What is FW Monitor?
Solution

Table of Contents:

  1. Introduction
  2. Warnings
  3. FW Monitor Features
  4. FW Monitor Functionality
  5. FW Monitor Syntax and Usage
    1. Syntax
    2. Comparison with TCPdump
    3. Using the UUID feature
  6. SecureClient Syntax
  7. Capture Examples of "-e" flag
    1. Usual Capture
    2. Host Specific Capture
    3. Port Specific Capture
    4. Protocol Specific Capture
    5. Protocol Options Specific Capture
    6. Bytes Specific Capture
    7. Network Specific Capture
    8. Some Examples
  8. Capture Examples of "-F" flag
    1. Usual Capture
    2. Host Specific Capture
    3. Port Specific Capture
    4. Protocol Specific Capture
  9. Related Documentation
  10. Related Solutions

 

(1) Introduction

Check Point's FW Monitor is a powerful built-in tool for capturing network traffic at the packet level. The FW Monitor utility captures network packets at multiple capture points along the FireWall inspection chains. These captured packets can be inspected later using Wireshark (available for free from www.wireshark.org).

 

(2) Warnings

  • Anything related to policy installation or policy unloading on the Security Gateway will cause FW Monitor to exit.

  • Only a single instance of FW Monitor is supported at any given time.

  • Do not modify Check Point kernel tables used in the security policy while FW Monitor is running, otherwise unexpected behavior may result (including a system crash).

  • Packets are defragmented as they leave the Security Gateway in both the inbound and outbound directions.

  • If SecureXL is enabled on the Security Gateway, then FW Monitor and tcpdump will show only the non-accelerated packets (e.g., 'TCP SYN' will be shown, and 'TCP ACK' will not).

  • Important Note: Traffic captures can be misleading when working with SecureXL, since neither FW Monitor nor TCPdump always shows the 'real' packets that go out to the network. This is related to the way the SecureXL kernel driver is attached to the network adapter itself. When SecureXL is enabled and you need to confirm whether packets are handled correctly, either capture the traffic on the directly connected router / switch, or disable SecureXL.

  • From R80.20 Jumbo Hotfix Accumulator (Ongoing) Take 73, FW Monitor supports monitoring of accelerated traffic by default.

Monitored traffic

  • Since R80.20, only the 1st accelerated packet of a connection is monitored, and only inbound (i).
  • Since R80.20 Jumbo Take 73, accelerated traffic in the fast path is monitored both inbound and outbound.
  • Since R80.20 Jumbo Take 117, Slow Path, Medium Path and Fast Path are all monitored.
  • In R80.30, the default behavior is the same as R80.20 prior to Jumbo Take 72.
  • In R80.40, the default behavior is to monitor all traffic.

Filtering options

  • Since R80.20 Jumbo Take 73, the "-e" flag does not filter accelerated traffic (all accelerated traffic is monitored regardless of the expression). To filter accelerated traffic, use the "-F" flag (exists from Jumbo Take 73).
  • Since R80.20 Jumbo Take 117, the "-e" flag filters out all accelerated traffic. To filter and monitor accelerated traffic, use "-F" (exists from Jumbo Take 73).

In R80.30, Accelerated traffic is not monitored.

     

    (3) FW Monitor Features

    In many deployment and support scenarios, capturing network packets is an essential functionality. The tcpdump / snoop utilities are normally used for this task. FW Monitor provides even better functionality, while omitting many of the requirements and risks associated with these tools:

    • No Security Flaws

      tcpdump / snoop are normally used with NICs in promiscuous mode. Unfortunately, promiscuous mode allows remote attacks against these tools. Check Point's FW Monitor does not use promiscuous mode to capture packets. In addition, most firewalls' operating systems are hardened. In most cases, this hardening includes the removal of tools like tcpdump / snoop, because of their security risks.
    • Available on FireWall Installations

      FW Monitor is a built-in tool that does not need a separate installation, or licensing.
    • Multiple Capture Positions within the FireWall Kernel Module Chains

      FW Monitor can capture packets at multiple positions within the Security Gateway kernel module chains, both for inbound and outbound packets. This makes it possible to trace a packet through the different layers of the Security Gateway.
    • Same Tool and Syntax on All Platforms

      FW Monitor is available on all different platforms. tcpdump / snoop are often platform-dependent, or have specific "enhancements" on certain platforms. FW Monitor and all its related functionality and syntax are identical across all platforms.

    Normally, Check Point kernel modules are used to perform several functions on packets, such as filtering, encryption and decryption, QoS, etc. FW Monitor adds its own modules to capture packets. FW Monitor can capture all packets that are seen and/or forwarded by the Security Gateway.

     

    (4) FW Monitor Functionality

    There are four inspection points when a packet passes through a Security Gateway:

    #   Traffic direction (*)   Relation to FireWall Virtual Machine   Name of inspection point   Notion of inspection point
    1   Inbound                 Before the inbound FW VM               Pre-Inbound                "i"
    2   Inbound                 After the inbound FW VM                Post-Inbound               "I"
    3   Outbound                Before the outbound FW VM              Pre-Outbound               "o"
    4   Outbound                After the outbound FW VM               Post-Outbound              "O"

    (*) The traffic direction (inbound/outbound) relates to each specific packet, and not to the connection.

    Note: When VPN is enabled, additional inspection points are added:

    • e - before VPN encryption 
    • E - after VPN encryption 
    • d - before VPN decryption
    • D - after VPN decryption

    Note: When QOS is enabled, additional inspection points are added:

    • q - before QOS chain module
    • Q - after QOS chain module

    Let us examine a TCP handshake in the following topology:

    [Client] --- (eth1)[Security Gateway](eth2) --- [Server]

    1. TCP SYN from [Client] will pass through Pre-Inbound and Post-Inbound on interface eth1:

      [Client] --- (eth1) {Pre-Inbound + Post-Inbound} [Security Gateway](eth2) --- [Server]
    2. TCP SYN from [Client] will pass through Pre-Outbound and Post-Outbound on interface eth2:

      [Client] --- (eth1)[Security Gateway] {Pre-Outbound + Post-Outbound} (eth2) --- [Server]
    3. TCP SYN-ACK from [Server] will pass through Pre-Inbound and Post-Inbound on interface eth2:

      [Client] --- (eth1)[Security Gateway] {Pre-Inbound + Post-Inbound} (eth2) --- [Server]
    4. TCP SYN-ACK from [Server] will pass through Pre-Outbound and Post-Outbound on interface eth1:

      [Client] --- (eth1) {Pre-Outbound + Post-Outbound} [Security Gateway](eth2) --- [Server]
    5. TCP ACK from [Client] will pass through Pre-Inbound and Post-Inbound on interface eth1:

      [Client] --- (eth1) {Pre-Inbound + Post-Inbound} [Security Gateway](eth2) --- [Server]
    6. TCP ACK from [Client] will pass through Pre-Outbound and Post-Outbound on interface eth2:

      [Client] --- (eth1)[Security Gateway] {Pre-Outbound + Post-Outbound} (eth2) --- [Server]

    Once started, FW Monitor compiles the INSPECT filter (created as $FWDIR/tmp/monitorfilter.pf) based on the specified syntax (which packets to capture), and loads it into the Check Point kernel (without replacing the Security Policy). FW Monitor then continuously receives packets from the Check Point kernel and, depending on the syntax, either displays them in the terminal window or saves them to the output capture file. Upon an interrupt signal (key combination CTRL + C), FW Monitor stops, unloads the INSPECT filter, and exits.

     

    (5) FW Monitor Syntax and Usage

    (5-A) FW Monitor Syntax and Usage - Syntax

    • For IPv4:

      [Expert@HostName]# fw monitor [-h] [-u|-s] [-i] [-d] [-D] [-t] [{-e <expr>}+ | -f <filter_file_name>|-] [-l length] [-m i|I|o|O] [-x offset[,length]] [-o <output_file_name>] <[-pi position] [-pI position] [-po position] [-pO position] | -p all> [-a] [-ci count] [-co count] [-v VSID] [-w whole packet] [-F simple filter "<src IP>,<src port>,<dst IP>,<dst port>,<protocol num>"] [-U clear]

      Note: The "-w", "-F" and "-U" flags are relevant for R80.20 from Jumbo Hotfix Accumulator for R80.20 (Take 73). Currently, not relevant for R80.30.

    • For IPv6:

      [Expert@HostName]# fw6 monitor [-h] [-u|-s] [-i] [-d] [-D] [-t] [{-e <expr>}+ | -f <filter_file_name>|-] [-l length] [-m i|I|o|O] [-x offset[,length]] [-o <output_file_name>] <[-pi position] [-pI position] [-po position] [-pO position] | -p all> [-a] [-ci count] [-co count] [-v VSID] [-w whole packet] [-F simple filter "<src IP>,<src port>,<dst IP>,<dst port>,<protocol num>"] [-U clear]

      Note: The "-w", "-F" and "-U" flags are relevant for R80.20 from Jumbo Hotfix Accumulator for R80.20 (Take 73). Currently, not relevant for R80.30.

     

    Flag Explanation
    -h Displays the usage.
    -i

    Flushes the standard output.

    Use this flag to make sure that captured data for each packet is at once written to standard output. This is especially useful if you want to kill a running FW Monitor process, and want to be sure that all data is written to a file.
    -d
    -D

    Starts the FW Monitor in debug mode.

    This gives you an insight into FW Monitor's inner workings, although this option is only rarely used outside Check Point.
    Using the "-D" flag produces even more verbose output.
    -t

    When compiling the INSPECT filter, includes $FWDIR/lib/tcpip.def, which allows using TCP/IP macros.

    Warning: Do not modify anything in $FWDIR/lib/tcpip.def or in any other $FWDIR/lib/*.def file by yourself. Check Point does not support any configuration with changed *.def files. The exceptions are modifications done together with Check Point Support (according to a Service Request) or found in SecureKnowledge.
    {-e <expr>}+ |
    -f <filter_file_name> | -

    Note: From R80.20 Jumbo Hotfix Accumulator Take 73, the "-e" flag is not supported for accelerated traffic.

    Captures only specific packets:

    • Set the filter expression on the command line using the -e <expr> switch
    • Read the filter expression from a file using the -f <filter_file_name> switch
    • Read the filter expression from the standard input using the -f - switch

    For further information, refer to "How to use FW Monitor" document.

    Note:
    When using filter expressions on the command line (using "-e <expr>" switch), make sure that the expressions are properly quoted.
    On Windows and UNIX operating systems, this can be done by surrounding the expression with single quote ' (ASCII value 39), or double quotes " (ASCII value 34).
    Depending on the given operating system and shell, there might be differences between the two forms - especially when using special characters, or (shell) variables in the filter expression.
    -l length

    Limits the length of the captured packets. FW Monitor will read only as many bytes from the kernel as specified by the length.

    Make sure to capture at least as many bytes as needed to include the L3 IP header and the L4 Transport header. This option allows capturing only the headers of a packet (e.g., IP and TCP) while omitting the actual payload, and thus decreases the size of the output file.

    FW Monitor uses a buffer to transfer the packets from Check Point kernel to user space. If the size of the captured packets is reduced, this buffer will not fill up so fast.
    -m i
    -m I
    -m o
    -m O

    Capture masks. By default, FW Monitor captures packets before and after the FireWall Virtual Machine in both directions.
    This flag lets you specify the positions (kernel chains) where the traffic should be captured:

    • i - Pre-Inbound
    • I - Post-Inbound
    • o - Pre-Outbound
    • O - Post-Outbound
    For further information, refer to "How to use FW Monitor" document.
    -x offset[,length]

    Prints packet/payload raw data in addition to the IP and Transport headers. Optionally it is also possible to limit the data written to the screen.

    For further information, refer to "How to use FW Monitor" document.
    -o <output_file_name> Writes the captured raw data into an output file.
    The format of an output file is the same format used by tools like snoop (refer to RFC 1761 for further information). This output file can be later analyzed by tools like WireShark.
    -pi position
    -pI position
    -po position
    -pO position
    -p all

    Inserts FW Monitor chain module at a specific position between Check Point kernel chains.

    In addition to capture masks (which give the ability to specify a specific position), this flag defines where exactly (in Check Point kernel chains) the packets should be captured.

    For further information, refer to "How to use FW Monitor" document.
    -a

    Uses absolute chain positions (in Check Point kernel chains). This flag changes the chain ID from a relative value (which only makes sense with the matching output from fw ctl chain command) to an absolute value.

    If the captured data is saved into an output file (using the "-o <output_file_name>" switch), one of the fields written into the output file would be the chain position of the FW Monitor chain module.
    Together with a simultaneous execution of the "fw ctl chain" command, you can determine where the packet was captured. Especially when using the "-p all" switch, you will find the same packet captured multiple times at different chain positions.
    -ci count
    -co count

    Captures a specific number of packets.

    This is especially useful in situations where the FireWall is filtering high amounts of traffic. In such scenarios, FW Monitor may bind so many resources (for writing to the console, or to a file) that recognizing the break sequence (CTRL+C) might take very long time.

    It is possible to use the "-ci" and the "-co" switches together. FW Monitor will stop capturing packets if the number of packets for one of the two counters reaches the specified "count".
    -u | -s

    Prints connection's Universal-Unique-ID (UUID), or connection's Session UUID (SUUID) for every packet.

    Note that it is only possible to print the UUID or the SUUID - not both.

    For further information, refer to "(5-C) FW Monitor Syntax and Usage - Using the UUID feature" section and to "How to use FW Monitor" document.
    -v VSID

    Applies only to VSX NG, VSX NGX, and VSX NGX R6x versions.

    Captures the packets on a specific Virtual Router or Virtual System on VSX Gateway (Example: fw monitor -v 4 -e "accept;" -o /var/log/fw_mon.cap)
    -w

    When used with the "-o" / "-x" flag, prints the whole raw data of the packet.

    Note: Relevant for R80.20 from Jumbo Hotfix Accumulator for R80.20 (Take 73). Currently, not relevant for R80.30.

    -F "<src IP>, <src port>, <dst IP>,
    <dst port>, <protocol num>"

    Filters the captured packets by IP address, port and protocol.
    Notes:
    • Value 0 is used as "any".
    • Up to 5 filters are supported. Multiple filters are combined with OR logic: a packet is captured if it matches any one of them.

    Note: Relevant for R80.20 from Jumbo Hotfix Accumulator for R80.20 (Take 73). Currently, not relevant for R80.30. 

    -U

    Restores the factory default of FW Monitor ("-U clear").

    Note: Relevant for R80.20 from Jumbo Hotfix Accumulator for R80.20 (Take 73). Currently, not relevant for R80.30.
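    As an added example (not Check Point code), here is a reference matcher for the "-F" simple filter as the table describes it: five comma-separated fields, 0 meaning "any", at most 5 filters, combined with OR. It assumes an "any" address may be written as "0" or "0.0.0.0", and the sample packets are constructed.

```python
from ipaddress import ip_address

MAX_SIMPLE_FILTERS = 5  # page: "Up to 5 filters are supported"

# Constructed sample packets (not from a real capture):
# (src IP, src port, dst IP, dst port, IANA protocol number)
SAMPLE_PACKETS = [
    ("192.168.22.33", 40210, "10.1.1.10", 22, 6),    # SSH from host .33
    ("192.168.22.34", 40211, "10.1.1.10", 22, 6),    # SSH from host .34
    ("192.168.22.50", 53012, "10.1.1.53", 53, 17),   # DNS query
    ("10.1.1.10", 22, "192.168.22.33", 40210, 6),    # SSH reply to host .33
]


def _parse_addr(field):
    """Address field; "0" means any (assumption: "0.0.0.0" is accepted too)."""
    if field in ("0", "0.0.0.0"):
        return None
    return ip_address(field)


def _parse_num(field, upper, what):
    """Port or protocol field; 0 means any. Decimal or 0x-prefixed hex."""
    value = int(field, 0)
    if not 0 <= value <= upper:
        raise ValueError(f"{what} {value} is outside 0..{upper}")
    return None if value == 0 else value


def parse_simple_filter(text):
    """Parse one -F value "<src IP>,<src port>,<dst IP>,<dst port>,<protocol num>".

    Returns a 5-tuple in the same order; None stands for "any".
    """
    fields = [f.strip() for f in text.strip().strip('"').split(",")]
    if len(fields) != 5:
        raise ValueError(f"expected 5 comma-separated fields, got {len(fields)}: {text!r}")
    src, sport, dst, dport, proto = fields
    return (
        _parse_addr(src),
        _parse_num(sport, 65535, "source port"),
        _parse_addr(dst),
        _parse_num(dport, 65535, "destination port"),
        _parse_num(proto, 255, "protocol number"),
    )


def build_filter_set(filter_args):
    """Parse every -F argument from the command line; more than 5 is rejected."""
    if len(filter_args) > MAX_SIMPLE_FILTERS:
        raise ValueError(f"at most {MAX_SIMPLE_FILTERS} -F filters are supported")
    return [parse_simple_filter(arg) for arg in filter_args]


def matches_one(filt, pkt):
    """Within a single filter, every non-any field must match (AND)."""
    src, sport, dst, dport, proto = pkt
    f_src, f_sport, f_dst, f_dport, f_proto = filt
    return (
        (f_src is None or f_src == ip_address(src))
        and (f_sport is None or f_sport == sport)
        and (f_dst is None or f_dst == ip_address(dst))
        and (f_dport is None or f_dport == dport)
        and (f_proto is None or f_proto == proto)
    )


def packet_matches(filters, pkt):
    """Across filters the page specifies OR: any one matching filter captures the packet."""
    return any(matches_one(f, pkt) for f in filters)


def select_packets(filter_args, packets=SAMPLE_PACKETS):
    """Return the packets that the given -F arguments would let FW Monitor capture."""
    filters = build_filter_set(filter_args)
    return [pkt for pkt in packets if packet_matches(filters, pkt)]


if __name__ == "__main__":
    # Equivalent of: fw monitor -F "192.168.22.33,0,0,22,6" -F "0,0,0,53,17"
    for pkt in select_packets(["192.168.22.33,0,0,22,6", "0,0,0,53,17"]):
        print(pkt)
```

    The fields are directional, so the SSH reply packet is not matched by the first filter above; capturing both directions of a connection takes a second "-F" with source and destination swapped, unlike "host()" in an "-e" expression.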

     

    (5-B) FW Monitor Syntax and Usage - Syntax comparison between TCPdump and FW Monitor

    Note: Refer to https://linux.die.net/man/8/tcpdump.

    Function: Save output into a file
      Flag in TCPdump:    -w <output_file_name>
      Flag in FW Monitor: -o <output_file_name>

    Function: Capture specified number of bytes per packet
      Flag in TCPdump:    -s snaplen
      Flag in FW Monitor: -l length
      Notes for TCPdump:
      • If not specified, then 65535 bytes are captured
      • It is recommended to use "-s 1500"
      • Setting snaplen to 0 sets it to the default of 65535 bytes
      Notes for FW Monitor:
      • By default, not needed
      • Refer to the table above

    Function: Automatically exit after specified number of packets was captured
      Flag in TCPdump:    -c count
      Flag in FW Monitor: -ci count / -co count
      Notes for FW Monitor:
      • Refer to the table above

    Function: Print payload content
      Flag in TCPdump:    -X
      Flag in FW Monitor: -x offset[,length]
      Notes for TCPdump:
      • In addition to printing the headers of each packet, prints the data of each packet (minus its Link Level header) in Hex and ASCII
      Notes for FW Monitor:
      • Refer to the table above

    Function: Display timestamps on CLI (when not saving output into a file)
      Flag in TCPdump: -tt / Flag in FW Monitor: N/A
      • Prints an unformatted timestamp on each dump line.
      Flag in TCPdump: -ttt / Flag in FW Monitor: -T
      • Prints a delta (micro-second resolution) between current and previous line on each dump line.
      Flag in TCPdump: -ttt / Flag in FW Monitor: N/A
      • Prints a delta (micro-second resolution) between current and previous line on each dump line.
      Flag in TCPdump: -tttt / Flag in FW Monitor: N/A
      • Prints a timestamp in default format preceded by date on each dump line.
      Flag in TCPdump: -ttttt / Flag in FW Monitor: N/A
      • Prints a delta (micro-second resolution) between current and first line on each dump line.

    Function: Display verbose output on CLI (when not saving output into a file)
      Flag in TCPdump: -v / Flag in FW Monitor: -d
      Notes for TCPdump:
      • Produces slightly more verbose output. For example, the TTL, Identification, total length and options in an IP packet are printed. Also enables additional packet integrity checks, such as verifying the IP and ICMP header checksum.
      Notes for FW Monitor:
      • Refer to the table above
      Flag in TCPdump: -vv / Flag in FW Monitor: -D
      Notes for TCPdump:
      • Produces even more verbose output. For example, additional fields are printed from NFS reply packets, and SMB packets are fully decoded.
      Notes for FW Monitor:
      • Refer to the table above
      Flag in TCPdump: -vvv / Flag in FW Monitor: -D
      Notes for TCPdump:
      • Produces even more verbose output. For example, telnet SB ... SE options are printed in full. With "-X", Telnet options are printed in Hex as well.
      Notes for FW Monitor:
      • Refer to the table above

     

    (5-C) FW Monitor Syntax and Usage - Using the UUID feature

    • Background

      The purpose of the new FW Monitor feature is to use the UUID feature (that was introduced in NG AI family) in order to follow connections passing through the FireWall.

      Following connections through the FireWall is not always a trivial task since in many cases the FireWall modifies information in the original packet. These cases include:

      • NAT, both Static and Dynamic (Hide)
      • Security Servers
      • VPN Encryption

      In Check Point NG AI version, a Universal-Unique-IDentifier (UUID) was introduced as the basis for the log unification mechanism. A UUID is given to every new connection passing through the FireWall. This way, all packets that belong to the connection can be identified and can later be unified on Security Management Server.

      This new infrastructure has given us the ability to enhance the "FW Monitor" utility. The FW Monitor utility is a tcpdump/snoop-like tool that allows us to monitor packets as they pass through the FireWall. The FW Monitor module registers itself as the first and the last module on the chain, allowing us to see any modifications done by the FireWall on the original packet. With the addition of the UUID field to the FW Monitor, entire connections can be monitored as they pass through the FireWall.

    • The UUID feature

      The original UUID is an array, composed of 4 unsigned 32-bit integers, in which only the first two integers are relevant:
      UUID[0] is a timestamp.
      UUID[1] is a counter used whenever UUID[0] is not unique.
      UUID[2] is the IP address of the local firewall (constant)
      UUID[3] is a process number (currently a constant that can be ignored).

      The UUID feature can be activated with one of the following switches:

      • -u = displays the UUID
      • -s = displays the session UUID, meaning, display a single (parent) UUID of complex connections involving data/control connections (such as FTP, H.323, etc.)

      Since we are pressed for space in the header fields of the captured packet, the original UUID has been manipulated into a single unsigned 32-bit integer. It is currently composed of the 2 least significant bytes of UUID[1] (16 bits) attached to the 2 least significant bytes of UUID[0] (16 bits). This gives us the following amount of unique IDs:

      • 2^16 IDs per second
      • 2^16 seconds

      This UUID is then placed in the last four bytes of the Ethernet MAC Source header field.

      The new Ethernet header MAC fields are now:

      • 2 bytes - i/I/o/O
      • 6 bytes - Interface Name
      • 4 bytes - UUID

      In addition, it is possible to redirect the FW Monitor output to an ASCII file instead of saving it in a tcpdump/snoop format. If this is the case, the 32-bit manipulated UUID is displayed as the first field of each line followed by the entire UUID array.

    • Filtering

      When viewing the captured file, it is now possible to view the connection by filtering the file by the UUID. This is done by first opening the captured file, finding a packet that belongs to the connection, and getting the last four bytes of the Source MAC address. Then, convert these four bytes to Decimal format and filter the captured file as follows:

      # tcpdump -r <captured_file_name> -e -v -xx "ether[8:4] = 0xHHHH"

      # snoop -i <captured_file_name> -v -x0 "ether[8:4] = 0xHHHH"

      where HHHH is the decimal equivalent of the last four bytes of the Source MAC address.

    • Debugging

      The UUID feature can be debugged by collecting the "fw ctl debug -m fw + chain conn" debug.

      Note: The 'filter' flag may also provide some information, but also produces many irrelevant printouts.
    • Notes

      • The UUID of the first packet of every new connection before the VM is always 0.
      • The UUID on encrypted packets is also 0.
      • When running the UUID feature and redirecting the output to a captured file, only the first 6 bytes of the interface name will be displayed.
      • The compressed UUID can be similar if taken on two different machines (since the IP address portion of the original UUID was not taken into consideration). In addition, it can also be similar if taken days apart (since the counter portion of the compressed UUID will repeat every 18 hours).
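      To make the layout above concrete, here is an added example (not Check Point code) that folds the four-integer UUID into the 32-bit value, writes and reads the 2 + 6 + 4 MAC bytes of a captured frame, and produces the tcpdump "ether[8:4]" filter from the Filtering section. Assumptions not stated on the page: the 4-byte UUID is stored big-endian with the counter half (UUID[1]) high and the timestamp half (UUID[0]) low, and the direction and interface fields are NUL-padded; the sample frames are constructed.

```python
import struct

# Inspection-point letters listed on the page: i/I/o/O, VPN e/E/d/D, QoS q/Q
INSPECTION_POINTS = set("iIoOeEdDqQ")
DIRECTION_LEN, IFNAME_LEN, UUID_LEN = 2, 6, 4   # page: 2 + 6 + 4 MAC bytes
UUID_OFFSET = DIRECTION_LEN + IFNAME_LEN         # 8, hence tcpdump "ether[8:4]"
TIMESTAMP_WRAP_SECONDS = 1 << 16                 # 2^16 seconds of unique timestamps


def compress_uuid(uuid_array):
    """Fold the 4 x 32-bit UUID array into the 32-bit value FW Monitor stores.

    Page: low 16 bits of UUID[1] (counter) joined with the low 16 bits of
    UUID[0] (timestamp). Assumption: the counter half is the high half.
    UUID[2] (local firewall IP) and UUID[3] (process number) are dropped, which
    is why the page warns that compressed UUIDs from two machines may collide.
    """
    if len(uuid_array) != 4:
        raise ValueError("UUID array must contain exactly 4 integers")
    timestamp, counter = uuid_array[0], uuid_array[1]
    return ((counter & 0xFFFF) << 16) | (timestamp & 0xFFFF)


def timestamp_wrap_hours():
    """How often the timestamp half repeats (page: 'every 18 hours')."""
    return TIMESTAMP_WRAP_SECONDS / 3600


def build_capture_frame(direction, ifname, uuid32, payload=b""):
    """Constructed frame in the MAC-field layout the page describes (not a real capture).

    Only the first 6 bytes of the interface name fit, matching the page's note.
    """
    if direction not in INSPECTION_POINTS:
        raise ValueError(f"unknown inspection point {direction!r}")
    if not 0 <= uuid32 <= 0xFFFFFFFF:
        raise ValueError("compressed UUID must fit in 32 bits")
    header = (
        direction.encode("ascii").ljust(DIRECTION_LEN, b"\x00")
        + ifname.encode("ascii")[:IFNAME_LEN].ljust(IFNAME_LEN, b"\x00")
        + struct.pack("!I", uuid32)  # assumption: big-endian
    )
    return header + payload


def decode_capture_frame(frame):
    """Recover direction, interface name and compressed UUID from the 12 MAC bytes."""
    if len(frame) < UUID_OFFSET + UUID_LEN:
        raise ValueError("frame shorter than the 12-byte MAC area")
    direction = frame[:DIRECTION_LEN].rstrip(b"\x00").decode("ascii")
    ifname = frame[DIRECTION_LEN:UUID_OFFSET].rstrip(b"\x00").decode("ascii")
    (uuid32,) = struct.unpack("!I", frame[UUID_OFFSET:UUID_OFFSET + UUID_LEN])
    return {"direction": direction, "interface": ifname, "uuid": uuid32}


def tcpdump_uuid_filter(uuid32):
    """The tcpdump expression from the Filtering section for one connection."""
    return f"ether[8:4] = 0x{uuid32:08x}"


def same_connection(frames, uuid32):
    """Select the frames that carry the given compressed UUID.

    UUID 0 is refused: the page states the first packet of a connection before
    the VM and encrypted packets both carry 0, so it identifies no connection.
    """
    if uuid32 == 0:
        raise ValueError("UUID 0 is not a connection identifier")
    return [f for f in frames if decode_capture_frame(f)["uuid"] == uuid32]


if __name__ == "__main__":
    uuid32 = compress_uuid([0x5F3E1234, 0x00010005, 0xC0A80101, 0x00001234])
    frame = build_capture_frame("i", "eth1.100", uuid32, b"\x08\x00" + b"\x45" * 20)
    print(decode_capture_frame(frame), tcpdump_uuid_filter(uuid32))
```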

     

    (6) SecureClient Syntax

    • SecuRemote and SecureClient R56 / R60 use an abridged version of FW Monitor, called srfw monitor:

      %SRDIR%\bin\srfw monitor [-d] [{-e <expr>}+ | -f <filter_file_name> | -] [-l length] [-m i | I | o | O] [-x offset[,length]] [-o <output_file_name>]

      Refer to SecureClient R56 for Mac OS X Release Notes (Mac OS X 10.3, Mac OS X 10.4) and to Debugging SecuRemote/SecureClient.

    • Starting in E75.30, SecuRemote and SecureClient use a command-line packet monitoring utility (PacketMon.exe), called packetmon:

      packetmon [-d] [-h] [-t] [-T] [-i] [-I] [-r] [{-e <expr>}+ | -f <filter_file_name> | -] [-l length] [-m i | I | o | O] [-x offset[,length]] [-o <output_file_name>] [-ci count] [-co count]

      Refer to Remote Access Clients for Windows 32/64-bit Administration Guide (E75.30, E80.41, E80.50) - Chapter 'Monitoring and Troubleshooting' - Troubleshooting the Firewall - Desktop Firewall Monitoring.

     

    (7) Capture Examples of "-e" flag

    Refer to $FWDIR/lib/fwmonitor.def file for useful macro definitions.

    Refer to "How to use FW Monitor" document - 'Logical and Relational Operators' section.

    Note: From R80.20 Jumbo Hotfix Accumulator Take 73, the "-e" flag is not supported for accelerated traffic.

     

    (7-A) Capture Examples - Usual Capture

    Capture everything, save the data into the file:

    [Expert@HostName]# fw monitor -e "accept;" -o /var/log/fw_mon.cap

     

    (7-B) Capture Examples - Host Specific Capture

    To specify a host, use one of the following expressions:

    • Either use "host(<IP_Address_in_Dotted_Decimal_format>)", which applies to both Source IP address and Destination IP address

    • Or use a specific Source IP address "src=<IP_Address_in_Dotted_Decimal_format>" and a specific Destination IP address "dst=<IP_Address_in_Dotted_Decimal_format>"

    Examples:

    • Capture everything between host X and host Y:

      [Expert@HostName]# fw monitor -e "host(x.x.x.x) and host(y.y.y.y), accept;" -o /var/log/fw_mon.cap
      [Expert@HostName]# fw monitor -e "((src=x.x.x.x , dst=y.y.y.y) or (src=y.y.y.y , dst=x.x.x.x)), accept;" -o /var/log/fw_mon.cap
    • Capture everything between hosts X,Z and hosts Y,Z on all Check Point kernel chains:

      [Expert@HostName]# fw monitor -p all -e "((src=x.x.x.x or dst=z.z.z.z) and (src=y.y.y.y or dst=z.z.z.z)), accept ;" -o /var/log/fw_mon.cap
    • Capture everything to/from host X or to/from host Y or to/from host Z:

      [Expert@HostName]# fw monitor -e "host(x.x.x.x) or host(y.y.y.y) or host(z.z.z.z), accept;" -o /var/log/fw_mon.cap
      [Expert@HostName]# fw monitor -e "((src=x.x.x.x or dst=x.x.x.x) or (src=y.y.y.y or dst=y.y.y.y) or (src=z.z.z.z or dst=z.z.z.z)), accept;" -o /var/log/fw_mon.cap

     

    (7-C) Capture Examples - Port Specific Capture

    Note: Port number in the syntax has to be provided in Decimal format. Refer to /etc/services file on the machine, or to http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml

    To specify a port, you can use the following expression:

    • Either use "port(<IANA_Port_Number>)", which applies to both Source Port and Destination Port

    • Or use specific Source Port "sport=<IANA_Port_Number>" and specific Destination Port "dport=<IANA_Port_Number>"

    • In addition:

      • For specific TCP port, you can use "tcpport(<IANA_Port_Number>)", which applies to both Source TCP Port and Destination TCP Port
      • For specific UDP port, you can use "udpport(<IANA_Port_Number>)", which applies to both Source UDP Port and Destination UDP Port

    Examples:

    • Capture everything to/from port X:

      [Expert@HostName]# fw monitor -e "port(x), accept;" -o /var/log/fw_mon.cap
      [Expert@HostName]# fw monitor -e "(sport=x or dport=x), accept;" -o /var/log/fw_mon.cap
    • Capture everything except port X (note that "not (A or B)" is "not A and not B", so the two "!=" tests must be joined with "and"):

      [Expert@HostName]# fw monitor -e "((sport!=x) and (dport!=x)), accept;" -o /var/log/fw_mon.cap
      [Expert@HostName]# fw monitor -e "not (sport=x or dport=x), accept;" -o /var/log/fw_mon.cap
    • Capture everything except SSH:

      [Expert@HostName]# fw monitor -e "((sport!=22) and (dport!=22)), accept;" -o /var/log/fw_mon.cap
      [Expert@HostName]# fw monitor -e "not (sport=22 or dport=22), accept;" -o /var/log/fw_mon.cap
      [Expert@HostName]# fw monitor -e "not tcpport(22), accept;" -o /var/log/fw_mon.cap
    • Capture everything to/from host X except SSH:

      [Expert@HostName]# fw monitor -e "(host(x.x.x.x) and (sport!=22 and dport!=22)), accept;" -o /var/log/fw_mon.cap
      [Expert@HostName]# fw monitor -e "((src=x.x.x.x or dst=x.x.x.x) and (not (sport=22 or dport=22))), accept;" -o /var/log/fw_mon.cap
      [Expert@HostName]# fw monitor -e "(host(x.x.x.x) and not tcpport(22)), accept;" -o /var/log/fw_mon.cap
    • Capture everything except NTP:

      [Expert@HostName]# fw monitor -e "not udpport(123), accept;" -o /var/log/fw_mon.cap

     

    (7-D) Capture Examples - Protocol Specific Capture

    Note: Protocol number in the expression has to be provided in Decimal format. Refer to /etc/protocols file on the machine, or to http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml

    To specify a protocol, use one of the following expressions:

    • Either use "ip_p=<IANA_Protocol_Number>"

      Examples:

      • To specify the TCP protocol, use "ip_p=6"
      • To specify the UDP protocol, use "ip_p=17"
      • To specify the ICMP protocol, use "ip_p=1"
    • Or use "accept [9:1]=<IANA_Protocol_Number>"

      (This byte offset syntax is described in the "Capture Examples - Bytes Specific Capture" section)

      Examples:

      • To specify the TCP protocol with byte offset, use "accept [9:1]=6"
      • To specify the UDP protocol with byte offset, use "accept [9:1]=17"
      • To specify the ICMP protocol with byte offset, use "accept [9:1]=1"
    • In addition, you can explicitly use the following expressions to specify protocols:

      Which protocol to specify     On which port(s) traffic will be captured   Expression
      TCP                           ---                                         "tcp, accept;"
      UDP                           ---                                         "udp, accept;"
      ICMPv4                        ---                                         "icmp, accept;" or "icmp4, accept;"
      ICMPv6                        ---                                         "icmp6, accept;"
      HTTP                          TCP 80                                      "http, accept;"
      HTTPS                         TCP 443                                     "https, accept;"
      PROXY                         TCP 8080                                    "proxy, accept;"
      DNS                           UDP 53                                      "dns, accept;"
      IKE                           UDP 500                                     "ike, accept;"
      NAT-T                         UDP 4500                                    "natt, accept;"
      ESP and IKE                   IP proto 50 and UDP 500                     "vpn, accept;"
      All VPN-related data          (see the list below)                        "vpnall, accept;"
      Multi-Portal connections      TCP 443 and TCP 444                         "multi, accept;"
      SSH                           TCP 22                                      "ssh, accept;"
      FTP                           TCP 20 and TCP 21                           "ftp, accept;"
      Telnet                        TCP 23                                      "telnet, accept;"
      SMTP                          TCP 25                                      "smtp, accept;"
      POP3                          TCP 110                                     "pop3, accept;"

      The "vpnall, accept;" expression captures all VPN-related data, on the following protocols and ports:

      1. ESP - IP proto 50
      2. IPsec over UDP - UDP 2746
      3. IKE - UDP 500
      4. NAT-T - UDP 4500
      5. CRL - TCP 18264
      6. RDP - UDP 259
      7. Tunnel Test - UDP 18234
      8. Topology - TCP 264
      9. L2TP - TCP 1701
      10. SCV - UDP 18233
      11. Multi-Portal - TCP 443 + TCP 444
      12. etc.

    Examples:

    • Capture everything on protocol X:

      [Expert@HostName]# fw monitor -e "ip_p=X, accept;" -o /var/log/fw_mon.cap
    • Everything on protocol X and port Z on protocol Y:

      [Expert@HostName]# fw monitor -e "(ip_p=X) or (ip_p=Y, port(Z)), accept;" -o /var/log/fw_mon.cap
    • Capture everything TCP between host X and host Y:

      [Expert@HostName]# fw monitor -e "ip_p=6, host(x.x.x.x) and host(y.y.y.y), accept;" -o /var/log/fw_mon.cap
      [Expert@HostName]# fw monitor -e "tcp, host(x.x.x.x) and host(y.y.y.y), accept;" -o /var/log/fw_mon.cap
      [Expert@HostName]# fw monitor -e "accept [9:1]=6 , ((src=x.x.x.x , dst=y.y.y.y) or (src=y.y.y.y , dst=x.x.x.x));"
      [Expert@HostName]# fw monitor -e "ip_p=6, ((src=x.x.x.x , dst=y.y.y.y) or (src=y.y.y.y , dst=x.x.x.x)), accept;" -o /var/log/fw_mon.cap

     

    (7-E) Capture Examples - Protocol Options Specific Capture

    Note: Refer to the $FWDIR/lib/tcpip.def file on Security Gateway.

    Protocol | Expression | Option Description

    Protocol: IPv4

    ip_src = <IPv4_Address>

    Source IPv4 address of the IPv4 packet

    Example: fw monitor -e "ip_src = 192.168.22.33, accept;"
    ip_dst = <IPv4_Address>

    Destination IPv4 address of the IPv4 packet

    Example: fw monitor -e "ip_dst = 192.168.22.33, accept;"
    ip_ttl = <Number>

    Time To Live of the IPv4 packet

    Example: fw monitor -e "ip_ttl = 255, accept;"
    ip_len = <Length_in_Bytes>

    Total Length of the IPv4 packet in bytes

    Example: fw monitor -e "ip_len = 64, accept;"
    ip_tos = <Number>

    TOS field of the IPv4 packet

    Example: fw monitor -e "ip_tos = 0, accept;"
    ip_p = <IANA_Protocol_Number>

    IANA Protocol Number (either in Dec or in Hex) encapsulated in the IPv4 packet

    Example 1 for TCP: fw monitor -e "ip_p = 6, accept;"
    Example 2 for UDP: fw monitor -e "ip_p = 17, accept;"
    Example 3 for UDP: fw monitor -e "ip_p = 0x11, accept;"
    Example 4 for ICMP: fw monitor -e "ip_p = 1, accept;"
    Protocol: IPv6

    ip_src6p = <IPv6_Address>

    Source IPv6 address of the IPv6 packet

    ip_dst6p = <IPv6_Address>

    Destination IPv6 address of the IPv6 packet

    ip_len6 = <Length_in_Bytes>

    Payload Length of the IPv6 packet in bytes

    ip_ttl6 = <Number>

    Hop Limit ("Time To Live") of the IPv6 packet

    ip_p6 = <IANA_Protocol_Number>

    Next Header of the IPv6 packet - encapsulated IANA Protocol Number

    Example: fw monitor -e "ip_p6 = 6, accept;"
    Protocol: TCP

    syn

    SYN flag is set in TCP packet

    Example: fw monitor -e "ip_p = 6, syn, accept;"
    ack

    ACK flag is set in TCP packet

    Example: fw monitor -e "ip_p = 6, ack, accept;"
    rst

    RST flag is set in TCP packet

    Example: fw monitor -e "ip_p = 6, rst, accept;"
    fin

    FIN flag is set in TCP packet

    Example: fw monitor -e "ip_p = 6, fin, accept;"
    first

    First packet of TCP connection
    (i.e., SYN flag is set, but ACK flag is not set in TCP packet)

    Example: fw monitor -e "ip_p = 6, first, accept;"
    not_first

    Not the first packet of TCP connection
    (i.e., SYN flag is not set in TCP packet)

    Example: fw monitor -e "ip_p = 6, not_first, accept;"
    established

    Established TCP connection
    (i.e., either ACK flag is set, or SYN flag is not set in TCP packet)

    Example: fw monitor -e "ip_p = 6, established, accept;"
    last

    Last packet of TCP connection
    (i.e., both ACK flag and FIN flag are set in TCP packet)

    Example: fw monitor -e "ip_p = 6, last, accept;"
    tcpdone

    End of TCP connection
    (i.e., either RST flag is set, or FIN flag is set in TCP packet)

    Example: fw monitor -e "ip_p = 6, tcpdone, accept;"
    th_flags = <Sum_of_Flags_Hex_Values>

    General way to match the flags inside TCP packets (the value is the sum of the hex values of the flags that must be set):

    Syntax Explanation Example
    th_flags = 0x2 SYN flag is set in TCP packet fw monitor -e "th_flags = 0x2, accept;"
    th_flags = 0x10 ACK flag is set in TCP packet fw monitor -e "th_flags = 0x10, accept;"
    th_flags = 0x8 PSH flag is set in TCP packet fw monitor -e "th_flags = 0x8, accept;"
    th_flags = 0x1 FIN flag is set in TCP packet fw monitor -e "th_flags = 0x1, accept;"
    th_flags = 0x4 RST flag is set in TCP packet fw monitor -e "th_flags = 0x4, accept;"
    th_flags = 0x20 URG flag is set in TCP packet fw monitor -e "th_flags = 0x20, accept;"
    th_flags = 0x12 SYN flag (0x2) and ACK flag (0x10) are set in TCP packet fw monitor -e "th_flags = 0x12, accept;"
    th_flags = 0x18 PSH flag (0x8) and ACK flag (0x10) are set in TCP packet fw monitor -e "th_flags = 0x18, accept;"
    th_flags = 0x11 FIN flag (0x1) and ACK flag (0x10) are set in TCP packet fw monitor -e "th_flags = 0x11, accept;"
    th_flags = 0x14 RST flag (0x4) and ACK flag (0x10) are set in TCP packet fw monitor -e "th_flags = 0x14, accept;"
    th_sport = <Port_Number>

    TCP source port (refer to IANA Port Number Registry)

    Example: fw monitor -e "th_sport = 59259, accept;"
    th_dport = <Port_Number>

    TCP destination port (refer to IANA Port Number Registry)

    Example: fw monitor -e "th_dport = 22, accept;"
    th_seq = <Number>

    TCP sequence number (either in Dec or in Hex)

    Example 1: fw monitor -e "th_seq = 3937833514, accept;"
    Example 2: fw monitor -e "th_seq = 0xeab6922a, accept;"
    th_ack = <Number>

    TCP acknowledged number (either in Dec or in Hex)

    Example 1: fw monitor -e "th_ack = 509054325, accept;"
    Example 2: fw monitor -e "th_ack = 0x1e578d75, accept;"
    Protocol: UDP

    uh_sport = <Port_Number>

    UDP source port (refer to IANA Port Number Registry)

    Example: fw monitor -e "uh_sport = 8116, accept;"
    uh_dport = <Port_Number>

    UDP destination port (refer to IANA Port Number Registry)

    Example: fw monitor -e "uh_dport = 53, accept;"
    Protocol: ICMPv4

    icmp_type = <Number>

    ICMPv4 packets with specified Type

    Example: fw monitor -e "icmp_type = 0, accept;"
    icmp_code = <Number>

    ICMPv4 packets with specified Code

    Example: fw monitor -e "icmp_code = 0, accept;"
    icmp_id = <Number>

    ICMPv4 packets with specified Identifier

    Example: fw monitor -e "icmp_id = 20583, accept;"
    icmp_seq = <Number>

    ICMPv4 packets with specified Sequence number

    Example: fw monitor -e "icmp_seq = 1, accept;"
    echo_req

    ICMPv4 Echo Request packets (Type 8, Code 0)

    Example: fw monitor -e "echo_req, accept;"
    echo_reply

    ICMPv4 Echo Reply packets (Type 0, Code 0)

    Example: fw monitor -e "echo_reply, accept;"
    ping

    ICMPv4 Echo Request and ICMPv4 Echo Reply packets

    Example: fw monitor -e "ping, accept;"
    traceroute

    Traceroute packets as implemented in Unix OS (UDP packets on ports above 30000 and with TTL<30; or ICMP Time exceeded packets)

    Example: fw monitor -e "traceroute, accept;"
    tracert

    Traceroute packets as implemented in Windows OS (ICMP Request packets with TTL<30; or ICMP Time exceeded packets)

    Example: fw monitor -e "tracert, accept;"
    icmp_ip_len = <length>

    Length of ICMPv4 packets

    Example: fw monitor -e "icmp_ip_len = 84, accept;"
    Protocol: ICMPv6

    icmp6_type = <Number>

    ICMPv6 packets with specified Type

    Example: fw monitor -e "icmp6_type = 1, accept;"
    icmp6_code = <Number>

    ICMPv6 packets with specified Code

    Example: fw monitor -e "icmp6_code = 3, accept;"

     

    (7-F) Capture Examples - Bytes Specific Capture

    Simple checks are used to check for a value at a specific offset in the packet:

    [Expert@HostName]# fw monitor -e "accept [ offset : length , order ] relational-operator value;"

    Field Explanation
    offset Specifies the offset relative to the beginning of the IP packet from where the value should be read.
    length Specifies the number of bytes:
    • 1 = byte
    • 2 = word
    • 4 = dword
    If length is not specified, FW Monitor assumes 4 (dword).
    order Specifies the byte order:
    • b = big endian, or network order
    • l = little endian, or host order
    If order is not specified, FW Monitor assumes little endian byte order.
    relational-operator

    Relational operator to express the relation between the packet data and the value:

    <             less than
    >             greater than
    <=            less than or equal to
    >=            greater than or equal to
    = or is       equal to
    != or is not  not equal to
    value One of the data types known to INSPECT (e.g., an IP address, or an integer).

     

    The IP-based protocols are stored in the IP packet as a byte at offset 9:

    • To filter based on a Protocol encapsulated into IP, use this syntax:

      [Expert@HostName]# fw monitor -e "accept [9:1]=<IANA_Protocol_Number>;"

    The Layer 3 IP Addresses are stored in the IP packet as double words at offset 12 (Source address) and at offset 16 (Destination address):

    • To filter based on a Source IP address, use this syntax:

      [Expert@HostName]# fw monitor -e "accept [12:4,b]=<IP_Address_in_Dotted_Decimal_format>;"
    • To filter based on a Destination IP address, use this syntax:

      [Expert@HostName]# fw monitor -e "accept [16:4,b]=<IP_Address_in_Dotted_Decimal_format>;"

    The Layer 4 Ports are stored in the IP packet as a word at offset 20 (Source port) and at offset 22 (Destination port):

    • To filter based on a Source port, use this syntax:

      [Expert@HostName]# fw monitor -e "accept [20:2,b]=<Port_Number_in_Decimal_format>;"
    • To filter based on a Destination port, use this syntax:

      [Expert@HostName]# fw monitor -e "accept [22:2,b]=<Port_Number_in_Decimal_format>;"

     

    Examples:

    • Capture everything between host X and host Y:

      [Expert@HostName]# fw monitor -e "accept (([12:4,b]=x.x.x.x , [16:4,b]=y.y.y.y) or ([12:4,b]=y.y.y.y , [16:4,b]=x.x.x.x));"
    • Capture everything on port X:

      [Expert@HostName]# fw monitor -e "accept [20:2,b]=x or [22:2,b]=x;" -o /var/log/fw_mon.cap
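    The byte-check semantics above (offset relative to the start of the IP header, length defaulting to 4, order defaulting to little endian) worked through in code. This is an added example, not Check Point's code: the packet is a constructed IPv4/TCP header pair, and the offsets 20 and 22 for the ports assume a 20-byte IP header with no options, which l4_offsets() derives from IHL instead of assuming.

```python
import struct

# Constructed sample packet: 20-byte IPv4 header (no options) + 20-byte TCP header.
# IPv4: ver/IHL=0x45, TOS=0, total len=40, id=0, frag=0, TTL=64, proto=6 (TCP),
#       checksum=0, src=10.1.1.5, dst=192.168.22.33
IPV4_HEADER = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                          bytes([10, 1, 1, 5]), bytes([192, 168, 22, 33]))
# TCP: sport=59259, dport=22, seq, ack, data offset=5 (0x50), flags=SYN|ACK (0x12)
TCP_HEADER = struct.pack("!HHIIBBHHH", 59259, 22, 0xEAB6922A, 0x1E578D75,
                         0x50, 0x12, 65535, 0, 0)
PACKET = IPV4_HEADER + TCP_HEADER

# Relational operators accepted in "accept [offset:length,order] op value;"
OPS = {
    "<": lambda a, b: a < b, ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b, "!=": lambda a, b: a != b,
}

def read_field(packet, offset, length=4, order="l"):
    """Read [offset:length,order]; defaults (4 bytes, little endian) follow the page."""
    if length not in (1, 2, 4):
        raise ValueError("length must be 1 (byte), 2 (word) or 4 (dword)")
    chunk = packet[offset:offset + length]
    if len(chunk) != length:
        raise ValueError("offset beyond end of packet")
    return int.from_bytes(chunk, "big" if order == "b" else "little")

def to_int(value):
    """Accept an int, a decimal/hex string, or a dotted-decimal IPv4 address."""
    if isinstance(value, int):
        return value
    if value.count(".") == 3:
        return int.from_bytes(bytes(int(o) for o in value.split(".")), "big")
    return int(value, 0)

def byte_check(packet, offset, op, value, length=4, order="l"):
    """Evaluate one 'accept [offset:length,order] op value;' condition."""
    return OPS[op](read_field(packet, offset, length, order), to_int(value))

def l4_offsets(packet):
    """Real source/destination port offsets: the page's 20/22 hold only when
    IHL == 5 (no IP options); with options the TCP/UDP header moves."""
    ihl = (packet[0] & 0x0F) * 4
    return ihl, ihl + 2
```

    Note that [12:4]=10.1.1.5 without ",b" does not match, because the default little-endian read reverses the address bytes; single-byte checks such as [9:1]=6 are unaffected by order.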

     

    (7-G) Capture Examples - Network Specific Capture

    To capture traffic to/from a network, you need to specify the network address and length of network mask (number of bits).

    There are 3 options:

    Traffic direction Expression
    To or From a network "net(<Network_IP_Address>, <Mask_Length>), accept;"
    To a network "to_net(<Network_IP_Address>, <Mask_Length>), accept;"
    From a network "from_net(<Network_IP_Address>, <Mask_Length>), accept;"

    Examples:

    • Capture everything to/from network 192.168.33.0 / 24:

      [Expert@HostName]# fw monitor -e "net(192.168.33.0, 24), accept;"
    • Capture everything sent to network 192.168.33.0 / 24:

      [Expert@HostName]# fw monitor -e "to_net(192.168.33.0, 24), accept;"
    • Capture everything sent from network 192.168.33.0 / 24:

      [Expert@HostName]# fw monitor -e "from_net(192.168.33.0, 24), accept;"

     

    (7-H) Capture Examples - Some Examples

    • Capture ESP protocol or UDP port 161 (SNMP):

      [Expert@HostName]# fw monitor -e "(ip_p=50) or (ip_p=17, port(161)), accept;" -o /var/log/fw_mon.cap > /dev/null 2>&1 &
    • Filter out the usual garbage (SMTP, POP3, SSH, Microsoft NetBIOS, Check Point ClusterXL CCP):

      [Expert@HostName]# fw monitor -e "(sport!=25) and (dport!=25) and (sport!=110) and (dport!=110) and (sport!=22) and (dport!=22) and (sport!=137) and (dport!=137) and (sport!=8116) and (dport!=8116), accept;" -o /var/log/fw_mon.cap > /dev/null 2>&1 &
    • Filter out the usual garbage (filter in only TCP protocol, and HTTP and HTTPS ports ; filter out the SSH and FW Logs):

      [Expert@HostName]# fw monitor -e "accept (ip_p=6) and (not (sport=22 or dport=22)) and (not (sport=257 or dport=257)) and ((dport=80 or dport=443) or (sport=80 or sport=443));" -o /var/log/fw_mon.cap > /dev/null 2>&1 &
    • Capture Edge communication between 10.10.10.10, or 20.20.20.20, or 30.30.30.30 and on UDP ports 9281, or 9282, or 9283:

      [Expert@HostName]# fw monitor -e "ip_p=17, (host(10.10.10.10) or host(20.20.20.20) or host(30.30.30.30)) and (port(9281) or port(9282) or port(9283)), accept;" -o /var/log/fw_mon.cap

     

    (8) Capture Examples of "-F" flag

    (8-A) Usual Capture

    To capture everything, you can use the following expression:

    -F "0,0,0,0,0"

     

    (8-B) Host Specific Capture

    To specify a host, you can use the following expression:

    -F "x.x.x.x,0,y.y.y.y,0,0"

    This will filter connections with source IP x.x.x.x and destination IP y.y.y.y.

    Protocol number and port numbers can be any value.

    Note: This means the filter will only catch one direction of the connection, so add a second filter (or set of filters) to catch the other direction.

    Examples:

    • fw monitor -F "x.x.x.x,0,y.y.y.y,0,0"

      This will filter connection "x.x.x.x:<Any> --> y.y.y.y:<Any>, <protocol: Any>"
      Source ip: x.x.x.x, source port: any, destination ip: y.y.y.y, destination port: any, protocol: any.

    • fw monitor -F "x.x.x.x,0,y.y.y.y,0,0" -F "y.y.y.y,0,x.x.x.x,0,0"

      This will filter connection "x.x.x.x:<Any> --> y.y.y.y:<Any>, <protocol: Any>" or connection "y.y.y.y:<Any> --> x.x.x.x:<Any>, <protocol: Any>"
      Filter 1: source ip: x.x.x.x, source port: any, destination ip: y.y.y.y, destination port: any, protocol: any.
      Filter 2: source ip: y.y.y.y, source port: any, destination ip: x.x.x.x, destination port: any, protocol: any.

     

    (8-C) Port Specific Capture

    To specify port numbers, you can use the following expression:

    -F "0,x,0,y,0"

    This will filter connections with source port x and destination port y. Protocol number and IP addresses can be any value.

    Examples:

    • fw monitor -F "0,x,0,y,0"

      This will filter connection "<Any>:x --> <Any>:y, <protocol: Any>"
      Source ip: any, source port: x, destination ip: any, destination port: y, protocol: any.

    • fw monitor -F "x.x.x.x,z,y.y.y.y,0,0" -F "y.y.y.y,0,x.x.x.x,z,0"

      This will filter connection "x.x.x.x:z --> y.y.y.y:<Any>, <protocol: Any>" or connection "y.y.y.y:<Any> --> x.x.x.x:z, <protocol: Any>"
      Filter 1: source ip: x.x.x.x, source port: z, destination ip: y.y.y.y, destination port: any, protocol: any.
      Filter 2: source ip: y.y.y.y, source port: any, destination ip: x.x.x.x, destination port: z, protocol: any.

    (8-D) Protocol Specific Capture

    To specify a protocol number, you can use the following expression:

    -F "0,0,0,0,x"

    This will filter connections with protocol number x.
    Port numbers and IP addresses can be any value.

    Examples:

    • fw monitor -F "0,0,0,0,x"

      This will filter connection "<Any>:<Any> --> <Any>:<Any>, <protocol: x>"
      Source ip: any, source port: any, destination ip: any, destination port: any, protocol: x.

    • fw monitor -F "x.x.x.x,0,y.y.y.y,z,m" -F "y.y.y.y,z,x.x.x.x,0,m"

      This will filter connection "x.x.x.x:<Any> --> y.y.y.y:z, <protocol: m>" or connection "y.y.y.y:z --> x.x.x.x:<Any>, <protocol: m>"
      Filter 1: source ip: x.x.x.x, source port: any, destination ip: y.y.y.y, destination port: z, protocol: m.
      Filter 2: source ip: y.y.y.y, source port: z, destination ip: x.x.x.x, destination port: any, protocol: m.
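    The -F 5-tuple matching described in sections 8-A to 8-D, modelled in code so the one-direction behaviour is visible: a single host filter sees the request but not the reply, and the second filter with source and destination swapped closes the gap. This is an added example, not Check Point's implementation; it assumes 0 is a wildcard in every position (as the page states) and that multiple -F flags are ORed, which is how the page's two-filter examples read. The packets are constructed.

```python
from collections import namedtuple

# Field order is the one fw monitor -F uses: src, sport, dst, dport, proto
Conn = namedtuple("Conn", "src sport dst dport proto")

def parse_f_filter(expr):
    """Parse an -F "src,sport,dst,dport,proto" string; 0 in any field is a wildcard."""
    parts = [p.strip() for p in expr.split(",")]
    if len(parts) != 5:
        raise ValueError("-F expects exactly five comma-separated fields")
    src, sport, dst, dport, proto = parts
    return Conn(src, int(sport), dst, int(dport), int(proto))

def matches(filt, conn):
    """True when every non-wildcard field of the filter equals the packet's field."""
    for want, have in zip(filt, conn):
        if want in ("0", 0):      # "0" for addresses, 0 for ports/protocol
            continue
        if want != have:
            return False
    return True

def captured(filters, conn):
    """Assumption: several -F flags are ORed, so any matching filter captures the packet."""
    return any(matches(f, conn) for f in filters)

# Constructed packets: a client's request and the server's reply in one TCP session
REQUEST = Conn("10.1.1.5", 59259, "192.168.22.33", 22, 6)
REPLY = Conn("192.168.22.33", 22, "10.1.1.5", 59259, 6)

def one_direction():
    """The single host filter of section 8-B: returns (request seen, reply seen)."""
    filters = [parse_f_filter("10.1.1.5,0,192.168.22.33,0,0")]
    return captured(filters, REQUEST), captured(filters, REPLY)

def both_directions():
    """The page's fix: a second -F filter with src and dst swapped."""
    filters = [parse_f_filter("10.1.1.5,0,192.168.22.33,0,0"),
               parse_f_filter("192.168.22.33,0,10.1.1.5,0,0")]
    return captured(filters, REQUEST), captured(filters, REPLY)
```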

     

    (9) Related Documentation

    1. Detailed information regarding the usage of the fw monitor command can be found in the "How to use FW Monitor" document.

      Notes:

      • This document applies to Security Gateways of all existing Check Point versions, regardless of operating system.
      • Ignore the outdated links provided in the document in the "Secure Knowledge Links" section.
    2. $FWDIR/lib/tcpip.def file on Security Gateway

    3. $FWDIR/lib/fwmonitor.def file on Security Gateway

     

    Applies To:
    • This solution replaces: 10022.0.1862922.2481845, sk1062, 10022.0.1862930.2481845, sk3474, 10022.0.2594497.2500363, skI4444, 55.0.12289645.2846374, 55.0.12289624.2846374, sk41045, skI5125
