As of version 0.10.0, the Wireshark application can display Check Point FireWall chains in an FW Monitor packet capture in the same way the CPEthereal application can.
Note: The CPEthereal application is no longer developed. Check Point recommends using the latest version of the Wireshark application to analyze FW Monitor packet captures.
Configure the Wireshark application to show the Check Point FireWall chains:
- Close all instances of Wireshark.
- Open one instance of Wireshark.
- From the top, click the 'Edit' menu - click '
- Go to 'Protocols' - click 'Ethernet' - select the box 'Attempt to interpret as FireWall-1 Monitor File' - click '
- Go to 'Appearance' (in v2.x) / 'User Interface' (in v1.x) - click 'Columns' - click '+' / 'Add' button - a new line is added at the bottom of the list:
- Double-click the title 'New Column' - assign a name (e.g., FW-1)
- Double-click the type 'Numbers' - choose 'FW-1 monitor if/direction'
- Left-click and hold this new line - drag the line to the desired position (recommended position is between the 'Destination' and '
- Click '
- Click '
- Close Wireshark.
- Open Wireshark.
You can use these filters in Wireshark to analyze the traffic captured with the FW Monitor tool:
((fw1.interface == "eth1") and (fw1.direction == "i") and (fw1.chain == "1"))
The ability to show the Inbound and Outbound Chains from the FW Monitor capture is built into Wireshark by its vendor. For any changes in this functionality, submit the relevant request on the Wireshark web site.
For example, the R80.20 version added new chains - Pre-Outbound VPN Encryption "e", Post-Outbound VPN Encryption "E", Pre-Inbound VPN Decryption "d", Post-Inbound VPN Decryption "D", Pre-QoS "q", and Post-QoS "Q". As of March 2022, Wireshark does not show these chains.
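The same setup can be driven from the command line with tshark. This is an added example, not part of the original article: the function names `fw1_filter` and `fw1_show` are hypothetical, and `eth.interpret_as_fw1_monitor` is the Wireshark preference behind the 'Attempt to interpret as FireWall-1 Monitor File' box.

```shell
# Build a display filter on the fw1.* fields used in the filter above.
# $1 = interface, $2 = inspection point, $3 = chain position (optional)
fw1_filter() {
    _iface="$1"; _dir="$2"; _chain="${3:-}"
    # Reject characters that could break out of the quoted filter string.
    case "$_iface" in
        ''|*[!A-Za-z0-9._:-]*) echo "bad interface name" >&2; return 1 ;;
    esac
    case "$_chain" in
        *[!0-9]*) echo "chain position must be numeric" >&2; return 1 ;;
    esac
    case "$_dir" in
        i|I|o|O) ;;   # pre/post inbound, pre/post outbound
        e|E|d|D|q|Q)
            # R80.20 chains: per the article, Wireshark does not show them.
            echo "inspection point '$_dir' is not shown by Wireshark" >&2
            return 2 ;;
        *) echo "unknown inspection point '$_dir'" >&2; return 1 ;;
    esac
    _f="(fw1.interface == \"$_iface\") and (fw1.direction == \"$_dir\")"
    if [ -n "$_chain" ]; then
        _f="$_f and (fw1.chain == \"$_chain\")"
    fi
    printf '(%s)\n' "$_f"
}

# Read an FW Monitor capture with the Ethernet preference enabled and
# print one line per matching packet.
# $1 = capture file, remaining arguments as for fw1_filter
fw1_show() {
    _file="$1"; shift
    _filter=$(fw1_filter "$@") || return
    tshark -r "$_file" \
        -o eth.interpret_as_fw1_monitor:TRUE \
        -Y "$_filter" \
        -T fields -e frame.number -e fw1.interface -e fw1.direction \
        -e fw1.chain -e ip.src -e ip.dst
}

# Usage (capture file name is a placeholder):
#   fw1_show fwmonitor.cap eth1 i 1
```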
Imported from Nokia support database