Print Download PDF Send Feedback

Previous

Next

fw monitor

Description Inspecting network traffic is an essential part of troubleshooting network deployments. fw monitor is a powerful built-in tool to simplify the task of capturing network packets at multiple capture points within the firewall chain. These packets can be inspected using industry-standard tools later on.

In many deployment and support scenarios capturing network packets is an essential functionality. tcpdump or snoop are tools normally used for this task. fw monitor provides an even better functionality but omits many requirements and risks of these tools.

Normally the Check Point kernel modules are used to perform several functions on packets (like filtering, encrypting and decrypting, QoS …). fw monitor adds its own modules to capture packets. Therefore fw monitor can capture all packets which are seen and/or forwarded by the Firewall.

See SecureKnowledge solution sk30583.

Only one instance of fw monitor can be run at a time.

Use ^C (that is Control + C) to stop fw monitor from capturing packets.

Syntax

> fw monitor [-u|s] [-i] [-d] [-D] [{-e <expr>|{-f <filter-file>|-}}] [-l <len>] [-m <mask>]
[-x <offset>[,<len>]] [-o <file>] [[-pi <pos>] [-pI <pos>] [-po <pos>] [-pO <pos>] | -p all]] [-a]
[-ci <count>] [-co <count>] [-h] -T

Parameter

Description

-u|s

Printing the UUID or the SUUID: The option –u or –s is used to print UUIDs or SUUIDs for every packet. Please note that it is only possible to print the UUID or the SUUID – not both.

-i

Flushing the standard output: Use to make sure that captured data for each packet is at once written to standard output. This is especially useful if you want to kill a running fw monitor process and want to be sure that all data is written to a file.

[-d] [-D]

Debugging fw monitor: The -d option is used to start fw monitor in debug mode. This will give you an insight into fw monitor's inner workings. This option is only rarely used outside Check Point. It is also possible to use –D to create an even more verbose output.

{-e <expr>|{-f <filter-file>|-}}

Filtering fw monitor packets: fw monitor has the ability to capture only packets in which you are interested. fw monitor filters use a subset of INSPECT to specify the packets to be captured. Set the filter expression:

  • on the command line using the –e switch.
  • by reading it from a file using the -f switch.
  • by reading it from standard input using the -f - switch.

-l <len>

Limiting the packet length: fw monitor lets you limit the packet data which will be read from the kernel with -l. This is especially useful if you have to debug high sensitive communication. It lets you to capture only the headers of a packet (e.g. IP and TCP header) while omitting the actual payload. Therefore you can debug the communication without seeing the actual data transmitted. Another possibility is to keep the amount of data low. If you don't need the actual payload for debugging you can decrease the file site by omitting the payload. It's also very useful to reduce packet loss on high-loaded machines. fw monitor uses a buffer to transfer the packets from kernel to user space. If you reduce the size of a single packet this buffer won't fill up so fast.

-m <mask>

Setting capture masks: By default fw monitor captures packets before and after the virtual machine in both directions. These positions can be changed. This option allows you to specify in which of the four positions you are interested.

-x <offset>[,<len>]

Printing packet/payload data: In addition to the IP and Transport header fw monitor can also print the packets' raw data using the –x option. Optionally it is also possible to send all data that is written only to the screen the data written.

-o <file>

Write output to file: Save the raw packet data to a file in a standard (RFC 1761) format. The file can be examined using by tools like snoop, tcpdump or Ethereal.

Note - The snoop file format is normally used to store Layer 2 frames. For "normal" capture files this means that the frame includes data like a source and a destination MAC address. fw monitor operates in the firewall kernel and therefore has no access to Layer 2 information like MAC addresses. Instead of writing random MAC addresses, fw monitor includes information like interface name, direction and chain position as "MAC addresses".

-T

Print time stamp in microseconds. -T is needed only when -o is not used. When -o is used the exact time is written to the snoop file by default as of Corsica.

[[-pi <pos>] [-pI <pos>] [-po <pos>] [-pO <pos>] | -p all]]

Insert fw monitor chain module at a specific position: In addition to capture masks (which give the ability to look at packets in a specific position) fw monitor has the ability to define where exactly in the firewall chain the packets should be captured. This can be defined using these options.

-a

Use absolute chain positions: If you use fw monitor to output the capture into a file (option –o), one of the fields written down to the capture file is the chain position of the fw monitor chain module. Together with a simultaneous execution of fw ctl chain you can determine where the packet was captured. Especially when using –p all you will find the same packet captured multiples times at different chain positions. The option –a changes the chain ID from a relative value (which only makes sense with the matching fw ctl chain output) to an absolute value. These absolute values are known to CPEthereal and can be displayed by it.

[-ci <count>]
[-co <count>]

Capture a specific number of packets: fw monitor enables you to limit the number of packets being captured. This is especially useful in situations where the firewall is filtering high amounts of traffic. In such situations fw monitor may bind so many resources (for writing to the console or to a file) that recognizing the break sequence (Control-C) might take very long.

-h

Displays the usage.

Example The easiest way to use fw monitor is to invoke it without any parameter. This will output every packet from every interface that passes (or at least reaches) the Check Point Security Gateway. The same packet appears several times (two times in the example below). This is caused by fw monitor capturing the packets at different capture points.

Output

cpmodule> fw monitor

 monitor: getting filter (from command line)

 monitor: compiling

monitorfilter:

Compiled OK.

 monitor: loading

 monitor: monitoring (control-C to stop)

eth0:i[285]: 192.0.2.133 -> 192.0.2.2 (TCP) len=285 id=1075

TCP: 1050 -> 18190 ...PA. seq=bf8bc98e ack=941b05bc

eth0:I[285]: 192.0.2.133 -> 192.0.2.2 (TCP) len=285 id=1075

TCP: 1050 -> 18190 ...PA. seq=bf8bc98e ack=941b05bc

eth0:o[197]: 192.0.2.2 -> 192.0.2.133 (TCP) len=197 id=44599

TCP: 18190 -> 1050 ...PA. seq=941b05bc ack=bf8bca83

eth0:O[197]: 192.0.2.2 -> 192.0.2.133 (TCP) len=197 id=44599

TCP: 18190 -> 1050 ...PA. seq=941b05bc ack=bf8bca83

eth0:o[1500]: 192.0.2.2 -> 192.0.2.133 (TCP) len=1500 id=44600

TCP

^C

: 18190 -> 1050 ....A. seq=941b0659 ack=bf8bca83

monitor: caught sig 2

 monitor: unloading

The first line of the fw monitor output is

eth0:i[285]: 192.0.2.133 -> 192.0.2.2 (TCP) len=285 id=1075

This packet was captured on the first network interface (eth0) in inbound direction before the virtual machine (lowercase i). The packet length is 285 bytes (in square parenthesis; repeated at the end of the line. Note that these two values may be different. The packets ID is 1075. The packet was sent from 192.0.2.133 to 192.0.2.2 and carries a TCP header/payload.

The second line of the fw monitor output is

TCP: 1050 -> 18190 ...PA. seq=bf8bc98e ack=941b05bc

The second line tells us that this is a TCP payload inside the IP packet which was sent from port 1050 to port 18190. The following element displays the TCP flags set (in this case PUSH and ACK). The last two elements are showing the sequence number (seq=bf8bc98e) of the TCP packet and the acknowledged sequence number (ack=941b05bc). You will see similar information for UDP packets.

You will only see a second line if the transport protocol used is known to fw monitor. Known protocols are for example TCP, UDP and ICMP. If the transport protocol is unknown or cannot be analyzed because it is encrypted (e.g. ESP or encapsulated (e.g. GRE) the second line is missing.

fw monitor Filters

Description Use these expressions to help when you are filtering fw monitor.

Syntax > fw monitor -e "accept <expression>;"

Expressions for Protocols

Expression

Description

tcp

TCP

udp

UDP

icmp4

ICMP v4

icmp6

ICMP v6

esp

ESP

Expressions for Services

Expression

Description

http

HTTP (TCP port 80)

https

HTTPS (TCP port 443)

ftp

FTP (TCP port 20 or 21)

ssh

SSH (TCP port 22)

telnet

TELNET (TCP port 23)

smtp

SMTP (TCP Port 25)

pop3

POP3 (TCP port 110)

dns

DNS (TCP / UDP port 53

proxy

HTTP (TCP port 8080)

Expressions for VPN

For more information, see sk52421.

Expression

Description

Check Point Description

ike

IKE (UDP port 500)

 

natt

NAT-T (UDP port 4500)

 

uenc

UDP encapsulation (UDP port 2746)

Check Point SecuRemote IPsec Transport Encapsulation Protocol

rdp

Check Point RDP (UDP port 259)

Proprietary Check Point "Reliable Data Protocol" (does not comply with RDP as specified in RFC 908/RFC 1151)

topo

Check Point Security Gateway SecuRemote Topology Requests (TCP port 264)

Topology Download from Security Gateway (by FWD daemon) to SecuRemote (build 4100 and higher) and SecureClient

l2tp

L2TP (TCP port 1701)

 

test

Check Point Tunnel Testing (UDP port 18234)

Check Point tunnel testing application - Testing ICA through VPN by SecuRemote / SecureClient

Expressions for ICA (Internal Certificate Authority)

For more information, see sk52421.

Expression

Description

Check Point Description

pull

Check Point Internal CA Pull Certificate Service (TCP port 18210)

Pulling certificates by Security Gateway from Security Management Server (by CPCA daemon)

push

Check Point Internal CA Push Certificate Service (TCP port 18211)

Pushing certificates from the Internal Certificate Authority (ICA) on Security Management Server (by CPD daemon) to Security Gateway

crl

Check Point Internal CA Fetch CRL and User Registration Services (TCP port 18264)

Protocol for Certificate Revocation Lists and registering users when using the Policy Server (needed when, e.g., Security Gateway is starting).

See sk35292.

ica

Check Point Internal CA Management Tools (TCP port 18265)
  • Managing the ICA and central administration of Internal Certificate Authority (ICA) on the Security Management Server
  • Needs to be started separately with the Security Management Server and cpca_client

Expressions for Security Management Server

Expression

Description

smc

Port 18190 (SmartConsole)

policy

Port 18191 (Install policy)

amon

Port 18192 (AMON server)

pslog

Port 18231

scv

Port 18233 (Client SCV)

Expressions for Common Tasks

Expression

Description

cpca

Uses these expressions: camgmt, pull, crl, and ica

sic

Uses these expressions: cpca, push, and policy

vpnd

Uses these expressions: ike, natt, uenc, rdp, topo, l2tp, test, pslog and scv

vpn

Uses expressions for standard site to site: esp, and ike

vvpn

Uses expressions for remote access: natt, and https

multi

Uses expressions for multi-portal: https, and port 444

vpnall

Uses expressions for all VPN services: esp, vpnd, crl, and multi

vpn1

Uses expressions for VPN and common test services: vpn, vvpn, ftp, and ping

Expressions to Exclude Background Traffic

Expression

Description

no_term

Uses expressions to exclude remote terminal: not ssh and not telnet

no_mgmt

Uses expressions to exclude Check Point management services: not smc and not policy and not amon

Example: > fwmonitor -e "accept https;"

27 August 2018 © 2018 Check Point Software Technologies Ltd. All rights reserved.