This command allows you to monitor network traffic going through the FireWall-1 Kernel
Module. This is sort of like tcpdump except that it shows you what things look like
from the perspective of various parts of FireWall-1 and can be used to monitor all
interfaces simultaneously.
There are four "inspection" points as packets pass through FireWall-1. We choose where
we want to "see" packets with the -m option:
Before FireWall-1 processes the packet in the inbound direction (i or PREIN)
After FireWall-1 processes packet in the inbound direction (I or POSTIN)
Before FireWall-1 processes the packet in the outbound direction (o or PREOUT)
After FireWall-1 processes the packet in the outbound direction (O or POSTOUT)
Since there can be lots of packets, we need some way of determining which packets we are
interested in seeing. We do this by means of an INSPECT filter, which can be typed in
directly on the command line or supplied in an INSPECT filter file. One of these options
(-f or -e) is required.
Once you execute this command, FireWall-1 will compile the specified INSPECT script
(either from the command line or from a file), load it into the kernel module, and display
the matching packets in the terminal window or write them to the output file (which is in
snoop format). It will continue to do this until an interrupt signal is sent to the
program (Ctrl-C), after which it will unload the filter and exit.
The INSPECT script should return an "accept" in order for packets to be displayed. Any
other return code will cause packets not to be displayed. If you want to only catch
packets on a certain interface, do not use 'le0@all' (for example), but instead use
'direction=x,ifid=y' where x=0 for inbound, 1 for outbound, and y is an interface
number returned by the 'fw ctl iflist' command. Do not use table names that are used
by the security policy.
Command Line Options
-d Turn on dodebugptr
-D Turn on dodebugptr
-e Specify an INSPECT program line (multiple -e options can be used)
-f INSPECT filter name ('-' can be used to specify standard input). The -f and -e
options are mutually exclusive.
-l Specify how many bytes of the packet should be transferred from the kernel.
-m Specify inspection points mask, any one or more of i, I, o, O as explained above.
-o Specify an output file. They can be viewed with the 'snoop' command on Solaris.
This is only valid on 4.0 SP3 and later.
-x Perform a hex dump of the received data, starting at the specified offset and printing
out 'len' bytes.
Examples
fw monitor -e '[9:1]=6, accept\;' -l 100 -m iO -x 20 will display all TCP packets
entering and leaving FireWall-1. Up to 80 bytes of TCP header and data will be
displayed (assuming no IP Options are used).
fw monitor -e 'accept\;' -m iI will display all packets entering and exiting
FireWall-1 in the inbound direction (i.e. before the OS routes the packet).
fw monitor -e 'accept ifid=0,src=10.0.0.1 or dst=10.0.0.1\;' will show you all packets
on interface ID 0 coming from or going to 10.0.0.1. The value used for ifid
corresponds to a number given to an interface by FireWall-1. You can determine which
interface has which number by using the command fw ctl iflist.
fw monitor -e 'accept ifid=0,src=10.0.0.1 or dst=10.0.0.1,ip_p=47\;' does the same
thing as the previous command except it looks for packets of IP Protocol 47 only.
fw monitor -e 'accept tcp,dport=80 or sport=80,src=10.0.0.1 or dst=10.0.0.1\;' shows
all TCP packets going to or from 10.0.0.1 with either a source port of 80 or a
destination port of 80.
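The filter expressions above test raw IP header fields ('[9:1]' is byte offset 9, length 1, which is the IP protocol field, so '[9:1]=6' and 'ip_p=47' select TCP and GRE respectively), so a small byte-level model makes clear what each of them matches and why the '-x 20' example only works without IP Options. The following Python is an added example, not part of the Nokia text or Check Point's own code: it builds constructed IPv4/TCP and GRE packets, evaluates Python equivalents of the '[9:1]=6', 'ip_p=47' and 'tcp,dport=80 or sport=80' filters against them (the ifid clause is left out because there are no interfaces in a self-contained script), and shows that a hex dump starting at offset 20 lands on the TCP header only when the IP header has no options. All addresses, ports and option bytes are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

TCP, GRE = 6, 47  # IP protocol numbers used by the '[9:1]=6' and 'ip_p=47' examples


def build_ipv4(src, dst, proto, payload, options=b""):
    """Build a minimal IPv4 header (checksum left zero) followed by payload.
    options must be a multiple of 4 bytes; IHL grows to cover them."""
    if len(options) % 4:
        raise ValueError("IP options must be padded to a multiple of 4 bytes")
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + len(payload)
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl, 0, total_len, 0, 0, 64, proto, 0,
        IPv4Address(src).packed, IPv4Address(dst).packed,
    )
    return hdr + options + payload


def build_tcp(sport, dport):
    """Minimal 20-byte TCP header: ports, seq, ack, data offset 5, SYN flag, window."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)


def tcp_header_offset(pkt):
    """Where the transport header really starts: IHL (low nibble of byte 0) times 4."""
    return (pkt[0] & 0x0F) * 4


def fields(pkt):
    """Decode the fields the INSPECT examples refer to: ip_p ([9:1]), src, dst, ports."""
    off = tcp_header_offset(pkt)
    f = {
        "ip_p": pkt[9],  # the same byte the INSPECT expression [9:1] reads
        "src": str(IPv4Address(pkt[12:16])),
        "dst": str(IPv4Address(pkt[16:20])),
        "ihl": off,
    }
    if f["ip_p"] == TCP and len(pkt) >= off + 4:
        # Ports are read relative to IHL, so they are found even with IP options present
        f["sport"], f["dport"] = struct.unpack("!HH", pkt[off:off + 4])
    return f


# Python equivalents of the page's -e expressions (ifid clause omitted: no interfaces here)
FILTERS = {
    # fw monitor -e '[9:1]=6, accept\;'
    "all_tcp": lambda f: f["ip_p"] == TCP,
    # fw monitor -e 'accept ifid=0,src=10.0.0.1 or dst=10.0.0.1,ip_p=47\;'
    "gre_host": lambda f: f["ip_p"] == GRE and "10.0.0.1" in (f["src"], f["dst"]),
    # fw monitor -e 'accept tcp,dport=80 or sport=80,src=10.0.0.1 or dst=10.0.0.1\;'
    "http_host": lambda f: (
        f["ip_p"] == TCP
        and 80 in (f.get("sport"), f.get("dport"))
        and "10.0.0.1" in (f["src"], f["dst"])
    ),
}


def matches(filter_name, pkt):
    """True when the packet would be 'accept'ed by the named filter."""
    return FILTERS[filter_name](fields(pkt))


def hexdump_at(pkt, offset, length):
    """Model of '-x offset' with 'len' bytes: a fixed offset into the packet as captured,
    not relative to the transport header."""
    return pkt[offset:offset + length].hex()


# Constructed sample packets (not captured from a real firewall)
TCP_HTTP = build_ipv4("10.0.0.1", "192.0.2.10", TCP, build_tcp(40000, 80))
TCP_SSH = build_ipv4("192.0.2.10", "10.0.0.2", TCP, build_tcp(40001, 22))
GRE_PKT = build_ipv4("10.0.0.1", "192.0.2.10", GRE, b"\x00\x00\x08\x00")
# Same HTTP packet with a 4-byte Router Alert option: IHL becomes 6, TCP starts at 24
TCP_HTTP_OPTS = build_ipv4("10.0.0.1", "192.0.2.10", TCP, build_tcp(40000, 80),
                           options=b"\x94\x04\x00\x00")


def main():
    samples = [("TCP_HTTP", TCP_HTTP), ("TCP_SSH", TCP_SSH),
               ("GRE_PKT", GRE_PKT), ("TCP_HTTP_OPTS", TCP_HTTP_OPTS)]
    for name, pkt in samples:
        hits = [f for f in FILTERS if matches(f, pkt)]
        print(f"{name:14s} ihl={tcp_header_offset(pkt):2d} filters={hits}")
        # With '-x 20' the dump starts at byte 20: TCP ports only when IHL is 5
        print(f"{'':14s} bytes at offset 20: {hexdump_at(pkt, 20, 4)}")


if __name__ == "__main__":
    main()
```

Running the script shows that offset 20 of TCP_HTTP is the port pair 9c40 0050, while the same offset in TCP_HTTP_OPTS is the option 9404 0000, which is exactly the "assuming no IP Options are used" caveat attached to the '-x 20' example; the filters themselves are unaffected because ip_p, src and dst sit at fixed offsets in the IP header.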
Warnings
Don't mess with tables used in the security policy or unexpected behaviour may result
(including a system crash).
Packets are defragmented as they leave FireWall-1 in both the inbound and outbound
direction.
Anything that causes a fetch, load, or unload of your security policy will cause fw
monitor to exit.
If you are originating any Multicast routing packets from IPSO (for example, for OSPF
routing or routing multicast), this will cause the 'fw monitor' program to terminate
unless they are filtered out by the INSPECT script. This is because FireWall-1
attempts to associate a particular interface with these packets and is unable to. This
issue has been fixed in FireWall-1 4.1 SP2 build 20.
----- Original Message -----
From: "Arno Hechenberger" <[EMAIL PROTECTED]>
To: "'Victor Barrientos'" <[EMAIL PROTECTED]>; "FW-1 Mailing List (E-Mail)"
<[EMAIL PROTECTED]>
Sent: Monday, November 27, 2000 6:38 AM
Subject: AW: [FW1] fw monitor command
I should have a detailed explanation of fw monitor toooo !!!!
I have no account at NOKIA :-((
Arno
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On behalf of
Victor Barrientos
Sent: Wednesday, 02 August 2000 17:52
To: [EMAIL PROTECTED]
Subject: [FW1] fw monitor command
Can anyone explain the fw monitor command to me?
TIA
Victor Barrientos
Security Engineer
Tivoli Certified Consultant
RSA Security Certified RSA ACE/Server Engineer
Tel: 54-11-4819-3903
Fax: 54-11-4811-7103
Telefónica
unifon
www.unifon.com.ar
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================