Wireshark modification for FW Monitor files

Document created by Maarten Sjouw on Feb 4, 2019

Version 1Show Document

Like • Show 4 Likes4
Comment • 2
View in full screen mode

This is the description of how Check Point used to modify Ethereal and called it CPEthereal, Ethereal has since moved on to become Wireshark.

To customize Wireshark to properly read and interpret FW Monitor files this is the way to do it:
From the Menu Edit choose Preferences, go to protocols Ethernet Select the ‘Attempt to interpret as Firewall-1 monitor file’ option

In the columns add a new column and name it Interface, from the possible fields choose “FW-1 monitor if/direction”

Now you will be able to properly read FW Monitor files but to make the result more readable you can also add some colorization rules by going to the View menu and choose the Coloring rules option

Add these new rules:

After creation move these rules to the top.

The result (this was a very old file capture on a Nokia):

Regards, Maarten.

5 people found this helpful

Attachments

Outcomes

2 Comments

Günther W. Albrecht Feb 5, 2019 4:07 AM
This is just an excerpt from sk39510: How to configure Wireshark to display Check Point FireWall chains in an FW Monitor packet without referencing the sk and leaving out a lot of details. Also, you may need sk43076: How to work with large traffic capture files !
1 person found this helpful
Like • Show 1 Like1
Actions
- Maarten Sjouw @ Günther W. Albrecht on Feb 5, 2019 8:16 AM
  Gunther,
  
  I have written and posted this text on CPUG around august 2008, so if there is any referencing to be made it would be the other way around.
  But to be frank, the way to view the packets as described above with colorization is not something they show in that SK.
  2 people found this helpful
  Like • Show 2 Likes2
  Actions

Wireshark modification for FW Monitor files

Attachments

Outcomes

Related Content

Recommended Content