Wireshark modification for FW Monitor files

Document created by Maarten Sjouw on Feb 4, 2019
Version 1

This describes how Check Point used to modify Ethereal, which it called CPEthereal. Ethereal has since moved on to become Wireshark, and the same result can be had with a stock Wireshark by changing a few settings.


To customize Wireshark to properly read and interpret FW Monitor files, do the following:
From the Edit menu choose Preferences, go to Protocols > Ethernet and select the ‘Attempt to interpret as Firewall-1 monitor file’ option.


Under Columns, add a new column, name it Interface, and from the list of possible field types choose “FW-1 monitor if/direction”.


Now you will be able to properly read FW Monitor files. To make the result more readable you can also add some colorization rules: go to the View menu and choose the Coloring rules option.


Add these new rules:

After creating them, move these rules to the top of the list, since Wireshark applies the first rule that matches a packet.
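For working on these captures from the command line, the same two settings (the Ethernet "interpret as Firewall-1 monitor file" option and the Interface column) can be handed to tshark as overrides or written once into a dedicated configuration profile that both tshark and the Wireshark GUI will use. The script below is an added example; it is not part of the original post and not Check Point's or Wireshark's own tooling. It assumes the preference key eth.interpret_as_fw1_monitor behind the checkbox, the column format code %I for "FW-1 monitor if/direction", and the profile directory ~/.config/wireshark/profiles; the helper names (fw1_write_profile, fw1_list, fw1_list_oneoff, fw1_check_build, WIRESHARK_CONFIG_DIR) are its own. fw1_check_build confirms the first two assumptions against the installed build's own reports.

```sh
#!/bin/sh
# Added example, not part of the original post: the tshark/profile
# counterpart of the GUI steps above, for working on "fw monitor -o"
# captures from the command line or in batch.
#
# Assumptions (confirm them against your build with fw1_check_build):
#   - the Ethernet preference behind the checkbox is eth.interpret_as_fw1_monitor
#   - the built-in "FW-1 monitor if/direction" column has format code %I
#   - per-profile settings live under ~/.config/wireshark/profiles/NAME
set -eu

# Column list used for both the profile and the one-off tshark run:
# the default columns with the Interface column inserted after Time.
FW1_COLUMNS='"No.", "%m", "Time", "%t", "Interface", "%I", "Source", "%s", "Destination", "%d", "Protocol", "%p", "Length", "%L", "Info", "%i"'

# Path of a named configuration profile. WIRESHARK_CONFIG_DIR is this
# script's own override for builds that keep profiles elsewhere.
fw1_profile_dir() {
    printf '%s/profiles/%s\n' "${WIRESHARK_CONFIG_DIR:-$HOME/.config/wireshark}" "$1"
}

# Write a profile carrying the two settings from the post: the Ethernet
# "interpret as Firewall-1 monitor file" option and the Interface column.
# Usage: fw1_write_profile DIR
fw1_write_profile() {
    dir="$1"
    mkdir -p "$dir"
    {
        printf '# Wireshark profile for Check Point "fw monitor -o" captures\n'
        printf 'eth.interpret_as_fw1_monitor: TRUE\n'
        printf 'gui.column.format: %s\n' "$FW1_COLUMNS"
    } > "$dir/preferences"
}

# Print the packet list of a capture using that profile, creating the
# profile on first use. Usage: fw1_list CAPTURE [PROFILE_NAME]
fw1_list() {
    capture="$1"
    profile="${2:-fw-monitor}"
    dir=$(fw1_profile_dir "$profile")
    [ -f "$dir/preferences" ] || fw1_write_profile "$dir"
    tshark -C "$profile" -r "$capture"
}

# Same result without touching any profile: both settings as -o overrides.
# Usage: fw1_list_oneoff CAPTURE
fw1_list_oneoff() {
    tshark -r "$1" \
        -o eth.interpret_as_fw1_monitor:TRUE \
        -o "gui.column.format:$FW1_COLUMNS"
}

# Check the assumed names against the installed build. With set -e the
# script stops at the first grep that finds nothing.
fw1_check_build() {
    tshark -G currentprefs | grep -F 'eth.interpret_as_fw1_monitor'
    tshark -G column-formats | grep -F 'FW-1 monitor'
}
```

Run fw1_check_build once per Wireshark installation before relying on the other functions; it prints the matching preference and column lines, so a silent stop means one of the assumed names is not in your build. The coloring rules from the post are not covered here: they belong in the colorfilters file of the same profile directory, next to preferences.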


The result (this was a very old capture file from a Nokia):

Regards, Maarten.
