
FW MONITOR

Purpose:
Many people have had some experience running basic fw monitor commands, but the purpose of this cheat-sheet style document is to familiarize the reader with the more complex commands and configurations for fw monitor. Knowing how to use fw monitor well removes most of the need for snoop or tcpdump on a firewall module.
Why fw monitor?
The fw monitor utility is similar to snoop and tcpdump in being able to capture and display packet information. Unlike snoop or tcpdump, fw monitor is always available on FW-1, can show all interfaces at once, and can have insertion points between the different Check Point kernel modules, so a packet can be seen before and after a given module handles it. The fw monitor commands are the same on every platform.
Fw monitor syntax:
There are many options for the fw monitor command and these can be seen by typing fw monitor -h on the command line;

Figure 1
fw monitor -h
Usage: fw monitor [-u|s] [-i] [-d] <{-e expr}+|-f <filter-file|->> [-l len] [-m mask] [-x offset[,len]] [-o <file>] <[-pi pos] [-pI pos] [-po pos] [-pO pos] | -p all [-a ]> [-ci count] [-co count]
Each option is fully explained in the Check Point document How to use fw monitor.
Brief option description;
-u|s, prints the connection UUID (-u) or session UUID (-s), which stays the same for the entire connection
-i, flushes standard output after every packet so that all info is written immediately
-d|D, puts fw monitor in debug (-d) or more verbose debug (-D) mode
-e expr, a user defined filter expression (INSPECT syntax, terminated with ;)
-f file, reads the filter expression from a file (- reads it from standard input)
-l len, limits the length captured from each packet
-m mask, a mask of the inspection points to capture at; the default mask is iIoO
-x offset[,len], prints the packet data, in hex, from offset onwards to the screen
-o file, writes the capture to a file
-p[iIoO] pos, sets the insertion point of the monitor for that inspection point (relative position or module alias)
-p all, places insertion points between each module
-ci count, breaks out of fw monitor after <count> incoming packets
-co count, breaks out of fw monitor after <count> outgoing packets
Reading the output:
El59x1:i[48]: 10.10.10.20 -> 192.168.10.95 (TCP) len=48 id=944
TCP: 1034 -> 21 .S.... seq=78caaa74 ack=00000000
Diagram 1
The first line is read left to right as: the interface ID (El59x1); the insertion position at which the packet was seen, where i = pre-in, I = post-in, o = pre-out and O = post-out; the captured packet length in brackets; the source IP (10.10.10.20); the destination IP (192.168.10.95); the protocol (TCP); and the IP length and IP ID fields.
The second line gives the source port (1034), the destination port (21), the TCP flags (.S...., where S = SYN is set) and the sequence and acknowledgement numbers.
Filter expressions;
A great reference for filter expressions is the tcpip.def file located in $FWDIR/lib. In this document we will just describe a few and how they work.
#define ip_tos [ 1 : 1]
#define ip_len [ 2 : 2, b]
#define ip_id [ 4 : 2, b]
#define ip_off [ 6 : 2, b]
#define ip_ttl [ 8 : 1]
#define ip_p [ 9 : 1]
#define ip_sum [ 10 : 2, b]
#define ip_src [ 12 , b]
#define ip_dst [ 16 , b]
#define PROTO_icmp 1
#ifdef IPV6_ENABLED
#define PROTO_icmp6 58
#endif
#define PROTO_tcp 6
#define PROTO_udp 17

This sample of the tcpip.def file shows how the macros used in the firewall are defined. The general form is [ offset : length, b ]: offset counts bytes from the start of the IP header, length is the number of bytes to read (4 if it is omitted) and b means the bytes are read big endian, i.e. in network order.
For example ip_src is [ 12, b ]. This means that the 4 bytes at offset 12 are read big endian to get the source ip address.
ip_len is defined as [ 2 : 2, b ]. This means that at offset 2 a 2 byte value is read big endian to get the ip total length field.
These expressions can be used in an fw monitor command to filter on whatever is needed. For example to capture packets to and from one ip address of interest we could use,
fw monitor -e 'accept [12, b]=192.168.126.1 or [16, b]=192.168.126.1;'
OR you could use the macro definitions (src and dst are the tcpip.def names for the source and destination address fields),
fw monitor -e 'accept src=10.110.8.166 or dst=10.110.8.166;'
Using the macro definitions is usually easier to remember. In this doc we will use the macros in the tcpip.def file.
Syntax Examples (cheat sheet);
Only the -e part of the command is shown below. When typing it at a shell, quote the expression, e.g. fw monitor -e 'accept src=192.168.126.1;', so that the ; and any parentheses or brackets reach fw monitor instead of being interpreted by the shell.
Basic capture of everything on all interfaces,
fw monitor
To filter on an ip of interest,
-e accept src=192.168.126.1;
This will show only packets whose source address matches.
-e accept src=192.168.126.1 or dst=192.168.126.1;
This will show packets whose source or destination matches, and is an example of the or operator in use.
To filter on a particular protocol of interest,
-e accept ip_p=6;
This will show TCP packets only.
-e accept ip_p=17;
This will show UDP packets only.
-e accept ip_p=6 or ip_p=50;
This will show TCP and ESP (IP protocol 50) packets.
Making a slightly more complex expression we will use ip address and protocol type as an example.
-e accept ip_p=6 and src=192.168.126.1;
This is an example of the and operator in use. If we used ping to test 192.168.126.1, fw monitor would not show those packets (ICMP is ip_p=1), but if we used ftp to connect to 192.168.126.1 then all TCP packets with a source of 192.168.126.1 would be shown.
To filter on a packet length
-e accept ip_len=60;
This will show all packets with an IP header plus data length of 60 bytes.
A standard Windows ping is 60 bytes total. This is found by adding the IP header of 20 bytes to the 8 byte ICMP header and 32 bytes of ICMP data.
If we were trying to filter only packets larger or smaller than a certain size we could use;
-e accept ip_len>512;
This will show ip packets larger than 512 bytes.
-e accept ip_len<512;
This will show packets smaller than 512 bytes.
-e accept ip_len>60 and ip_len<70;
This will show packets between 61 and 69 bytes long.
Note that ip_len is defined as the IP total length, i.e. the IP header and data, not the frame size on the wire.
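As an added example (not part of the original cheat sheet and not Check Point code), the following Python models the [ offset : length, b ] reads and the ip_len, ip_p, src and dst filters above over two constructed packets: a TCP SYN shaped like the sample line in Diagram 1, and a 60-byte Windows-style ping. The ipv4(), tcp() and addr() helpers and the sample addresses are assumptions made for the example; the offsets are the ones quoted from tcpip.def.

```python
import socket
import struct

# Constructed sample packets, not captures: an IPv4/TCP SYN shaped like the
# sample line in Diagram 1, and an IPv4/ICMP echo request shaped like a
# default Windows ping (8-byte ICMP header + 32 bytes of data).

def ipv4(proto, src, dst, payload):
    """Minimal 20-byte IPv4 header (no options) in front of payload (assumed helper)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def tcp(sport, dport, flags, seq=0x78CAAA74):
    """Minimal 20-byte TCP header: ports, seq, ack, data offset 5, flags, window, csum, urg."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)

TCP_SYN = ipv4(6, "10.10.10.20", "192.168.10.95", tcp(1034, 21, 0x02))
WIN_PING = ipv4(1, "10.10.10.20", "192.168.10.95",
                struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"abcdefghijklmnopqrstuvwabcdefghi")

def field(pkt, offset, length=4):
    """[offset : length, b]: read `length` bytes at `offset` from the start of the
    IP header, big endian. Length defaults to 4, which is why [12, b] == [12:4, b]."""
    return int.from_bytes(pkt[offset:offset + length], "big")

# The tcpip.def macros quoted above, as functions over a packet.
def ip_len(pkt): return field(pkt, 2, 2)   # [ 2 : 2, b]
def ip_p(pkt):   return field(pkt, 9, 1)   # [ 9 : 1]
def ip_src(pkt): return field(pkt, 12)     # [ 12 , b]   (src)
def ip_dst(pkt): return field(pkt, 16)     # [ 16 , b]   (dst)

def addr(dotted):
    """A dotted-quad literal in the same big-endian form the 4-byte field reads."""
    return int.from_bytes(socket.inet_aton(dotted), "big")

# Filters from the cheat sheet, one function each.
def host_match(pkt, dotted):
    """accept src=X or dst=X;"""
    return ip_src(pkt) == addr(dotted) or ip_dst(pkt) == addr(dotted)

def tcp_from(pkt, dotted):
    """accept ip_p=6 and src=X;  (a ping from X does not match: ip_p would be 1)"""
    return ip_p(pkt) == 6 and ip_src(pkt) == addr(dotted)

def size_between(pkt, low, high):
    """accept ip_len > low and ip_len < high;  both ends exclusive"""
    return low < ip_len(pkt) < high

if __name__ == "__main__":
    for name, pkt in (("TCP_SYN", TCP_SYN), ("WIN_PING", WIN_PING)):
        print(name, "ip_len", ip_len(pkt), "ip_p", ip_p(pkt),
              "to/from 192.168.10.95:", host_match(pkt, "192.168.10.95"))
```

Running it shows ip_len 60 for the constructed ping (20 + 8 + 32) and 40 for the SYN, and that ip_len > 60 and ip_len < 70 does not catch the 60-byte ping because both ends are exclusive.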
To filter on a source port or destination port
-e accept sport=21;
This will show packets with source port 21.
-e accept dport=21;
This will show packets with destination port 21.
-e accept sport=21 or dport=21;
This will show source or destination port 21.
Note that the definitions for sport, th_sport and uh_sport are all the same, [20: 2, b], and the same is true for dport, th_dport and uh_dport, [22: 2, b]. The macros simply read the two bytes at offset 20 (or 22) from the start of the IP header, which is where the port sits in both a TCP and a UDP header (assuming a 20 byte IP header with no options); nothing checks the protocol. This means a filter as set above will show port 21 even if it is a UDP port, and it would also match any other protocol whose bytes at that offset happen to equal 21. If you want to filter only TCP ports you have to add the protocol to the expression, and parenthesize the or so that the and applies to both port tests:
-e accept ip_p=6 and (sport=21 or dport=21);
This would show port 21 and only TCP. Without the parentheses, ip_p=6 and sport=21 or dport=21 could be read as (ip_p=6 and sport=21) or dport=21, which lets UDP packets to port 21 through.
To filter on a port and an IP address
-e accept (sport=21 or dport=21) and (src=192.168.126.1 or dst=192.168.126.1);
To filter flags or TCP states
The th_flags macro can be used in different ways and can get confusing, so here is a brief explanation. The definitions below show how the macros for the flags are defined. In the syntax we can use the hexadecimal values listed in this manner.
TH_FIN 0x1
TH_SYN 0x2
TH_RST 0x4
TH_PUSH 0x8
TH_ACK 0x10
TH_URG 0x20

-e accept th_flags=0x1;
This will only show packets that have only the FIN flag set. If any other flag is also set the packet will not show up.
-e accept th_flags=0x11;
This will show packets with exactly the FIN and ACK flags set.
As you can see the hex values can be added together to reflect the flags you want, but = is an exact comparison of the whole flags byte.
OR we can use the following syntax;
-e accept th_flags & 0x1;
This will show packets with the FIN flag set even if other flags are set. This expression basically says mask the flags with FIN and, if the result is non-zero, show it.
-e accept fin;
This will also show packets with the FIN flag set even if other flags are set, since fin is already defined as the condition th_flags & TH_FIN, as seen below in this sample of the tcpip.def file. Any of the conditions below can be used by name in the same way (tcpdone itself is written as fin or rst). A comma in these definitions is INSPECT's and.
syn { th_flags & TH_SYN };
fin { th_flags & TH_FIN };
rst { th_flags & TH_RST };
ack { th_flags & TH_ACK };
first { th_flags & TH_SYN, not (th_flags & TH_ACK) };
established { (th_flags & TH_ACK) or ((th_flags & TH_SYN) = 0) };
not_first { not ( th_flags & TH_SYN ) };
last { th_flags & TH_FIN, th_flags & TH_ACK };
tcpdone { fin or rst };
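An added example, not from the cheat sheet or from tcpip.def: the flag filters above evaluated in Python over a constructed flags sequence for one TCP session, to show which packets an exact th_flags=... test, a masked th_flags & ... test and each tcpip.def condition would let through. The TRACE values are an assumption made here, and render() assumes the F S R P A U column order suggested by the .S.... in Diagram 1.

```python
# TCP flag filters evaluated over a constructed flags sequence. th_flags is the
# flags byte at offset 33 from the IP header start (20-byte IP header + TCP offset 13).
TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG = 0x1, 0x2, 0x4, 0x8, 0x10, 0x20

# The tcpip.def conditions quoted above; a comma in those definitions is INSPECT's and.
def syn(f):         return f & TH_SYN != 0
def fin(f):         return f & TH_FIN != 0
def rst(f):         return f & TH_RST != 0
def ack(f):         return f & TH_ACK != 0
def first(f):       return syn(f) and not ack(f)
def established(f): return ack(f) or (f & TH_SYN) == 0
def not_first(f):   return not syn(f)
def last(f):        return fin(f) and ack(f)
def tcpdone(f):     return fin(f) or rst(f)

FILTERS = {
    "th_flags=0x1":  lambda f: f == 0x1,        # exactly FIN, nothing else set
    "th_flags=0x11": lambda f: f == 0x11,       # exactly FIN+ACK
    "th_flags&0x1":  lambda f: f & 0x1 != 0,    # FIN set, other flags ignored
    "fin": fin, "first": first, "established": established,
    "not_first": not_first, "last": last, "tcpdone": tcpdone,
}

# Constructed flag bytes for one session (assumed, not a capture):
# SYN, SYN/ACK, ACK, PSH/ACK data, FIN/ACK, RST.
TRACE = [0x02, 0x12, 0x10, 0x18, 0x11, 0x04]

def passing(name, trace=TRACE):
    """Indexes in trace that the named filter would accept."""
    return [i for i, f in enumerate(trace) if FILTERS[name](f)]

def render(f):
    """Flags column as fw monitor prints it, assuming the F S R P A U column
    order suggested by '.S....' for a SYN in Diagram 1."""
    bits = (TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG)
    return "".join(ch if f & bit else "." for ch, bit in zip("FSRPAU", bits))

if __name__ == "__main__":
    for name in FILTERS:
        print(f"{name:14} -> {[render(TRACE[i]) for i in passing(name)]}")
```

Two things the table makes visible: th_flags=0x1 matches nothing in a normal session because a FIN is almost always sent with ACK, and established is true for the bare RST as well, since it only requires SYN to be clear.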

To filter on ICMP types
-e accept icmp_type=8;
This will show echo requests.
-e accept icmp_type=0;
This will show echo replies.
icmp_type is defined in tcpip.def as [20:1], the first byte of the ICMP header, and like sport and dport it is read whatever the protocol is. A TCP or UDP packet whose source port happens to begin with that byte (for example source port 2048, 0x0800, when testing icmp_type=8) would match too, so add the protocol when it matters:
-e accept ip_p=1 and icmp_type=8;
See the tcpip.def file for the icmp_type definitions. Here are a couple of examples,
8= echo
0= echo reply
3= unreachable
5= redirect
11= ttl exceeded
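The port and ICMP caveats above (sport/dport and icmp_type all read fixed offsets regardless of ip_p, and an and/or mix needs parentheses) are shown here in an added Python example that is not part of the cheat sheet or of Check Point's code. It builds four constructed packets that share bytes at offset 20-23 and runs each filter over them; the ipv4() helper, the addresses and the port numbers are assumptions made for the example, and the ungrouped filter assumes the common reading in which and binds tighter than or.

```python
import socket
import struct

def ipv4(proto, src, dst, payload):
    """Minimal 20-byte IPv4 header (no options) + payload. Assumed helper, not a capture."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def field(pkt, offset, length):
    """[offset:length, b] from tcpip.def: big-endian read from the IP header start."""
    return int.from_bytes(pkt[offset:offset + length], "big")

# The macros as tcpip.def defines them: they read offset 20/22 whatever ip_p is,
# and they assume a 20-byte IP header (no options).
def ip_p(pkt):      return field(pkt, 9, 1)
def sport(pkt):     return field(pkt, 20, 2)   # same bytes as th_sport and uh_sport
def dport(pkt):     return field(pkt, 22, 2)   # same bytes as th_dport and uh_dport
def icmp_type(pkt): return field(pkt, 20, 1)   # first byte of the ICMP header

# Four constructed packets; addresses and ports are assumptions for the example.
A, B = "10.0.0.5", "10.0.0.9"
TCP_FTP   = ipv4(6,  A, B, struct.pack("!HH", 21, 40000) + bytes(16))         # TCP sport 21
UDP_21    = ipv4(17, A, B, struct.pack("!HHHH", 40000, 21, 12, 0) + bytes(4))  # UDP dport 21
ICMP_ECHO = ipv4(1,  A, B, struct.pack("!BBHHH", 8, 0, 0, 1, 1))               # echo request
TCP_2048  = ipv4(6,  A, B, struct.pack("!HH", 2048, 80) + bytes(16))          # sport 0x0800
PACKETS = [("TCP_FTP", TCP_FTP), ("UDP_21", UDP_21),
           ("ICMP_ECHO", ICMP_ECHO), ("TCP_2048", TCP_2048)]

def port21_any(pkt):
    """accept sport=21 or dport=21;"""
    return sport(pkt) == 21 or dport(pkt) == 21

def port21_tcp(pkt):
    """accept ip_p=6 and (sport=21 or dport=21);"""
    return ip_p(pkt) == 6 and (sport(pkt) == 21 or dport(pkt) == 21)

def port21_tcp_ungrouped(pkt):
    """accept ip_p=6 and sport=21 or dport=21;  read as (ip_p=6 and sport=21) or dport=21
    when and binds tighter than or (assumed here)"""
    return (ip_p(pkt) == 6 and sport(pkt) == 21) or dport(pkt) == 21

def echo_request_naive(pkt):
    """accept icmp_type=8;   any packet whose byte at offset 20 is 0x08 matches"""
    return icmp_type(pkt) == 8

def echo_request(pkt):
    """accept ip_p=1 and icmp_type=8;"""
    return ip_p(pkt) == 1 and icmp_type(pkt) == 8

def select(filter_fn, packets=PACKETS):
    """Names of the packets a filter function would let fw monitor show."""
    return [name for name, pkt in packets if filter_fn(pkt)]

if __name__ == "__main__":
    for fn in (port21_any, port21_tcp, port21_tcp_ungrouped, echo_request_naive, echo_request):
        print(f"{fn.__doc__.splitlines()[0]:48} -> {select(fn)}")
```

The naive echo-request filter picks up the TCP packet from source port 2048 purely because its first port byte is 0x08, and the ungrouped port filter lets the UDP packet through; adding ip_p and the parentheses gives the intended single match in each case.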
To set the mask on the inspection points
-m io
Will show pre-in and pre-out packets.
-m IO
Will show post-in and post-out packets.
The mask defaults to iIoO and shows all four inspection points. It can be set with the -m option to any combination you want.
To set the packet capture count
-ci 3
Will show 3 incoming packets and then break out.
-m i -ci 4
Will show 4 incoming packets at the pre-in point and then break out.
To print the packet payload use the -x option
-x 52,96
This example would show packet data starting at offset 52 and print 96 bytes to the screen. Output to a file (-o) gives all the data anyway, so this is usually not needed.
The offset starts at the IP header. I.e. an offset of 40 is the start of the data in an HTTP packet: 20 bytes of IP header plus 20 bytes of TCP header (more if either header carries options).
To set the monitor position in the fw chain
-pi 3 -po 2
These are relative positions in the fw chain. The chain can be seen by typing fw ctl chain on the command line.

Figure 2
To change the insertion point you can use the relative position, i.e. 1, 2, 3 etc., or you can use the alias of a module, such as secxl_sync. All details of usage and syntax can be found in How to use fw monitor.

Figure 3 default insertion points

A relative number inserts the monitor in front of the module that currently holds that number, i.e. after the module above it. In other words, if relative number 2 is Secxl_sync and you want to capture after this module, use -pi 3; with -pi 3 the monitor sits after relative number 2. If you use the alias, the monitor is inserted before the named module: -pi Secxl_sync places it before Secxl_sync, not after it. See Figure 4 below.

Figure 4
NG AI has a new position option, -p all, which inserts a monitor at each point in the chain.
To filter packets that are part of a network or a range of ip addresses
-e accept netof src=192.168.10.0;
This will show all packets with a source address on network 192.168.10.0.
A mask cannot be given to netof; it is implied by the address. So if you have subnetted further you will need a different syntax, a range, to capture a set of addresses:
-e internal = { <192.168.10.0, 192.168.10.128> }; accept src in internal or dst in internal;
This defines internal as the inclusive range 192.168.10.0 to 192.168.10.128 and shows all packets whose source or destination address falls in it.
Putting it together with more complex expressions;
-e accept not (src=192.168.126.1);
To see everything except the src above.
-e accept sport=21 and not (src=192.168.126.1);
To see source port 21 but not from 192.168.126.1.
-e accept (src=192.168.126.1 or dst=192.168.126.1) and not (sport=22 or dport=22);
To see everything to and from the ip except ssh. The parentheses around the or are deliberate: without them the and could apply to the dst term only, depending on operator precedence, so make the grouping explicit.
-e accept (src=192.168.126.1 or dst=192.168.126.1) and not (sport=21 or dport=21) and not (sport=22 or dport=22);
To show all to and from the ip except ssh and ftp.
-ci 200 -m iI -pi Secxl_sync -e 'accept ip_p=6 and netof src=192.168.10.0 and not (sport=22 or dport=22);'
This will show 200 incoming packets before breaking out, with a mask of iI showing both pre-in and post-in, and with the monitor insertion point before the Secxl_sync module in the chain. In addition it will only show TCP packets whose source address is part of the 192.168.10.0 network, excluding ssh.
This may be more complex than is reasonable but it shows what can be done with fw monitor.
http://www.checkpoint.com/techsupport/downloads/html/ethereal/fw_monitor_rev1_01.pdf

Another option is to use a basic filter with output to a file (-o) and then read and filter the capture in Ethereal. How to use fw monitor has a good Ethereal section.
CP_Ethereal can be downloaded from
http://iii.us.checkpoint.com/support/ts_tools.html

Commands learned

fw monitor -e "accept (src=212.1.52.68 or dst=212.1.52.68);"
fw monitor -e 'accept host(172.19.217.2);'
fw monitor -e 'accept ([20:2,b]=443 or [22:2,b]=443), (([12:4,b]=172.19.217.46, [16:4,b]=10.47.10.7) or ([12:4,b]=10.47.10.7, [16:4,b]=172.19.217.46));'
The first two capture everything to and from one host. The third captures port 443 traffic in either direction between two hosts using raw offsets; the commas are INSPECT's and.
