Purpose:
Many people have had some experience in running basic fw monitor commands but the
purpose of this cheat sheet type document is to familiarize the reader with the more
complex commands and configurations for fw monitor. Knowing how to use fw monitor
well will negate the need for ever using snoop or tcpdump.
Why fw monitor?
The fw monitor utility is similar to snoop and tcpdump in being able to capture and
display packet information. Unlike snoop or tcpdump, fw monitor is always available on
FW-1, can show all interfaces at once and can have insertion points between different
Check Point modules. The fw monitor commands are the same on every platform.
Fw monitor syntax:
There are many options for the fw monitor command and these can be seen by typing fw
monitor -h on the command line;
Figure 1
fw monitor -h
Usage: fw monitor [-u|s] [-i] [-d] <{-e expr}+|-f <filter-file|->> [-l len] [-m mask] [-x
offset[,len]] [-o <file>] <[-pi pos] [-pI pos] [-po pos] [-pO pos] | -p all [-a]> [-ci count] [-co count]
Each option is fully explained in the Check Point document How to use fw monitor.
Brief option description;
-u|s, is used to show the uuid which is the same number during the entire connection
-i, is used to make sure that all info is written to standard output immediately
-d|D, is used to put fw monitor in debug or more Debug modes
-e, is used for the user defined expressions
-f, for the filter file
-l, is used to limit the packet length captured
-m, is a mask of interface such as the default mask of iIoO
-x, prints the packet data to the screen
-o, output file
#define PROTO_tcp 6
#define PROTO_udp 17
This sample of the tcpip.def file shows how the macros used in the firewall are defined.
For example ip_src is [ 12, b]. This means that at offset 12 bytes data is read in big endian
to gain the source ip address.
ip_len is defined as [2:2, b]. This means that at offset 2 bytes, a 2 byte length is read in
big endian to determine the ip length field.
These expressions can be used in an fw monitor command to filter on whatever is needed.
For example to capture packets to and from one ip address of interest we could use,
fw monitor -e 'accept [12, b]=192.168.126.1 or [16, b]=192.168.126.1;'
OR you could use the macro definition
fw monitor -e 'accept src=10.110.8.166 or dst=10.110.8.166;'
Using the macro definitions is usually easier to remember.
In this doc we will use the macros in the tcpip.def file.
Syntax Examples (cheat sheet);
Basic capture of everything on all interfaces,
fw monitor
To filter on an ip of interest,
-e accept src=192.168.126.1;
This will show just source address matching src.
-e accept src=192.168.126.1 or dst=192.168.126.1;
This will show both source and destination matching src or dst and is an example of the
Or operator in use.
To filter on a particular protocol of interest,
-e accept ip_p=6;
This will show TCP packets only.
-e accept ip_p=17;
This will show UDP packets only.
-e accept ip_p=6 or ip_p=50;
This will show TCP and ESP protocols
Making a slightly more complex expression we will use ip address and protocol type as
an example.
-e accept ip_p=6 and src=192.168.126.1;
This is an example of the And operator in use. If we used ping to test 192.168.126.1 the
fw monitor would not show these packets, but if we used ftp to connect to 192.168.126.1
then all packets with a source of 192.168.126.1 would be shown.
To filter on an packet length
-e accept ip_len=60;
This will show all packets with the IP header and Data length of 60 bytes.
A standard Windows ping is 60 bytes total. This is found by adding the IP header of 20
bytes to the 8 bytes ICMP header and 32 bytes of ICMP data.
If we were trying to filter only packets larger or smaller than a certain size we could use;
-e accept ip_len>512;
This will show ip packets larger than 512 bytes.
-e accept ip_len <512;
This will show packets smaller than 512 bytes.
-e accept ip_len > 60 and ip_len<70;
This will show packets between 61 and 69 bytes long.
Note that ip_len is defined as the IP header and Data.
To filter on a source port or destination port
-e accept sport=21;
This will show packets from port 21.
-e accept dport=21;
This will show destination port 21
-e accept sport=21 or dport=21;
This will show source or destination port 21.
Note; that the definitions for sport, th_sport, and uh_sport are all the same [20: 2, b]. The
same is true for dport, th_dport and uh_dport [22: 2, b]. This means a filter as set above
will show port 21 even if it is a UDP port. If you wanted to filter only TCP ports you
would have to add expressions.
-e accept ip_p=6 and sport=21 or dport=21;
This would show port 21 and only TCP.
To filter on a port and an IP address
-e accept sport=21 or dport=21 and src=192.168.126.1 or dst=192.168.126.1;
To filter flags or TCP states
The th_flags macro can be used in different ways and can get confusing so here is a brief
explanation. The definitions below show how the macros for the flags are defined. In the
syntax we can use the hexadecimals listed in this manner.
TH_FIN 0x1
TH_SYN 0x2
TH_RST 0x4
TH_PUSH 0x8
TH_ACK 0x10
TH_URG 0x20
-e accept th_flags=0x1;
This will only show packets that have only the FIN flag set. If any other flag is also set the
packet will not show up.
-e accept th_flags=0x11;
This will show packets with FIN and ACK flags set.
As you can see the hex numbers can be added together to reflect the flags you want.
OR we can use the following syntax;
-e accept th_flags & 0x1;
This will show packets with the FIN flag set even if other flags are set. This expression
basically says look for flags AND if FIN is set show it.
-e accept th_flags = fin;
This will show packets with a FIN flag set even if other flags are set since fin is already
defined as seen below in this sample of the tcpip.def file. Any of the below can be used.
syn { th_flags & TH_SYN };
fin { th_flags & TH_FIN };
rst { th_flags & TH_RST };
ack { th_flags & TH_ACK };
first { th_flags & TH_SYN, not (th_flags & TH_ACK) };
established { (th_flags & TH_ACK) or ((th_flags & TH_SYN) = 0) };
not_first { not ( th_flags & TH_SYN ) };
last { th_flags & TH_FIN, th_flags & TH_ACK };
tcpdone { fin or rst };
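The tcpip.def offsets above, the note that sport and dport read the same bytes for TCP and UDP, and the two ways of testing th_flags (exact value versus & bitmask) all come down to reading fixed byte positions in the raw packet. The following Python is an added example written for this page, not Check Point code and not the INSPECT engine: it constructs a few sample packets, evaluates the page's macros ([12, b], [16, b], [2:2, b], [20:2, b], [22:2, b] and the TCP flags byte, which sits at offset 33) against them, and runs the page's -e expressions as equivalent Python predicates. The packet builders, the PACKETS list and the run() helper are assumptions made for illustration; like the fixed-offset macros themselves, they assume a 20-byte IP header with no options.

```python
"""Model of fw monitor's [offset:len, b] macros over constructed packets.

Added example for this cheat sheet; not Check Point code. The macro offsets
are fixed byte positions and assume a 20-byte IPv4 header without options.
"""
import socket
import struct

# Flag bits exactly as listed in the tcpip.def sample on the page.
TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG = 0x1, 0x2, 0x4, 0x8, 0x10, 0x20
PROTO_tcp, PROTO_udp = 6, 17


def build_ipv4(proto, src, dst, payload):
    """20-byte IPv4 header (no options) + payload; checksum left at zero."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_tcp(sport, dport, flags, data=b""):
    """20-byte TCP header (data offset 5 words) with the given flags byte."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                       8192, 0, 0) + data


def build_udp(sport, dport, data):
    """8-byte UDP header followed by data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def field(pkt, offset, length=4):
    """[offset:length, b]: read `length` bytes at `offset`, big endian."""
    return int.from_bytes(pkt[offset:offset + length], "big")


def ip(addr):
    """Dotted quad to the integer that [12, b] / [16, b] produce."""
    return int.from_bytes(socket.inet_aton(addr), "big")


def macros(pkt):
    """The page's tcpip.def macros evaluated against one raw packet."""
    return {
        "ip_len": field(pkt, 2, 2),     # [2:2, b]  IP header + data length
        "ip_p": field(pkt, 9, 1),       # [9:1, b]  protocol number
        "src": field(pkt, 12),          # [12, b]
        "dst": field(pkt, 16),          # [16, b]
        "sport": field(pkt, 20, 2),     # [20:2, b] same bytes for TCP and UDP
        "dport": field(pkt, 22, 2),     # [22:2, b]
        "th_flags": field(pkt, 33, 1),  # [33:1, b] TCP flags byte (20 + 13)
    }


# Constructed sample traffic (not a capture): an FTP control session plus one
# UDP datagram that happens to use source port 21.
PACKETS = [
    build_ipv4(PROTO_tcp, "192.168.126.1", "10.0.0.5", build_tcp(40000, 21, TH_SYN)),
    build_ipv4(PROTO_tcp, "10.0.0.5", "192.168.126.1", build_tcp(21, 40000, TH_SYN | TH_ACK)),
    build_ipv4(PROTO_udp, "10.0.0.9", "192.168.126.1", build_udp(21, 5000, b"DNS-query-placeholder")),
    build_ipv4(PROTO_tcp, "192.168.126.1", "10.0.0.5", build_tcp(40000, 21, TH_FIN | TH_ACK)),
    build_ipv4(PROTO_tcp, "10.0.0.5", "192.168.126.1", build_tcp(21, 40000, TH_FIN)),
]

# The page's -e expressions, each paired with the same test written in Python.
EXPRESSIONS = {
    "accept sport=21 or dport=21;":
        lambda m: m["sport"] == 21 or m["dport"] == 21,
    "accept ip_p=6 and (sport=21 or dport=21);":
        lambda m: m["ip_p"] == PROTO_tcp and (m["sport"] == 21 or m["dport"] == 21),
    "accept th_flags=0x1;":                 # exact match: FIN and nothing else
        lambda m: m["th_flags"] == 0x1,
    "accept th_flags=0x11;":                # exact match: FIN + ACK
        lambda m: m["th_flags"] == 0x11,
    "accept th_flags & 0x1;":               # bitmask: FIN set, other flags ignored
        lambda m: bool(m["th_flags"] & TH_FIN),
    "accept ip_p=6 and th_flags & 0x1;":    # bitmask, restricted to TCP
        lambda m: m["ip_p"] == PROTO_tcp and bool(m["th_flags"] & TH_FIN),
    "accept first;":                        # SYN without ACK, as in tcpip.def
        lambda m: bool(m["th_flags"] & TH_SYN) and not (m["th_flags"] & TH_ACK),
    "accept src=192.168.126.1 and ip_p=6;":
        lambda m: m["src"] == ip("192.168.126.1") and m["ip_p"] == PROTO_tcp,
}


def run(expr, packets=PACKETS):
    """Indexes of the packets that the named expression would accept."""
    test = EXPRESSIONS[expr]
    return [i for i, pkt in enumerate(packets) if test(macros(pkt))]


if __name__ == "__main__":
    for expr in EXPRESSIONS:
        print(f"{expr:42s} -> packets {run(expr)}")
```

Two things the run shows that the page's prose only states: the UDP datagram (index 2) is accepted by `sport=21 or dport=21`, and it is also accepted by `th_flags & 0x1`, because offset 33 in a UDP packet is simply a payload byte that happens to have its low bit set; adding `ip_p=6` removes it in both cases. The TCP port filter is written with explicit parentheses so the grouping is unambiguous.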
Figure 2: fw monitor -ci 3
To change the insertion point you can use the relative position, i.e. 1, 2, 3 etc.,
or you can use the alias such as secxl_sync. All details on usage and syntax can be found
in How to use fw monitor.
Figure 4
NG AI has a new position option, -p all, which inserts at each point in the chain.
To filter packets that are part of a network or a range of ip addresses
-e accept netof src=192.168.10.0;
This will show all packets with an address on network 192.168.10.0
A mask cannot be set; it is implied by the address. So if you have subnetted further you
will need a different syntax to capture a range of addresses.
-e internal = {<192.168.10.0, 192.168.10.128>}; accept (192.168.10.0 in internal);
This will show all packets in the internal definition.
Putting it together with more complex expressions;
-e accept not (src=192.168.126.1);
To see all but src above.
-e accept sport=21 and not (src=192.168.126.1);
To see source port 21 but not from 192.168.126.1.
-e accept src=192.168.126.1 or dst=192.168.126.1 and not (sport=22 or dport=22);
To see everything to and from ip except ssh.
-e accept src=192.168.126.1 or dst=192.168.126.1 and not (sport=21 or dport=21)
and not (sport=22 or dport=22);
To show all to and from the ip except ssh and ftp.
-ci 200 -m iI -pi secxl_sync -e 'accept ip_p=6 and netof src=192.168.10.0 and not
(sport=22 or dport=22);'
This will show 200 incoming packets before breaking out, with a mask of iI showing both
pre-in and post-in with the monitor insertion point being before the Secxl_sync module in
the chain. In addition it will only show TCP packets that have an ip address that is part of
192.168.10.0 network but not the ssh protocol.
This may be more complex than is reasonable but it shows what can be done with fw
monitor.
http://www.checkpoint.com/techsupport/downloads/html/ethereal/fw_monitor_rev1_01.pdf
Another option is just to write a basic capture to an output file with -o and then use Ethereal to read and
filter it. How to use fw monitor has a great Ethereal section.
CP_Ethereal: can be downloaded from
http://iii.us.checkpoint.com/support/ts_tools.html