accept;"
icmp6_code = <Number>

ICMPv6 packets with specified Code

Example: fw monitor -e "icmp6_code = 3, accept;"
(7-F) Capture Examples - Bytes Specific Capture

Simple checks are used to check for a value at a specific offset in the packet:

[Expert@HostName]# fw monitor -e "accept [ offset : length , order ] relational-operator value;"

Field / Explanation

offset
    Specifies the offset, relative to the beginning of the IP packet, from which the value is read.

length
    Specifies the number of bytes to read:
      • 1 = byte
      • 2 = word
      • 4 = dword
    If length is not specified, FW Monitor assumes 4 (dword).

order
    Specifies the byte order:
      • b = big endian (network order)
      • l = little endian (host order)
    If order is not specified, FW Monitor assumes little endian byte order.

relational-operator
    Relational operator expressing the relation between the packet data and the value:
      • <        less than
      • >        greater than
      • <=       less than or equal to
      • >=       greater than or equal to
      • = / is   equal to
      • != / is not   not equal to

value
    One of the data types known to INSPECT (e.g., an IP address, or an integer).

The number of the protocol carried by IP is stored in the IP packet as a byte at offset 9:

  • To filter based on a Protocol encapsulated into IP, use this syntax:

    [Expert@HostName]# fw monitor -e "accept [9:1]=<IANA_Protocol_Number>;"

The Layer 3 IP Addresses are stored in the IP packet as double words at offset 12 (Source address) and at offset 16 (Destination address):

  • To filter based on a Source IP address, use this syntax:

    [Expert@HostName]# fw monitor -e "accept [12:4,b]=<IP_Address_in_Dotted_Decimal_format>;"
  • To filter based on a Destination IP address, use this syntax:

    [Expert@HostName]# fw monitor -e "accept [16:4,b]=<IP_Address_in_Dotted_Decimal_format>;"

The Layer 4 Ports are stored in the IP packet as a word at offset 20 (Source port) and at offset 22 (Destination port):

  • To filter based on a Source port, use this syntax:

    [Expert@HostName]# fw monitor -e "accept [20:2,b]=<Port_Number_in_Decimal_format>;"
  • To filter based on a Destination port, use this syntax:

    [Expert@HostName]# fw monitor -e "accept [22:2,b]=<Port_Number_in_Decimal_format>;"

 

Examples:

  • Capture everything between host X and host Y:

    [Expert@HostName]# fw monitor -e "accept (([12:4,b]=x.x.x.x , [16:4,b]=y.y.y.y) or ([12:4,b]=y.y.y.y , [16:4,b]=x.x.x.x));"
  • Capture everything on port X:

    [Expert@HostName]# fw monitor -e "accept [20:2,b]=x or [22:2,b]=x;" -o /var/log/fw_mon.cap
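To see exactly which bytes a "[offset:length,order]" check selects, and why the byte-order default matters, here is an added Python evaluator that applies one such check to a constructed IPv4/TCP packet. It is not Check Point code and not the INSPECT engine; the packet bytes are made up, and the offsets 9, 12, 16, 20 and 22 follow the syntax above. It also shows the caveat that offsets 20 and 22 only point at the ports when the IP header has no options.

```python
"""Evaluate one FW Monitor byte check, "[offset:length,order] <op> value",
against a raw IPv4 packet. Added example, not Check Point code or INSPECT."""
import ipaddress
import operator
import re

# Constructed sample: 20-byte IPv4 header (no options) + 20-byte TCP header,
# a SYN+ACK from 10.0.0.5:443 to 10.0.0.9:51000. Checksums are left as zero.
PKT = bytes.fromhex(
    "45000028" "1c464000" "40060000"   # ver/IHL, TOS, len 40, ID, flags, TTL 64, proto 6, csum
    "0a000005" "0a000009"              # source 10.0.0.5, destination 10.0.0.9
    "01bbc738" "00000001" "00000002"   # sport 443, dport 51000, seq, ack
    "5012ffff" "00000000"              # data offset 5, flags 0x12 (SYN+ACK), window, csum, urg
)

CHECK = re.compile(
    r"\[\s*(\d+)\s*(?::\s*([124]))?\s*(?:,\s*([bl]))?\s*\]\s*(<=|>=|!=|<|>|=)\s*(\S+)")
OPS = {"<": operator.lt, ">": operator.gt, "<=": operator.le,
       ">=": operator.ge, "=": operator.eq, "!=": operator.ne}

def read_field(pkt, offset, length=4, order="l"):
    """Read `length` bytes at `offset`; defaults follow FW Monitor (dword, little endian)."""
    if offset + length > len(pkt):
        raise ValueError(f"offset {offset}+{length} exceeds the {len(pkt)}-byte packet")
    return int.from_bytes(pkt[offset:offset + length], "big" if order == "b" else "little")

def parse_value(text):
    """Value is a decimal or hex integer, or an IPv4 address in dotted-decimal form."""
    return int(ipaddress.IPv4Address(text)) if "." in text else int(text, 0)

def match(pkt, check):
    """True if the packet satisfies one check such as "[12:4,b]=10.0.0.5"."""
    m = CHECK.fullmatch(check.strip().rstrip(";").strip())
    if not m:
        raise ValueError(f"unsupported check: {check!r}")
    offset, length, order, op, value = m.groups()
    field = read_field(pkt, int(offset), int(length or 4), order or "l")
    return OPS[op](field, parse_value(value))

def l4_offset(pkt):
    """Where the TCP/UDP header really starts (IHL*4). The fixed offsets 20 and 22
    above are only correct when the IP header carries no options (IHL = 5)."""
    return (pkt[0] & 0x0F) * 4

if __name__ == "__main__":
    for check in ("[9:1]=6", "[12:4,b]=10.0.0.5", "[20:2,b]=443", "[22:2,b]=51000",
                  "[33:1]=0x12", "[12:4]=0x0500000a"):   # last one: default little endian
        print(f"{check:20} -> {match(PKT, check)}")
    print("L4 header offset:", l4_offset(PKT))
```

Note that "[12:4]=10.0.0.5" without ",b" does not match, because the default little-endian read returns the address bytes reversed; this is the usual reason an offset-based host filter silently captures nothing.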

 

(7-G) Capture Examples - Network Specific Capture

To capture traffic to/from a network, specify the network address and the length of the network mask (number of bits).

There are 3 options:

Traffic direction      Expression
To or From a network   "net(<Network_IP_Address>, <Mask_Length>), accept;"
To a network           "to_net(<Network_IP_Address>, <Mask_Length>), accept;"
From a network         "from_net(<Network_IP_Address>, <Mask_Length>), accept;"

Examples:

  • Capture everything to/from network 192.168.33.0 / 24:

    [Expert@HostName]# fw monitor -e "net(192.168.33.0, 24), accept;"
  • Capture everything sent to network 192.168.33.0 / 24:

    [Expert@HostName]# fw monitor -e "to_net(192.168.33.0, 24), accept;"
  • Capture everything sent from network 192.168.33.0 / 24:

    [Expert@HostName]# fw monitor -e "from_net(192.168.33.0, 24), accept;"

 

(7-H) Capture Examples - Some Examples

  • Capture ESP protocol or UDP port 161 (SNMP):

    [Expert@HostName]# fw monitor -e "(ip_p=50) or (ip_p=17, port(161)), accept;" -o /var/log/fw_mon.cap > /dev/null 2>&1 &
  • Filter out the usual garbage (SMTP, POP3, SSH, Microsoft NetBIOS, Check Point ClusterXL CCP):

    [Expert@HostName]# fw monitor -e "(sport!=25) and (dport!=25) and (sport!=110) and (dport!=110) and (sport!=22) and (dport!=22) and (sport!=137) and (dport!=137) and (sport!=8116) and (dport!=8116), accept;" -o /var/log/fw_mon.cap > /dev/null 2>&1 &
  • Filter out the usual garbage (filter in only TCP protocol, and HTTP and HTTPS ports ; filter out the SSH and FW Logs):

    [Expert@HostName]# fw monitor -e "accept (ip_p=6) and (not (sport=22 or dport=22)) and (not (sport=257 or dport=257)) and ((dport=80 or dport=443) or (sport=80 or sport=443));" -o /var/log/fw_mon.cap > /dev/null 2>&1 &
  • Capture Edge communication between 10.10.10.10, or 20.20.20.20, or 30.30.30.30 and on UDP ports 9281, or 9282, or 9283:

    [Expert@HostName]# fw monitor -e "ip_p=17, (host(10.10.10.10) or host(20.20.20.20) or host(30.30.30.30)) and (port(9281) or port(9282) or port(9283)), accept;" -o /var/log/fw_mon.cap

 

(8) Related Documentation

  1. Detailed information regarding the usage of the fw monitor command can be found in the "How to use FW Monitor" document.

    Notes:

    • This document applies to Security Gateways of all existing Check Point versions, regardless of operating system.
    • Ignore the outdated links provided in the document in the "Secure Knowledge Links" section.
  2. $FWDIR/lib/tcpip.def file on Security Gateway

  3. $FWDIR/lib/fwmonitor.def file on Security Gateway

 

Applies To:
  • This solution replaces: 10022.0.1862922.2481845 , sk1062 , 10022.0.1862930.2481845 , sk3474 , 10022.0.2594497.2500363 , skI4444 , 55.0.12289645.2846374 , 55.0.12289624.2846374 , sk41045, skI5125
