How to configure Wireshark to display Check Point FireWall chains in an FW Monitor packet
As of version 0.10.0, the Wireshark application is able to view Check Point FireWall chains in an FW Monitor packet capture in the same way CPEthereal application can.
Note: The CPEthereal application is no longer developed. Check Point recommends using the latest version of the Wireshark application to analyze FW Monitor packet captures.
Do the following to configure the Wireshark application to display the Check Point FireWall chains:
- Close all instances of Wireshark.
- Open Wireshark - go to '
Edit' menu - click on '
- Go to '
Protocols' - click on '
Ethernet' - check the box '
Attempt to interpret as FireWall-1 Monitor File' - click '
- Go to '
Appearance' (in v2.x) / '
User Interface' (in v1.x) - click on '
Columns' - click on '
+' / '
Add' button - a new line is added at the bottom of the list:
- double-click on the title '
New Column' - assign a name (e.g., FW-1)
- double-click on type '
Numbers' - choose '
FW-1 monitor if/direction'
- Left-click and hold this new line - drag the line to the desired position (recommended position is between '
Destination' and '
- Click '
Apply' and click '
- Close Wireshark.
The following filters can be used in Wireshark:
((fw1.interface == "eth1") and (fw1.direction == "i") and (fw1.chain == "1"))
Imported from Nokia support database