How to configure Wireshark to display Check Point FireWall chains in an FW Monitor packet
Solution

As of version 0.10.0, the Wireshark application can display the Check Point FireWall chains in an FW Monitor packet capture in the same way the CPEthereal application could.

Note: The CPEthereal application is no longer developed. Check Point recommends using the latest version of the Wireshark application to analyze FW Monitor packet captures.

Do the following to configure the Wireshark application to display the Check Point FireWall chains:

  1. Close all instances of Wireshark.

  2. Open Wireshark - go to 'Edit' menu - click on 'Preferences...'.

  3. Go to 'Protocols' - click on 'Ethernet' - check the box 'Attempt to interpret as FireWall-1 Monitor File' - click 'Apply'.

  4. Go to 'Appearance' (in v2.x) / 'User Interface' (in v1.x) - click on 'Columns' - click on '+' / 'Add' button - a new line is added at the bottom of the list:

    • double-click on the title 'New Column' - assign a name (e.g., FW-1)

    • double-click on type 'Numbers' - choose 'FW-1 monitor if/direction'

  5. Left-click and hold this new line - drag the line to the desired position (recommended position is between 'Destination' and 'Protocol').

  6. Click 'Apply' and click 'OK'.

  7. Close Wireshark.

The following display filter fields are available in Wireshark once the FireWall-1 Monitor interpretation is enabled:

Field name: fw1.chain
  Type: String
  Description: Chain position
  Relation operators: ==, !=, >, <, >=, <=, contains, matches
  Possible values: Depends on the FW Monitor position during traffic capture. For a complete list of Check Point kernel chains, refer to the output of the 'fw ctl chain' command.

Field name: fw1.direction
  Type: String
  Description: Direction
  Relation operators: ==, !=, >, <, >=, <=, contains, matches
  Possible values: i, I, o, O

Field name: fw1.interface
  Type: String
  Description: Interface
  Relation operators: ==, !=, >, <, >=, <=, contains, matches
  Possible values: Interface name as configured in the operating system and detected by the Check Point kernel; refer to the output of the 'fw ctl iflist' command.

Field name: fw1.type
  Type: Unsigned 16-bit integer
  Description: Type
  Relation operators: ==, !=, >, <, >=, <=
  Possible values: Always 0x0800 (IP protocol), because the Check Point FireWall supports only the TCP/IP stack.

Field name: fw1.uuid
  Type: Unsigned 32-bit integer
  Description: UUID
  Relation operators: ==, !=, >, <, >=, <=
  Possible values: Note: this field is irrelevant for analysis.

Example of a display filter that combines the three string fields (inbound packets on eth1 at chain position 1):
((fw1.interface == "eth1") and (fw1.direction == "i") and (fw1.chain == "1"))
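The same preference and display filter can be driven from tshark for batch analysis of FW Monitor captures. This is an added example, not part of the SecureKnowledge article; it assumes the Ethernet preference toggled in step 3 is exposed to tshark under the key eth.interpret_as_fw1_monitor, and the capture file name is a placeholder.

```shell
#!/bin/sh
# Added example (not from the SecureKnowledge article): apply the FireWall-1
# Monitor interpretation and the fw1.* display filter from tshark, so a batch
# of FW Monitor captures can be filtered by interface, direction and chain.
# Assumption: the GUI preference from step 3 maps to the tshark preference
# key "eth.interpret_as_fw1_monitor".

# Build the display filter from the article's three fields.
# Direction must be one of the fw1.direction values i, I, o, O; chain is a
# position string as listed by 'fw ctl chain'.
fw1_filter() {
    ifname=$1; dir=$2; chain=$3
    case "$dir" in
        i|I|o|O) ;;
        *) echo "fw1_filter: direction must be i, I, o or O (got '$dir')" >&2; return 1 ;;
    esac
    printf '((fw1.interface == "%s") and (fw1.direction == "%s") and (fw1.chain == "%s"))' \
        "$ifname" "$dir" "$chain"
}

# Print one comma-separated line per matching packet: frame number,
# interface, direction, chain position, source IP, destination IP.
fw1_extract() {
    capture=$1; filter=$2
    tshark -r "$capture" \
        -o 'eth.interpret_as_fw1_monitor:TRUE' \
        -Y "$filter" \
        -T fields -E separator=, -E header=y \
        -e frame.number -e fw1.interface -e fw1.direction -e fw1.chain \
        -e ip.src -e ip.dst
}

# Usage: ./fw1_chains.sh <capture.cap> <interface> <direction> <chain>
# e.g.:  ./fw1_chains.sh fwmonitor.cap eth1 i 1   (capture name is a placeholder)
if [ $# -eq 4 ]; then
    fw1_extract "$1" "$(fw1_filter "$2" "$3" "$4")"
fi
```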

Imported from Nokia support database
