Check Point troubleshooting

fw monitor command

FW MONITOR

Purpose: Many people have had some experience in running basic fw monitor commands, but the purpose of this cheat sheet type document is to familiarize the reader with the more complex commands and configurations for fw monitor. Knowing how to use fw monitor well will remove the need to ever use snoop or tcpdump.

Why fw monitor? The fw monitor utility is similar to snoop and tcpdump in being able to capture and display packet information. Unlike snoop or tcpdump, fw monitor is always available on FW-1, can show all interfaces at once and can have insertion points between different Check Point modules. The fw monitor commands are the same on every platform.

Fw monitor syntax:

There are many options for the fw monitor command; these can be seen by typing fw monitor -h on the command line:

Figure 1: fw monitor -h

Usage: fw monitor [-u|s] [-i] [-d] [-l len] [-m mask] [-x offset[,len]] [-o ] [-ci count] [-co count]

Each option is fully explained in the Check Point document How to use fw monitor.

Brief option description:

-u|s, is used to show the UUID, which is the same number during the entire connection

-i, is used to make sure that all info is written to standard output immediately

-d|D, is used to put fw monitor in debug or more verbose debug mode

-e, is used for the user defined expressions

-f, for the filter file

-l, is used to limit the packet length captured

-m, is a mask of the capture points (i, I, o, O) to display, such as the default mask of iIoO

-x, prints the packet data to the screen

-o, output file

-p[x] pos, is used to set the insertion point of the monitor

-p all, places insertion points between each module

-ci count, is used to break out of fw monitor after count incoming packets

-co count, is used to break out of fw monitor after count outgoing packets

Reading the output:

El59x1:i[48]: 10.10.10.20 -> 192.168.10.95 (TCP) len=48 id=944
TCP: 1034 -> 21 .S.... seq=78caaa74 ack=00000000

Here El59x1 is the interface, i is the capture point (i = pre-inbound, I = post-inbound, o = pre-outbound, O = post-outbound), [48] is the captured length, followed by source -> destination, protocol, IP length and IP id; the second line gives the TCP ports, the flags (S = SYN) and the sequence and acknowledgement numbers.

Diagram 1

Filter expressions:

A great reference for filter expressions is the tcpip.def file located in $FWDIR/lib.

In this document we will just describe a few and how they work.

#define ip_tos [ 1 : 1]
#define ip_len [ 2 : 2, b]
#define ip_id [ 4 : 2, b]
#define ip_off [ 6 : 2, b]
#define ip_ttl [ 8 : 1]
#define ip_p [ 9 : 1]
#define ip_sum [ 10 : 2, b]
#define ip_src [ 12 , b]
#define ip_dst [ 16 , b]
#define PROTO_icmp 1
#ifdef IPV6_ENABLED
#define PROTO_icmp6 58
#endif
#define PROTO_tcp 6
#define PROTO_udp 17

This sample of the tcpip.def file shows how the macros used in the firewall are defined.

For example, ip_src is [ 12, b]. This means that at offset 12 bytes the data is read in big-endian order to obtain the source IP address.

ip_len is defined as [ 2 : 2, b]. This means that at offset 2 bytes, a 2-byte value is read in big-endian order to obtain the IP length field.

These expressions can be used in an fw monitor command to filter on whatever is needed. For example, to capture packets to and from one IP address of interest we could use:

fw monitor -e "accept [12, b]=192.168.126.1 or [16, b]=192.168.126.1;"

or you could use the macro definitions:

fw monitor -e "accept src=10.110.8.166 or dst=10.110.8.166;"

Using the macro definitions is usually easier to remember.

In this doc we will use the macros in the tcpip.def file.

Syntax Examples (cheat sheet):

Basic capture of everything on all interfaces:

fw monitor

To filter on an IP of interest:

-e accept src=192.168.126.1;

This will show only packets whose source address matches src.

-e accept src=192.168.126.1 or dst=192.168.126.1;

This will show packets where either the source or the destination address matches, and is an example of the Or operator in use.

To filter on a particular protocol of interest:

-e accept ip_p=6;

This will show TCP packets only.

-e accept ip_p=17;

This will show UDP packets only.

-e accept ip_p=6 or ip_p=50;

This will show TCP and ESP packets.

Making a slightly more complex expression, we will use IP address and protocol type as an example:

-e accept ip_p=6 and src=192.168.126.1;

This is an example of the And operator in use. If we used ping to test 192.168.126.1, fw monitor would not show these packets, but if we used ftp to connect to 192.168.126.1 then all packets with a source of 192.168.126.1 would be shown.

To filter on packet length:

-e accept ip_len=60;

This will show all packets whose IP header plus data length is 60 bytes.

A standard Windows ping is 60 bytes total. This is found by adding the IP header of 20 bytes to the 8-byte ICMP header and 32 bytes of ICMP data.

If we were trying to filter only packets larger or smaller than a certain size we could use:

-e accept ip_len>512;

This will show IP packets larger than 512 bytes.

-e accept ip_len 60 and ip_len
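The offset syntax and tcpip.def macros explained earlier, and the cheat-sheet expressions above, as an added example that is not part of the original document: a small Python evaluator that applies fw monitor-style filter expressions to constructed IPv4 packets. It assumes that a bare [offset, b] with no length reads 4 bytes and that and binds tighter than or; the packets, addresses and the PING/FTP samples are constructed for the example.

```python
import ipaddress
import re
import struct

# Field macros from the tcpip.def excerpt, name -> (offset, length); src/dst are the aliases used above.
MACROS = {
    "ip_tos": (1, 1), "ip_len": (2, 2), "ip_id": (4, 2), "ip_off": (6, 2), "ip_ttl": (8, 1),
    "ip_p": (9, 1), "ip_sum": (10, 2), "ip_src": (12, 4), "ip_dst": (16, 4), "src": (12, 4), "dst": (16, 4),
}
PROTO = {"PROTO_icmp": 1, "PROTO_tcp": 6, "PROTO_udp": 17}
# One comparison: "[offset:len, b] OP value" or "macro OP value".
TERM = re.compile(r"^\s*(\[\s*(\d+)\s*(?::\s*(\d+))?\s*,\s*b\s*\]|\w+)\s*(=|>=|<=|>|<)\s*(\S+)\s*$")

def read_field(pkt, offset, length):
    """[offset:length, b]: read `length` bytes at `offset` as a big-endian integer."""
    return int.from_bytes(pkt[offset:offset + length], "big")

def to_value(token):
    """Right-hand side: a PROTO_* name, a dotted IPv4 address, or a plain integer."""
    if token in PROTO:
        return PROTO[token]
    return int(ipaddress.IPv4Address(token)) if "." in token else int(token, 0)

def eval_term(term, pkt):
    m = TERM.match(term)
    if not m:
        raise ValueError(f"cannot parse term {term!r}")
    field, off, ln, op, rhs = m.groups()
    # Assumption: a bare [offset, b] with no length reads 4 bytes (an IPv4 address).
    offset, length = (int(off), int(ln) if ln else 4) if off else MACROS[field]
    lhs, rv = read_field(pkt, offset, length), to_value(rhs)
    return {"=": lhs == rv, ">": lhs > rv, "<": lhs < rv, ">=": lhs >= rv, "<=": lhs <= rv}[op]

def matches(expr, pkt):
    """Evaluate 'accept term [and|or term]...;' on a raw IPv4 packet; assumes 'and' binds tighter than 'or'."""
    body = expr.strip().rstrip(";").strip()
    body = body[len("accept "):] if body.startswith("accept ") else body
    return any(all(eval_term(t, pkt) for t in re.split(r"\s+and\s+", clause))
               for clause in re.split(r"\s+or\s+", body))

def ipv4(src, dst, proto, payload_len):
    """Constructed IPv4 header (id=944, ttl=64, checksum left at 0) followed by a zero payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 944, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + bytes(payload_len)

# Constructed traffic mirroring the cheat sheet: a Windows ping (20 + 8 + 32 = 60 bytes) and an
# FTP packet, both sourced from 192.168.126.1.
PING = ipv4("192.168.126.1", "10.10.10.20", PROTO["PROTO_icmp"], 40)
FTP = ipv4("192.168.126.1", "10.10.10.20", PROTO["PROTO_tcp"], 20)
```

For example, matches("accept ip_p=6 and src=192.168.126.1;", PING) is False while the same expression on FTP is True, which is the ping-versus-ftp behaviour described in the cheat sheet.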