fw monitor

Description

Firewall Monitor is the Check Point traffic capture tool.

In a Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources., traffic passes through different inspection points - Chain Modules in the Inbound direction and then in the Outbound direction (see the "fw ctl chain" command.

The FW Monitor tool captures the traffic at each Chain Module in both directions.

You can later analyze the captured traffic with the same FW Monitor tool, or with special tools like Wireshark.

Notes:

Syntax for IPv4

fw monitor {-h | -help}

fw monitor [-d] [-D] [-ci <Number of Inbound Packets>] [-co <Number of Outbound Packets>] [-e <INSPECT Expression> | -f {<INSPECT Filter File> | -}] [-F "<Source IP>,<Source Port>,<Dest IP>,<Dest Port>,<Protocol Number>"] [-i] [-l <Length>] [-m {i,I,o,O,e,E}] [-o <Output File> [-w]] [[-pi <Position>] [-pI <Position>] [-po <Position>] [-pO <Position>] | -p all [-a]] [-T] [-u | -s] [-U] [-v <VSID>] [-x <Offset>[,<Length>] [-w]]

Syntax for IPv6

fw6 monitor {-h | -help}

fw6 monitor [-d] [-D] [-ci <Number of Inbound Packets>] [-co <Number of Outbound Packets>] [-e <INSPECT Expression> | -f {<INSPECT Filter File> | -}] [-F "<Source IP>,<Source Port>,<Dest IP>,<Dest Port>,<Protocol Number>"] [-i] [-l <Length>] [-m {i,I,o,O,e,E}] [-o <Output File> [-w]] [[-pi <Position>] [-pI <Position>] [-po <Position>] [-pO <Position>] | -p all [-a]] [-T] [-u | -s] [-U] [-v <VSID>] [-x <Offset>[,<Length>] [-w]]

Parameters

Parameter

Description

{-h | -help}

Shows the built-in usage.

-d

-D

Runs the command in debug mode and shows some information about how the FW Monitor starts and compiles the specified INSPECT filter:

  • -d

    Simple debug output.

  • -D

    Verbose output.

Note - You can specify both parameters to show more information.

-ci <Number of Inbound Packets>

-co <Number of Outbound Packets>

Specifies how many packets to capture.

The FW Monitor stops the traffic capture if it counted the specified number of packets.

  • -ci

    Specifies the number of inbound packets to count.

  • -co

    Specifies the number of inbound packets to count

Best Practice - You can use the "-ci" and the "-co" parameters together. This is especially useful during large volumes of traffic. In such scenarios, FW Monitor may bind so many resources (for writing to the console, or to a file) that recognizing the break sequence (CTRL+C) might take a very long time.

-e <INSPECT Expression>

or

-f {<INSPECT Filter File> | -}

Captures only specific packets of non-accelerated traffic:

  • "-e <INSPECT Expression>"

    Defines the INSPECT filter expression on the command line.

  • "-f <INSPECT Filter File>"

    Reads the INSPECT filter expression from the specified file. You must enter the full path and name of the plain-text file that contains the INSPECT filter expression.

  • "-f -"

    Reads the INSPECT filter expression from the standard input. After you enter the INSPECT filter expression, you must enter the ^D (CTRL+D) as the EOF (End Of File) character.

 

Warning - These INSPECT filters do not apply to the accelerated traffic.

Important - Make sure to enclose the INSPECT filter expression correctly in single quotes (ASCII value 39) or double quotes (ASCII value 34).

Notes:

-F "<Source IP>,<Source Port>,<Dest IP>,<Dest Port>,<Protocol Number>"

Specifies the capture filter (for both accelerated and non-accelerated traffic):

 

Notes:

  • See syntax examples below (Examples for the "-F" parameter).

  • The "-F" parameter uses these Kernel Debug Filters.

    For more information, see Kernel Debug Filters.

    • For the Source IP address:

      simple_debug_filter_saddr_<N> "<IP Address>"

    • For the Source Ports:

      simple_debug_filter_sport_<N> <1-65535>

    • For the Destination IP address:

      simple_debug_filter_daddr_<N> "<IP Address>"

    • For the Destination Ports:

      simple_debug_filter_dport_<N> <1-65535>

    • For the Protocol Number:

      simple_debug_filter_proto_<N> <0-254>

  • Value 0 means "any".

  • This parameter supports up to 5 capture filters (up to 5 instances of the "-F" parameter in the syntax).

    The FW Monitor performs the logical "OR" between all specified simple capture filters.

-H

Creates an IP address filter.

For more information, see Kernel Debug Filters.

This parameter supports up to 3 capture filters (up to 3 instances of the "-H" parameter in the syntax).

Example - Capture only HTTP traffic to and from the Host 1.1.1.1:

fw ctl debug –H "1.1.1.1"

-i

Flushes the standard output.

Note - This parameter is valid only with the "-v <VSID>" parameter.

Best Practice - Use this parameter to make sure FW Monitor immediately writes the captured data for each packet to the standard output. This is especially useful if you want to kill a running FW Monitor process, and want to be sure that FW Monitor writes all the data to the specified file.

-l <Length>

Specifies the maximal length of the captured packets. FW Monitor reads only the specified number of bytes from each packet.

Notes:

  • This parameter is optional.

  • With this parameter you can capture only the headers from each packet (for example, IP and TCP) and omit the payload. This decreases the size of the output file. This also helps the internal FW Monitor buffer not to fill too fast.

  • Make sure to capture the minimal required number of bytes, to capture the Layer 3 IP header and Layer 4 Transport header.

-m {i, I, o, O, e, E}

Specifies the capture mask (inspection point) in relation to Chain Modules, in which the FW Monitor captures the traffic.

These are the inspection points, through which each packet passes on a Security Gateway.

  • -m i

    Pre-Inbound only (before the packet enters a Chain Module in the inbound direction)

  • -m I

    Post-Inbound only (after the packet passes a Chain Module in the inbound direction)

  • -m o

    Pre-Outbound only (before the packet enters a Chain Module in the outbound direction)

  • -m O

    Post-Outbound only (after the packet passes through a Chain Module in the outbound direction)

  • -m e

    Pre-Outbound VPN only (before the packet enters a VPN Chain Module in the outbound direction)

  • -m E

    Post-Outbound VPN only (after the packet passes through a VPN Chain Module in the outbound direction)

 

Notes:

  • You can specify several capture masks (for example, to see NAT on the egress packets, enter "... -m o O ...").

  • You can use this capture mask parameter "-m {i, I, o, O, e, E}" together with the chain module position parameter "-p{i | I | o | O}".

  • In the inbound direction:

    • All chain positions before the FireWall Virtual Machine module are Pre-Inbound (the "fw ctl chain" command shows this module as "fw VM inbound").

    • All chain modules after the FireWall Virtual Machine module are Post-Inbound.

  • In the outbound direction:

    • All chain position before the FireWall Virtual Machine module are Pre-Outbound.

    • All chain modules after the FireWall Virtual Machine module are Post-Outbound.

  • By default, the FW Monitor captures the traffic only in the FireWall Virtual Machine module.

  • The packet direction relates to each specific packet, and not to the connection's direction.

  • The letters "q" and "Q" after the inspection point mean that the QoSClosed Check Point Software Blade on a Security Gateway that provides policy-based traffic bandwidth management to prioritize business-critical traffic and guarantee bandwidth and control latency. policy is applied to the interface.

 

Example packet flows:

  • From a Client to a Server through the FireWall Virtual Machine module:

    [Client] --> ("i") {FW VM attached to eth1} ("I") [Security Gateway] ("o") {FW VM attached to eth2} ("O") --> [Server]

  • From a Server to a Client through the FireWall Virtual Machine module:

    [Client] <-- ("O") {FW VM attached to eth1} ("o") [Security Gateway] ("I") {FW VM attached to eth2} ("i") <-- [Server]

-o <Output File>

Specifies the output file, to which FW Monitor writes the captured raw data.

Important - If you do not specify the path explicitly, FW Monitor creates this output file in the current working directory. Because this output file can grow very fast to very large size, we always recommend to specify the full path to the largest partition /var/log/.

The format of this output file is the same format used by tools like snoop (refer to RFC 1761).

You can later analyze the captured traffic with the same FW Monitor tool, or with special tools like Wireshark.

-pi <Position>

-pI <Position>

-po <Position>

-pO <Position>

or

-p all [-a]

Inserts the FW Monitor Chain Module at the specified position between the kernel Chain Modules (see the "fw ctl chain" command).

If the FW Monitor writes the captured data to the specified output file (with the parameter "-o <Output File>"), it also writes the position of the FW Monitor chain module as one of the fields.

You can insert the FW Monitor Chain Module in these positions only:

  • -pi <Position>

    Inserts the FW Monitor Chain Module in the specified Pre-Inbound position.

  • -pI <Position>

    Inserts the FW Monitor Chain Module in the specified Post-Inbound position.

  • -po <Position>

    Inserts the FW Monitor Chain Module in the specified Pre-Outbound position.

  • -pO <Position>

    Inserts the FW Monitor Chain Module in the specified Post-Outbound position

  • -p all [-a]

    Inserts the FW Monitor Chain Module at all positions (both Inbound and Outbound).

    Warning - This parameter causes very high load on the CPU, but provides the most complete traffic capture.

    The "-a" parameter specifies to use absolute chain positions. This parameter changes the chain ID from a relative value (which only makes sense with the matching output from the "fw ctl chain" command) to an absolute value.

 

Notes:

  • <Position> can be one of these:

    • A relative position number

      In the output of the "fw ctl chain" command, refer to the numbers in the leftmost column (for example, 0, 5, 14).

    • A relative position alias

      In the output of the "fw ctl chain" command, refer to the internal chain module names in the rightmost column in the parentheses (for example, sxl_in, fw, cpas).

    • An absolute position

      In the output of the "fw ctl chain" command, refer to the numbers in the second column from the left (for example, -7fffffff, -1fffff8, 7f730000). In the syntax, you must write these numbers in the hexadecimal format (for example, -0x7fffffff, -0x1fffff8, 0x7f730000).

  • You can use this chain module position parameter "-p{i | I| o | O} ..." together with the capture mask parameter "-m {i, I, o, O, e, E}".

  • In the inbound direction:

    • All chain positions before the FireWall Virtual Machine module are Pre-Inbound (the "fw ctl chain" command shows this module as "fw VM inbound").

    • All chain modules after the FireWall Virtual Machine module are Post-Inbound.

  • In the outbound direction:

    • All chain position before the FireWall Virtual Machine module are Pre-Outbound.

    • All chain modules after the FireWall Virtual Machine module are Post-Outbound.

  • By default, the FW Monitor captures the traffic only in the FireWall Virtual Machine module.

  • The chain module position parameters "-p{i | I| o | O} ..." parameters do not apply to the accelerated traffic, which is still monitored at the default inbound and outbound positions.

  • For more information about the inspection points, see the applicable table below.

-T

Shows the timestamp for each packet:

DDMMMYYYY HH:MM:SS.mmmmmm

Best Practice - Use this parameter if you do not save the output to a file, but print it on the screen.

-u

or

-s

Shows UUID for each packet (it is only possible to print either the UUID, or the SUUID - not both):

  • -u

    Prints connection's Universal-Unique-ID (UUID) for each packet

  • -s

    Prints connection's Session UUID (SUUID) for each packet

-U

Removes the simple capture filters specified with this parameter:

-F "<Source IP>,<Source Port>,<Dest IP>,<Dest Port>,<Protocol Number>"

-v <VSID>

On a VSX GatewayClosed Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0. or VSXClosed Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. Cluster MemberClosed Security Gateway that is part of a cluster., captures the packets on the specified Virtual System or Virtual Router.

By default, FW Monitor captures the packets on all Virtual Systems and Virtual Routers.

Example:

fw monitor -v 4 -e "accept;" -o /var/log/fw_mon.cap

-w

Captures the entire packet, instead of only the header.

Must be used together with one of these parameters:

  • -o <Output File>

  • -x <Offset>[,<Length>]

-x <Offset>[,<Length>]

Specifies the position in each packet, where the FW Monitor starts to capture the data from each packet.

Optionally, it is also possible to limit the amount of data the FW Monitor captures.

  • <Offset>

    Specifies how many bytes to skip from the beginning of each packet. FW Monitor starts to capture the data from each packet only after the specified number of bytes.

  • <Length>

    Specifies the maximal length of the captured packets. FW Monitor reads only the specified number of bytes from each packet.

For example, to skip over the IP header and TCP header, enter "-x 52,96"

Inspection points in Security Gateway and in the FW Monitor output

Note - The Inbound and Outbound traffic direction relates to each specific packet, and not to the connection.

  • Inbound

    Name of inspection point

    Relation to the FireWall
    Virtual Machine

    Notion of inspection point
    in the FW Monitor output

    Pre-Inbound

    Before the inbound FireWall VM

    i (for example, eth4:i)

    Post-Inbound

    After the inbound FireWall VM

    I (for example, eth4:I)

    Pre-Inbound VPN

    Inbound before decrypt

    id (for example, eth4:id)

    Post-Inbound VPN

    Inbound after decrypt

    ID (for example, eth4:ID)

    Pre-Inbound QoS

    Inbound before QoS

    iq (for example, eth4:iq)

    Post-Inbound QoS

    Inbound after QoS

    IQ (for example, eth4:IQ)

  • Outbound

    Name of inspection point

    Relation to the FireWall
    Virtual Machine

    Notion of inspection point
    in the FW Monitor output

    Pre-Outbound

    Before the outbound FireWall VM

    o (for example, eth4:o)

    Post-Outbound

    After the outbound FireWall VM

    O (for example, eth4:O)

    Pre-Outbound VPN

    Outbound before encrypt

    e (for example, eth4:e)

    Post-Outbound VPN

    Outbound after encrypt

    E (for example, eth4:E)

    Pre-Outbound QoS

    Outbound before QoS

    oq (for example, eth4:oq)

    Post-Outbound QoS

    Outbound after QoS

    OQ (for example, eth4:OQ)

Generic Examples

[Expert@MyGW:0]# fw monitor
 monitor: getting filter (from command line)
 monitor: compiling
monitorfilter:
Compiled OK.
 monitor: loading
 monitor: monitoring (control-C to stop)
[vs_0][fw_1] eth0:i[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31789
TCP: 53901 -> 22 ....A. seq=761113cd ack=f92e2a13
[vs_0][fw_1] eth0:I[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31789
TCP: 53901 -> 22 ....A. seq=761113cd ack=f92e2a13
[vs_0][fw_1] eth0:i[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31790
TCP: 53901 -> 22 ....A. seq=761113cd ack=f92e2a47
... ... ...
 monitor: caught sig 2
 monitor: unloading
[Expert@MyGW:0]#
 
[Expert@MyGW:0]# fw monitor -T
 monitor: getting filter (from command line)
 monitor: compiling
monitorfilter:
Compiled OK.
 monitor: loading
 monitor: monitoring (control-C to stop)
[vs_0][fw_1] 12Sep2018 19:08:05.453947 eth0:oq[124]: 192.168.3.53 -> 172.20.168.16 (TCP) len=124 id=38414
TCP: 22 -> 64424 ...PA. seq=1c23924a ack=3c951092
[vs_0][fw_1] 12Sep2018 19:08:05.453960 eth0:OQ[124]: 192.168.3.53 -> 172.20.168.16 (TCP) len=124 id=38414
TCP: 22 -> 64424 ...PA. seq=1c23924a ack=3c951092
[vs_0][fw_1] 12Sep2018 19:08:05.454059 eth0:oq[252]: 192.168.3.53 -> 172.20.168.16 (TCP) len=252 id=38415
TCP: 22 -> 64424 ...PA. seq=1c23929e ack=3c951092
[vs_0][fw_1] 12Sep2018 19:08:05.454064 eth0:OQ[252]: 192.168.3.53 -> 172.20.168.16 (TCP) len=252 id=38415
TCP: 22 -> 64424 ...PA. seq=1c23929e ack=3c951092
[vs_0][fw_1] 12Sep2018 19:08:05.454072 eth0:oq[252]: 192.168.3.53 -> 172.20.168.16 (TCP) len=252 id=38416
TCP: 22 -> 64424 ...PA. seq=1c239372 ack=3c951092
[vs_0][fw_1] 12Sep2018 19:08:05.454074 eth0:OQ[252]: 192.168.3.53 -> 172.20.168.16 (TCP) len=252 id=38416
TCP: 22 -> 64424 ...PA. seq=1c239372 ack=3c951092
[vs_0][fw_1] 12Sep2018 19:08:05.463165 eth0:iq[40]: 172.20.168.16 -> 192.168.3.53 (TCP) len=40 id=17398
TCP: 64424 -> 22 ....A. seq=3c951092 ack=1c239446
[vs_0][fw_1] 12Sep2018 19:08:05.463177 eth0:IQ[40]: 172.20.168.16 -> 192.168.3.53 (TCP) len=40 id=17398
TCP: 64424 -> 22 ....A. seq=3c951092 ack=1c239446
 monitor: unloading
[Expert@MyGW:0]#
 
[Expert@MyGW:0]# fw monitor -m i -ci 3
 monitor: getting filter (from command line)
 monitor: compiling
monitorfilter:
Compiled OK.
 monitor: loading
 monitor: monitoring (control-C to stop)
[vs_0][fw_1] eth0:i[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31905
TCP: 53901 -> 22 ....A. seq=76111bb5 ack=f92e683b
[vs_0][fw_1] eth0:i[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31906
TCP: 53901 -> 22 ....A. seq=76111bb5 ack=f92e68ef
[vs_0][fw_1] eth0:i[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31907
TCP: 53901 -> 22 ....A. seq=76111bb5 ack=f92e69a3
 monitor: unloading
Read 3 inbound packets and 0 outbound packets
[Expert@MyGW:0]#
 
[Expert@MyGW:0]# fw ctl chain
in chain (15):
        0: -7fffffff (0000000000000000) (00000000) SecureXL inbound (sxl_in)
        1: -7ffffffe (0000000000000000) (00000000) SecureXL inbound CT (sxl_ct)
        2: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (in) (ipopt_strip)
        3: - 1fffff8 (ffffffff8b66f6f0) (00000001) Stateless verifications (in) (asm)
        4: - 1fffff7 (ffffffff8b66f210) (00000001) fw multik misc proto forwarding
        5:         0 (ffffffff8b8506a0) (00000001) fw VM inbound  (fw)
        6:         2 (ffffffff8b671d10) (00000001) fw SCV inbound (scv)
        7:         4 (ffffffff8b061ed0) (00000003) QoS inbound offload chain module
        8:         5 (ffffffff8b564d30) (00000003) fw offload inbound (offload_in)
        9:        10 (ffffffff8b842710) (00000001) fw post VM inbound  (post_vm)
        10:    100000 (ffffffff8b7fd6c0) (00000001) fw accounting inbound (acct)
        11:  22000000 (ffffffff8b0638d0) (00000003) QoS slowpath inbound chain mod (fg_sched)
        12:  7f730000 (ffffffff8b3c40b0) (00000001) passive streaming (in) (pass_str)
        13:  7f750000 (ffffffff8b0e5b40) (00000001) TCP streaming (in) (cpas)
        14:  7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (in) (ipopt_res)
out chain (14):
        0: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (out) (ipopt_strip)
        1: - 1fffff0 (ffffffff8b0d0190) (00000001) TCP streaming (out) (cpas)
        2: - 1ffff50 (ffffffff8b3c40b0) (00000001) passive streaming (out) (pass_str)
        3: - 1f00000 (ffffffff8b66f6f0) (00000001) Stateless verifications (out) (asm)
        4: -     1ff (ffffffff8aeec0a0) (00000001) NAC Packet Outbound (nac_tag)
        5:         0 (ffffffff8b8506a0) (00000001) fw VM outbound (fw)
        6:        10 (ffffffff8b842710) (00000001) fw post VM outbound  (post_vm)
        7:  15000000 (ffffffff8b062540) (00000003) QoS outbound offload chain modul (fg_pol)
        8:  21000000 (ffffffff8b0638d0) (00000003) QoS slowpath outbound chain mod (fg_sched)
        9:  7f000000 (ffffffff8b7fd6c0) (00000001) fw accounting outbound (acct)
        10:  7f700000 (ffffffff8b0e4660) (00000001) TCP streaming post VM (cpas)
        11:  7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (out) (ipopt_res)
        12:  7f900000 (0000000000000000) (00000000) SecureXL outbound (sxl_out)
        13:  7fa00000 (0000000000000000) (00000000) SecureXL deliver (sxl_deliver)
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw monitor -pi 2 -ci 3
 monitor: getting filter (from command line)
 monitor: compiling
monitorfilter:
Compiled OK.
 monitor: loading
in chain (17):
        0: -7fffffff (0000000000000000) (00000000) SecureXL inbound (sxl_in)
        1: -7ffffffe (0000000000000000) (00000000) SecureXL inbound CT (sxl_ct)
        2: -7f800001 (ffffffff8b6774d0) (ffffffff) fwmonitor (i/f side)
        3: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (in) (ipopt_strip)
        4: - 1fffff8 (ffffffff8b66f6f0) (00000001) Stateless verifications (in) (asm)
        5: - 1fffff7 (ffffffff8b66f210) (00000001) fw multik misc proto forwarding
        6:         0 (ffffffff8b8506a0) (00000001) fw VM inbound  (fw)
        7:         2 (ffffffff8b671d10) (00000001) fw SCV inbound (scv)
        8:         4 (ffffffff8b061ed0) (00000003) QoS inbound offload chain module
        9:         5 (ffffffff8b564d30) (00000003) fw offload inbound (offload_in)
        10:        10 (ffffffff8b842710) (00000001) fw post VM inbound  (post_vm)
        11:    100000 (ffffffff8b7fd6c0) (00000001) fw accounting inbound (acct)
        12:  22000000 (ffffffff8b0638d0) (00000003) QoS slowpath inbound chain mod (fg_sched)
        13:  70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (IP  side)
        14:  7f730000 (ffffffff8b3c40b0) (00000001) passive streaming (in) (pass_str)
        15:  7f750000 (ffffffff8b0e5b40) (00000001) TCP streaming (in) (cpas)
        16:  7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (in) (ipopt_res)
out chain (16):
        0: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (out) (ipopt_strip)
        1: -70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (i/f side)
        2: - 1fffff0 (ffffffff8b0d0190) (00000001) TCP streaming (out) (cpas)
        3: - 1ffff50 (ffffffff8b3c40b0) (00000001) passive streaming (out) (pass_str)
        4: - 1f00000 (ffffffff8b66f6f0) (00000001) Stateless verifications (out) (asm)
        5: -     1ff (ffffffff8aeec0a0) (00000001) NAC Packet Outbound (nac_tag)
        6:         0 (ffffffff8b8506a0) (00000001) fw VM outbound (fw)
        7:        10 (ffffffff8b842710) (00000001) fw post VM outbound  (post_vm)
        8:  15000000 (ffffffff8b062540) (00000003) QoS outbound offload chain modul (fg_pol)
        9:  21000000 (ffffffff8b0638d0) (00000003) QoS slowpath outbound chain mod (fg_sched)
        10:  70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (IP side)
        11:  7f000000 (ffffffff8b7fd6c0) (00000001) fw accounting outbound (acct)
        12:  7f700000 (ffffffff8b0e4660) (00000001) TCP streaming post VM (cpas)
        13:  7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (out) (ipopt_res)
        14:  7f900000 (0000000000000000) (00000000) SecureXL outbound (sxl_out)
        15:  7fa00000 (0000000000000000) (00000000) SecureXL deliver (sxl_deliver)
 monitor: monitoring (control-C to stop)
[vs_0][fw_1] eth0:oq1 (TCP streaming (out))[1228]: 192.168.204.40 -> 192.168.204.1 (TCP) len=1228 id=37575
TCP: 22 -> 51702 ...PA. seq=34e2af31 ack=e6c995ce
[vs_0][fw_1] eth0:OQ10 (TCP streaming post VM)[1228]: 192.168.204.40 -> 192.168.204.1 (TCP) len=1228 id=37575
TCP: 22 -> 51702 ...PA. seq=34e2af31 ack=e6c995ce
[vs_0][fw_1] eth0:iq2 (IP Options Strip (in))[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=32022
TCP: 51702 -> 22 ....A. seq=e6c995ce ack=34e2af31
[vs_0][fw_1] eth0:IQ13 (TCP streaming (in))[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=32022
TCP: 51702 -> 22 ....A. seq=e6c995ce ack=34e2af31
[vs_0][fw_1] eth0:oq1 (TCP streaming (out))[1356]: 192.168.204.40 -> 192.168.204.1 (TCP) len=1356 id=37576
TCP: 22 -> 51702 ...PA. seq=34e2b3d5 ack=e6c995ce
[vs_0][fw_1] eth0:OQ10 (TCP streaming post VM)[1356]: 192.168.204.40 -> 192.168.204.1 (TCP) len=1356 id=37576
TCP: 22 -> 51702 ...PA. seq=34e2b3d5 ack=e6c995ce
[vs_0][fw_1] eth0:iq2 (IP Options Strip (in))[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=32023
TCP: 51702 -> 22 ....A. seq=e6c995ce ack=34e2b8f9
[vs_0][fw_1] eth0:IQ13 (TCP streaming (in))[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=32023
TCP: 51702 -> 22 ....A. seq=e6c995ce ack=34e2b8f9
[vs_0][fw_1] eth0:oq1 (TCP streaming (out))[1356]: 192.168.204.40 -> 192.168.204.1 (TCP) len=1356 id=37577
TCP: 22 -> 51702 ...PA. seq=34e2b8f9 ack=e6c995ce
[vs_0][fw_1] eth0:OQ10 (TCP streaming post VM)[1356]: 192.168.204.40 -> 192.168.204.1 (TCP) len=1356 id=37577
TCP: 22 -> 51702 ...PA. seq=34e2b8f9 ack=e6c995ce
[vs_0][fw_1] eth0:oq1 (TCP streaming (out))[412]: 192.168.204.40 -> 192.168.204.1 (TCP) len=412 id=37578
TCP: 22 -> 51702 ...PA. seq=34e2be1d ack=e6c995ce
[vs_0][fw_1] eth0:OQ10 (TCP streaming post VM)[412]: 192.168.204.40 -> 192.168.204.1 (TCP) len=412 id=37578
TCP: 22 -> 51702 ...PA. seq=34e2be1d ack=e6c995ce
[vs_0][fw_1] eth0:iq2 (IP Options Strip (in))[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=32024
TCP: 51702 -> 22 ....A. seq=e6c995ce ack=34e2bf91
[vs_0][fw_1] eth0:IQ13 (TCP streaming (in))[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=32024
TCP: 51702 -> 22 ....A. seq=e6c995ce ack=34e2bf91
[vs_0][fw_1] eth0:oq1 (TCP streaming (out))[716]: 192.168.204.40 -> 192.168.204.1 (TCP) len=716 id=37579
TCP: 22 -> 51702 ...PA. seq=34e2bf91 ack=e6c995ce
[vs_0][fw_1] eth0:OQ10 (TCP streaming post VM)[716]: 192.168.204.40 -> 192.168.204.1 (TCP) len=716 id=37579
TCP: 22 -> 51702 ...PA. seq=34e2bf91 ack=e6c995ce
 monitor: unloading
Read 3 inbound packets and 5 outbound packets
[Expert@MyGW:0]#
 
[Expert@MyGW:0]# fw ctl chain
in chain (17):
        0: -7fffffff (0000000000000000) (00000000) SecureXL inbound (sxl_in)
        1: -7ffffffe (0000000000000000) (00000000) SecureXL inbound CT (sxl_ct)
        2: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (in) (ipopt_strip)
        3: -70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (i/f side)
        4: - 1fffff8 (ffffffff8b66f6f0) (00000001) Stateless verifications (in) (asm)
        5: - 1fffff7 (ffffffff8b66f210) (00000001) fw multik misc proto forwarding
        6:         0 (ffffffff8b8506a0) (00000001) fw VM inbound  (fw)
        7:         2 (ffffffff8b671d10) (00000001) fw SCV inbound (scv)
        8:         4 (ffffffff8b061ed0) (00000003) QoS inbound offload chain module
        9:         5 (ffffffff8b564d30) (00000003) fw offload inbound (offload_in)
        10:        10 (ffffffff8b842710) (00000001) fw post VM inbound  (post_vm)
        11:    100000 (ffffffff8b7fd6c0) (00000001) fw accounting inbound (acct)
        12:  22000000 (ffffffff8b0638d0) (00000003) QoS slowpath inbound chain mod (fg_sched)
        13:  70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (IP  side)
        14:  7f730000 (ffffffff8b3c40b0) (00000001) passive streaming (in) (pass_str)
        15:  7f750000 (ffffffff8b0e5b40) (00000001) TCP streaming (in) (cpas)
        16:  7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (in) (ipopt_res)
out chain (16):
        0: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (out) (ipopt_strip)
        1: -70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (i/f side)
        2: - 1fffff0 (ffffffff8b0d0190) (00000001) TCP streaming (out) (cpas)
        3: - 1ffff50 (ffffffff8b3c40b0) (00000001) passive streaming (out) (pass_str)
        4: - 1f00000 (ffffffff8b66f6f0) (00000001) Stateless verifications (out) (asm)
        5: -     1ff (ffffffff8aeec0a0) (00000001) NAC Packet Outbound (nac_tag)
        6:         0 (ffffffff8b8506a0) (00000001) fw VM outbound (fw)
        7:        10 (ffffffff8b842710) (00000001) fw post VM outbound  (post_vm)
        8:  15000000 (ffffffff8b062540) (00000003) QoS outbound offload chain modul (fg_pol)
        9:  21000000 (ffffffff8b0638d0) (00000003) QoS slowpath outbound chain mod (fg_sched)
        10:  70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (IP side)
        11:  7f000000 (ffffffff8b7fd6c0) (00000001) fw accounting outbound (acct)
        12:  7f700000 (ffffffff8b0e4660) (00000001) TCP streaming post VM (cpas)
        13:  7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (out) (ipopt_res)
        14:  7f900000 (0000000000000000) (00000000) SecureXL outbound (sxl_out)
        15:  7fa00000 (0000000000000000) (00000000) SecureXL deliver (sxl_deliver)
[Expert@MyGW:0]#

Examples for the "-e" parameter

[Expert@HostName]# fw monitor -e "accept;" -o /var/log/fw_mon.cap

To specify a host, you can use one of these expressions:

  • Use "host(<IP_Address_in_Doted_Decimal_format>)", which applies to both Source IP address and Destination IP address

  • Use a specific Source IP address "src=<IP_Address_in_Doted_Decimal_format>" and a specific Destination IP address "dst=<IP_Address_in_Doted_Decimal_format>"

Example filters:

  • Capture everything between host X and host Y:

    [Expert@HostName]# fw monitor -e "host(x.x.x.x) and host(y.y.y.y), accept;" -o /var/log/fw_mon.cap

    [Expert@HostName]# fw monitor -e "((src=x.x.x.x , dst=y.y.y.y) or (src=y.y.y.y , dst=x.x.x.x)), accept;" -o /var/log/fw_mon.cap

  • Capture everything between hosts X,Z and hosts Y,Z in all Firewall kernel chains:

    [Expert@HostName]# fw monitor -p all -e "((src=x.x.x.x or dst=z.z.z.z) and (src=y.y.y.y or dst=z.z.z.z)), accept ;" -o /var/log/fw_mon.cap

  • Capture everything to/from host X or to/from host Y or to/from host Z:

    [Expert@HostName]# fw monitor -e "host(x.x.x.x) or host(y.y.y.y) or host(z.z.z.z), accept;" -o /var/log/fw_mon.cap

    [Expert@HostName]# fw monitor -e "((src=x.x.x.x or dst=x.x.x.x) or (src=y.y.y.y or dst=y.y.y.y) or (src=z.z.z.z or dst=z.z.z.z)), accept;" -o /var/log/fw_mon.cap

Note - You must specify port numbers in Decimal format. Refer to the /etc/services file on the Security Gateway, or to IANA Service Name and Port Number Registry.

To specify a port, you can use one of these expressions:

  • Use "port(<IANA_Port_Number>)", which applies to both Source Port and Destination Port

  • Use a specific Source Port "sport=<IANA_Port_Number>" and a specific Destination Port "dport=<IANA_Port_Number>"

  • In addition:

    • For specific TCP port, you can use "tcpport(<IANA_Port_Number>)", which applies to both Source TCP Port and Destination TCP Port

    • For specific UDP port, you can use "udpport(<IANA_Port_Number>)", which applies to both Source UDP Port and Destination UDP Port

Example filters:

  • Capture everything to/from port X:

    [Expert@HostName]# fw monitor -e "port(x), accept;" -o /var/log/fw_mon.cap

    [Expert@HostName]# fw monitor -e "(sport=x or dport=x), accept;" -o /var/log/fw_mon.cap

  • Capture everything except port X:

    [Expert@HostName]# fw monitor -e "((sport=!x) or (dport=!x)), accept;" -o /var/log/fw_mon.cap

    [Expert@HostName]# fw monitor -e "not (sport=x or dport=x), accept;" -o /var/log/fw_mon.cap

  • Capture everything except SSH:

    [Expert@HostName]# fw monitor -e "((sport!=22) or (dport!=22)), accept;" -o /var/log/fw_mon.cap

    [Expert@HostName]# fw monitor -e "not (sport=22 or dport=22), accept;" -o /var/log/fw_mon.cap

    [Expert@HostName]# fw monitor -e "not tcpport(22), accept;" -o /var/log/fw_mon.cap

  • Capture everything to/from host X except SSH:

    [Expert@HostName]# fw monitor -e "(host(x.x.x.x) and (sport!=22 or dport!=22)), accept;" -o /var/log/fw_mon.cap

    [Expert@HostName]# fw monitor -e "((src=x.x.x.x or dst=x.x.x.x) and (not (sport=22 or dport=22))), accept;" -o /var/log/fw_mon.cap

    [Expert@HostName]# fw monitor -e "(host(x.x.x.x) and not tcpport(22)), accept;" -o /var/log/fw_mon.cap

  • Capture everything except NTP:

    [Expert@HostName]# fw monitor -e "not udpport(123), accept;" -o /var/log/fw_mon.cap

Note - You must specify protocol numbers in Decimal format. Refer to the /etc/protocols file on the Security Gateway, or to IANA Protocol Numbers.

To specify a protocol, you can use one of these expressions:

  • Use "ip_p=<IANA_Protocol_Number>"

    Examples:

    • To specify TCP protocol with byte offset, use "ip_p=6"

    • To specify UDP protocol with byte offset, use "ip_p=11"

    • To specify ICMP protocol with byte offset, use "ip_p=1"

  • Use "accept [9:1]=<IANA_Protocol_Number>"

    Examples:

    • To specify TCP protocol with byte offset, use "accept [9:1]=6"

    • To specify UDP protocol with byte offset, use "accept [9:1]=11"

    • To specify ICMP protocol with byte offset, use "accept [9:1]=1"

  • In addition, you can explicitly use these expressions to specify protocols:

    Which protocol to specify

    On which port(s) traffic is captured

    Expression

    TCP

    N / A

    "tcp, accept;"

    UDP

    N / A

    "udp, accept;"

    ICMPv4

    N / A

    "icmp, accept;"

    or

    "icmp4, accept;"

    ICMPv6

    N / A

    "icmp6, accept;"

    HTTP

    TCP 80

    "http, accept;"

    HTTPS

    TCP 443

    "https, accept;"

    PROXY

    TCP 8080

    "proxy, accept;"

    DNS

    UDP 53

    "dns, accept;"

    IKE

    UDP 500

    "ike, accept;"

    NAT-T

    UDP 4500

    "natt, accept;"

    ESP and IKE

    IP proto 50 and UDP 500

    "vpn, accept;"

    All VPN-related data:

    1. ESP

    2. IPsec over UDP

    3. IKE

    4. NAT-T

    5. CRL

    6. RDP

    7. Tunnel Test

    8. Topology

    9. L2TP

    10. SCV

    11. Multi-Portal

    12. and so on

    1. IP proto 50

    2. UDP 2746

    3. UDP 500

    4. UDP 4500

    5. TCP 18264

    6. UDP 259

    7. UDP 18234

    8. TCP 264

    9. TCP 1701

    10. UDP 18233

    11. TCP 443 + TCP 444

    12. and so on

    "vpnall, accept;"

    Multi-Portal connections

    TCP 443 and TCP 444

    "multi, accept;"

    SSH

    TCP 22

    "ssh, accept;"

    FTP

    TCP 20 and TCP 21

    "ftp, accept;"

    Telnet

    TCP 23

    "telnet, accept;"

    SMTP

    TCP 25

    "smtp, accept;"

    POP3

    TCP 110

    "pop3, accept;"

Example filters:

  • Filter to capture everything on protocol X:

    [Expert@HostName]# fw monitor -e "ip_p=X, accept;" -o /var/log/fw_mon.cap

  • Filter to capture rverything on protocol X and port Z on protocol Y:

    [Expert@HostName]# fw monitor -e "(ip_p=X) or (ip_p=Y, port(Z)), accept;" -o /var/log/fw_mon.cap

  • Filter to capture capture everything TCP between host X and host Y:

    [Expert@HostName]# fw monitor -e "ip_p=6, host(x.x.x.x) or host(y.y.y.y), accept;" -o /var/log/fw_mon.cap

    [Expert@HostName]# fw monitor -e "tcp, host(x.x.x.x) or host(y.y.y.y), accept;" -o /var/log/fw_mon.cap

    [Expert@HostName]# fw monitor -e "accept [9:1]=6 , ((src=x.x.x.x , dst=y.y.y.y) or (src=y.y.y.y , dst=x.x.x.x));"

    [Expert@HostName]# fw monitor -e "ip_p=6, ((src=x.x.x.x , dst=y.y.y.y) or (src=y.y.y.y , dst=x.x.x.x)), accept;" -o /var/log/fw_mon.cap

Note - Refer to the $FWDIR/lib/tcpip.def file on Security Gateway.

Option Description

Expression

Example

Source IPv4 address of the IPv4 packet

ip_src = <IPv4_Address>

fw monitor -e "ip_src = 192.168.22.33, accept;"

Destination IPv4 address of the IPv4 packet

ip_dst = <IPv4_Address>

fw monitor -e "ip_dst = 192.168.22.33, accept;"

Time To Live of the IPv4 packet

ip_ttl = <Number>

fw monitor -e "ip_ttl = 255, accept;"

Total Length of the IPv4 packet in bytes

ip_len = <Length_in_Bytes>

fw monitor -e "ip_len = 64, accept;"

TOS field of the IPv4 packet

ip_tos = <Number>

fw monitor -e "ip_tos = 0, accept;"

IANA Protocol Number (either in Dec or in Hex) encapsulated in the IPv4 packet

ip_p = <IANA_Protocol_Number>

Example for TCP:

fw monitor -e "ip_p = 6, accept;"

Examples for UDP:

fw monitor -e "ip_p = 17, accept;"

fw monitor -e "ip_p = 0x11, accept;"

Example for ICMPv4:

fw monitor -e "ip_p = 1, accept;"

Option Description

Expression

Example

Source IPv6 address of the IPv6 packet

ip_src6p = <IPv6_Address>

fw monitor -e "ip_src6p = 0:0:0:0:0:ffff:c0a8:1621, accept;"

Destination IPv6 address of the IPv6 packet

ip_dst6p = <IPv6_Address>

fw monitor -e "ip_dst6p = 0:0:0:0:0:ffff:c0a8:1621, accept;"

Payload Length of the IPv6 packet in bytes

ip_len6 = <Length_in_Bytes>

fw monitor -e "ip_len6 = 1000, accept;"

Hop Limit ("Time To Live") of the IPv6 packet

ip_ttl6 = <Number>

fw monitor -e "ip_ttl6 = 255, accept;"

Next Header of the IPv6 packet - encapsulated IANA Protocol Number

ip_p6 = <IANA_Protocol_Number>

fw monitor -e "ip_p6 = 6, accept;"

Option Description

Expression

Example

SYN flag is set in TCP packet

syn

fw monitor -e "ip_p = 6, syn, accept;"

ACK flag is set in TCP packet

ack

fw monitor -e "ip_p = 6, ack, accept;"

RST flag is set in TCP packet

rst

fw monitor -e "ip_p = 6, rst, accept;"

FIN flag is set in TCP packet

fin

fw monitor -e "ip_p = 6, fin, accept;"

First packet of TCP connection

(SYN flag is set, but ACK flag is not set in TCP packet)

first

fw monitor -e "ip_p = 6, first, accept;"

Not the first packet of TCP connection

(SYN flag is not set in TCP packet)

not_first

fw monitor -e "ip_p = 6, not_first, accept;"

Established TCP connection

(either ACK flag is set, or SYN flag is not set in TCP packet)

established

fw monitor -e "ip_p = 6, established, accept;"

Last packet of TCP connection

(both ACK flag and FIN flag are set in TCP packet)

last

fw monitor -e "ip_p = 6, last, accept;"

End of TCP connection

(either RST flag is set, or FIN flag is set in TCP packet)

tcpdone

fw monitor -e "ip_p = 6, tcpdone, accept;"

General way to match the flags inside in TCP packets

th_flags = <Sum_of_Flags_Hex_Values>

TCP Flag

Example

SYN (0x2)

fw monitor -e "th_flags = 0x2, accept;"

ACK (0x10)

fw monitor -e "th_flags = 0x10, accept;"

PSH (0x8)

fw monitor -e "th_flags = 0x8, accept;"

FIN (0x1)

fw monitor -e "th_flags = 0x1, accept;"

RST (0x4)

fw monitor -e "th_flags = 0x4, accept;"

URG (0x20)

fw monitor -e "th_flags = 0x20, accept;"

SYN + ACK

fw monitor -e "th_flags = 0x12, accept;"

PSH + ACK

fw monitor -e "th_flags = 0x18, accept;"

FIN + ACK

fw monitor -e "th_flags = 0x11, accept;"

RST + ACK

fw monitor -e "th_flags = 0x14, accept;"

TCP source port

th_sport = <Port_Number>

fw monitor -e "th_sport = 59259, accept;"

TCP destination port

th_dport = <Port_Number>

fw monitor -e "th_dport = 22, accept;"

TCP sequence number (either in Dec or in Hex)

th_seq = <Number>

Example for Dec format:

fw monitor -e "th_seq = 3937833514, accept;"

Example for Hex format:

fw monitor -e "th_seq = 0xeab6922a, accept;"

TCP acknowledged number (either in Dec or in Hex)

th_ack = <Number>

Example for Dec format:

fw monitor -e "th_ack = 509054325, accept;"

Example for Hex format:

fw monitor -e "th_ack = 0x1e578d75, accept;"

Option Description

Expression

Example

UDP source port

uh_sport = <Port_Number>

fw monitor -e "uh_sport = 53, accept;"

UDP destination port

uh_dport = <Port_Number>

fw monitor -e "uh_dport = 53, accept;"

Option Description

Expression

Example

ICMPv4 packets with specified Type

icmp_type = <Number>

fw monitor -e "icmp_type = 0, accept;"

ICMPv4 packets with specified Code

icmp_code = <Number>

fw monitor -e "icmp_code = 0, accept;"

ICMPv4 packets with specified Identifier

icmp_id = <Number>

fw monitor -e "icmp_id = 20583, accept;"

ICMPv4 packets with specified Sequence number

icmp_seq = <Number>

fw monitor -e "icmp_seq = 1, accept;"

ICMPv4 Echo Request packets (Type 8, Code 0)

echo_req

fw monitor -e "echo_req, accept;"

ICMPv4 Echo Reply packets (Type 0, Code 0)

echo_reply

fw monitor -e "echo_reply, accept;"

ICMPv4 Echo Request and ICMPv4 Echo Reply packets

ping

fw monitor -e "ping, accept;"

Traceroute packets as implemented in Unix OS

(UDP packets on ports above 30000 and

with TTL<30; or ICMP Time exceeded packets)

traceroute

fw monitor -e "traceroute, accept;"

Traceroute packets as implemented in Windows OS

(ICMP Request packets with TTL<30;

or ICMP Time exceeded packets)

tracert

fw monitor -e "tracert, accept;"

Length of ICMPv4 packets

icmp_ip_len = <length>

fw monitor -e "icmp_ip_len = 84, accept;"

Option Description

Expression

Example

ICMPv6 packets with specified Type

icmp6_type = <Number>

fw monitor -e "icmp6_type = 1, accept;"

ICMPv6 packets with specified Code

icmp6_code = <Number>

fw monitor -e "icmp6_code = 3, accept;"

Syntax:

fw monitor -e "accept [ <Offset> : <Length> , <Byte Order> ] <Relational-Operator> <Value>;"

Parameters:

Parameter

Explanation

<Offset>

Specifies the offset relative to the beginning of the IP packet from where the value should be read.

<Length>

Specifies the number of bytes:

  • 1 = byte

  • 2 = word

  • 4 = dword

If length is not specified, FW Monitor assumes 4 (dword).

<Byte Order>

Specifies the byte order:

  • b = big endian, or network order

  • l = little endian, or host order

If order is not specified, FW Monitor assumes little endian byte order.

<Relational-Operator

Relational operator to express the relation between the packet data and the value:

  • < - less than

  • > - greater than

  • <= - less than or equal to

  • >= - greater than

  • = or is - equal to

  • != or is not - not equal to

<Value>

One of the data types known to INSPECT (for example, an IP address, or an integer).

Explanations:

  • The IP-based protocols are stored in the IP packet as a byte at offset 9.

    • To filter based on a Protocol encapsulated into IP, use this syntax:

      [Expert@HostName]# fw monitor -e "accept [9:1]=<IANA_Protocol_Number>;"

  • The Layer 3 IP Addresses are stored in the IP packet as double words at offset 12 (Source address) and at offset 16 (Destination address).

    • To filter based on a Source IP address, use this syntax:

      [Expert@HostName]# fw monitor -e "accept [12:4,b]=<IP_Address_in_Doted_Decimal_format>;"

    • To filter based on a Destination IP address, use this syntax:

      [Expert@HostName]# fw monitor -e "accept [16:4,b]=<IP_Address_in_Doted_Decimal_format>;"

  • The Layer 4 Ports are stored in the IP packet as a word at offset 20 (Source port) and at offset 22 (Destination port).

    • To filter based on a Source port, use this syntax:

      [Expert@HostName]# fw monitor -e "accept [20:2,b]=<Port_Number_in_Decimal_format>;"

    • To filter based on a Destination port, use this syntax:

      [Expert@HostName]# fw monitor -e "accept [22:2,b]=<Port_Number_in_Decimal_format>;"

Example filters:

  • Capture everything between host X and host Y:

    [Expert@HostName]# fw monitor -e "accept (([12:4,b]=x.x.x.x , [16:4,b]=y.y.y.y) or ([12:4,b]=y.y.y.y , [16:4,b]=x.x.x.x));"

  • Capture everything on port X:

    [Expert@HostName]# fw monitor -e "accept [20:2,b]=x or [22:2,b]=x;" -o /var/log/fw_mon.cap

You must specify the network address and length of network mask (number of bits).

There are 3 options:

Traffic direction

Expression

To or From a network

"net(<Network_IP_Address>, <Mask_Length>), accept;"

To a network

"to_net(<Network_IP_Address>, <Mask_Length>), accept;"

From a network

"from_net(<Network_IP_Address>, <Mask_Length>), accept;"

Example filters:

  • Capture everything to/from network 192.168.33.0 / 24:

    [Expert@HostName]# fw monitor -e "net(192.168.33.0, 24), accept;"

  • Capture everything sent to network 192.168.33.0 / 24:

    [Expert@HostName]# fw monitor -e "to_net(192.168.33.0, 24), accept;"

  • Capture everything sent from network 192.168.33.0 / 24:

    [Expert@HostName]# fw monitor -e "from_net(192.168.33.0, 24), accept;"

Filter in only TCP protocol, and HTTP and HTTPS ports

Filter out the SSH and FW Logs

[Expert@HostName]# fw monitor -e "accept (ip_p=6) and (not (sport=22 or dport=22)) and (not (sport=257 or dport=257)) and ((dport=80 or dport=443) or (sport=80 or sport=443);" -o /var/log/fw_mon.cap

Examples for the "-F" parameter

You can specify up to 5 capture filters with this parameter (up to 5 instances of the "-F" parameter in the syntax).

The FW Monitor performs the logical "OR" between all specified simple capture filters.

Value 0 is used as "any".

[Expert@HostName]# fw monitor -F "0,0,0,0,0" -o /var/log/fw_mon.cap

  • Capture all traffic from Source IP x.x.x.x (any port) to Destination IP y.y.y.y (any port), over all protocols:

    [Expert@HostName]# fw monitor -F "x.x.x.x,0,y.y.y.y,0,0" -o /var/log/fw_mon.cap

  • Capture all traffic between Host x.x.x.x (any port) and Host y.y.y.y (any port), over all protocols:

    [Expert@HostName]# fw monitor -F "x.x.x.x,0,y.y.y.y,0,0" -F "y.y.y.y,0, x.x.x.x ,0,0" -o /var/log/fw_mon.cap

  • Capture traffic from any Source IP from Source Port X to any Destination IP to Destination Port Y, over all protocols:

    [Expert@HostName]# fw monitor -F "0,x,0,y,0" -o /var/log/fw_mon.cap

  • Capture traffic between all hosts, between Port X and Port Y, over all protocols:

    [Expert@HostName]# fw monitor -F "0,x,0,y,0" -F "0,y,0,x,0" -o /var/log/fw_mon.cap

  • Capture traffic between all hosts, between all ports, over a Protocol with assigned number X:

    [Expert@HostName]# fw monitor -F "0,0,0,0,x" -o /var/log/fw_mon.cap

[Expert@HostName]# fw monitor -F "a.a.a.a,b,c.c.c.c,d,e" -F "c.c.c.c,d,a.a.a.a,b,e" -o /var/log/fw_mon.cap

To capture only HTTP traffic between the Client 1.1.1.1 and the Server 2.2.2.2:

fw montior –F "1.1.1.1,0,2.2.2.2,80,6" –F "2.2.2.2,80,1.1.1.1,0,6" -o /var/log/fw_mon.cap