How to configure Wireshark to show Check Point FireWall chains in an FW Monitor packet

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk39510
Technical Level
Product	Other
Version	All
OS	Windows
Platform / Model	Intel/PC
Date Created	14-Apr-2009
Last Modified	24-Mar-2022

Solution

As of version 0.10.0, the Wireshark application is able to view Check Point FireWall chains in an FW Monitor packet capture in the same way CPEthereal application can.

Note: The CPEthereal application is no longer developed. Check Point recommends using the latest version of the Wireshark application to analyze FW Monitor packet captures.

Configure the Wireshark application to show the Check Point FireWall chains:

Close all instances of Wireshark.
Open one instance of Wireshark
From the top, click the 'Edit' menu - click 'Preferences...'.
Go to 'Protocols' - click 'Ethernet' - select the box 'Attempt to interpret as FireWall-1 Monitor File' - click 'Apply'.
Go to 'Appearance' (in v2.x) / 'User Interface' (in v1.x) - click 'Columns' - click '+' / 'Add' button - a new line is added at the bottom of the list:
- Double-click the title 'New Column' - assign a name (e.g., FW-1)
- Double-click the type 'Numbers' - choose 'FW-1 monitor if/direction'
Left-click and hold this new line - drag the line to the desired position (recommended position is between the 'Destination' and 'Protocol').
Click 'Apply'.
Click 'OK'.
Close Wireshark.
Open Wireshark.

You can use these filters in Wireshark to analyze the traffic captured with the FW Monitor tool:

Field Name	Type	Description	Relation operators	Possible values
`fw1.chain`	String	Chain Position	`== != > < >= <= contains matches`	Depends on FW Monitor position during traffic capture. For a complete list of Check Point kernel chains, refer to the output of the '`fw ctl chain`' command.
`fw1.direction`	String	Direction	`== != > < >= <= contains matches`	`i I o O`
`fw1.interface`	String	Interface	`== != > < >= <= contains matches`	Interface name as configured in the operating system and detected by Check Point kernel - refer to the output of '`fw ctl iflist`' command.
`fw1.type`	Unsigned 16-bit integer	Type	`== != > < >= <=`	Always `0x0800` (for IP protocol), because Check Point FireWall supports only TCP/IP stack.
`fw1.uuid`	Unsigned 32-bit integer	UUID	`== != > < >= <=`	Note: this field is irrelevant for analysis.

Example:

((fw1.interface == "eth1") and (fw1.direction == "i") and (fw1.chain == "1"))

Important Note:

The ability to show the Inbound and Outbound Chains from the FW Monitor capture is built into Wireshark by its vendor. For any changes in this functionality, submit the relevant request on the Wireshark web site.

For example, the R80.20 version added new chains - Pre-Outbound VPN Encryption "e", Post-Outbound VPN Encryption "E", Pre-Inbound VPN Decryption "d", Post-Inbound VPN Decryption "D", Pre-QoS "q", and Post-QoS "Q". As of March 2022, Wireshark does not show these chains.

Related Solutions:

Imported from Nokia support database

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating