topic Re: How to read packet-captured file by fw monitor:R81.20 open server in Firewall and Security Management

How to read packet-captured file by fw monitor:R81.20 open server

saitoh — Fri, 06 Sep 2024 05:07:31 GMT

Hi all,

I am testing how DLP works by FTPing text file containing non-existent organization identity.

The test itself turned out to be successful, apart from the point CP does not produce any alert mail.

I configured it with SmartDashboard to use internal AlmaLinux mail server.

In order to make the problem clear, I firstly tried fw monitor on the CP where DLP is working,

restaging the same scenario.

The console says something, so I read the captured file by cat, only to find it not human-friendly.

That is what I am having trouble with.

The two points I would like to make clear follows;

1. fw monitor file is supposed to be analysed with Wireshark? If so is there any specific procedure to

make it Wireshark-readable?

2. What else do you suggest I should check in this case?

I have only a few month experience of CP and Linux system.

Therefore, your personal experience as well as documentation would much appreciated.

Thanks in advance,

Shuto

Re: How to read packet-captured file by fw monitor:R81.20 open server

AkosBakos — Fri, 06 Sep 2024 07:30:45 GMT

Hi @saitoh

Here is a discussion about this:

https://community.checkpoint.com/t5/General-Topics/Wireshark-modification-for-FW-Monitor-files/td-p/40953

Check it!

Akos

Re: How to read packet-captured file by fw monitor:R81.20 open server

saitoh — Tue, 10 Sep 2024 08:39:23 GMT

P.S.

I just tried extracting the file, made it .pcap and let Wireshark read it.

Wireshark shows what I expect to see, but it contains no smtp traffic.

Anyway I solve how to read fw monitored file somehow.

(Any comments to this procedure is more than appreciated! I just extracted, renamed, and Wiresharked it. Is that good enough?)

Since it contains no smtp traffic, there are two possible causes:

1. simply misoptioned fw monitor command, resulting in capturing non-related traffics.

2. not configured enough associated with alertmail

Re: How to read packet-captured file by fw monitor:R81.20 open server

PhoneBoy — Fri, 06 Sep 2024 12:52:21 GMT

I assume you followed the sk on this topic (referenced in the thread @AkosBakos pointed to): https://support.checkpoint.com/results/sk/sk39510

What precise fw monitor syntax did you use the capture traffic?
Also; what version/JHF since that does matter to a degree.

Re: How to read packet-captured file by fw monitor:R81.20 open server

Timothy_Hall — Fri, 06 Sep 2024 13:13:49 GMT

The reason that you are experiencing difficulty is that fw monitor writes its raw packet capture output (via -o) in Sun snoop format, whereas tcpdump via -w saves it in pcap format. There is no way I know of to "replay" or make human readable a raw fw monitor capture file from the CLI of Gaia, unless you want to feed it to something like cpmonitor (sk103212) for statistical analysis. pcap captures can be replayed by tcpdump, but tcpdump does not understand snoop format. In the old days on Solaris the snoop command itself could be used to replay these captures, but that command is long gone. Wireshark has to be used now as it can still decode snoop format.

sk39510 and such only talk about how to display the iIoO capture points in Wireshark and adjust the colorization to adapt to the same packet being shown more than once. This is all covered in my Max Capture: Know Your Packets self-guided video course.

Re: How to read packet-captured file by fw monitor:R81.20 open server

saitoh — Tue, 10 Sep 2024 02:32:19 GMT

Hi Akos,

Thank you for sharing the link!

I did not know I could modify the configuration of Wireshark like that.

I will try testing it.

Saitoh

Re: How to read packet-captured file by fw monitor:R81.20 open server

saitoh — Tue, 10 Sep 2024 02:42:24 GMT

Hi PhoneBoy,

I actually did not know that I had to make changes to the configuration of Wireshark.

I somehow surmised fw monitor capture should be able to be analysed by Wireshark.

The syntax I used is as follows.

#fw monitor -d -ci 100 -co 100 -F “10.11.1.1,0” -F “10.31.10.110,25” -o /var/log/fwmonitor -w

Also, R81.20 built 631 with Accumulator T76, and T53 installed.

Saitoh

Re: How to read packet-captured file by fw monitor:R81.20 open server

saitoh — Tue, 10 Sep 2024 02:58:13 GMT

Hi Tim,

Thanks for the highly detailed explanation!

This helps me a lot as it contains the term I did not get to see. I have learnt new things!

Other community members are also telling me that I can actually analyse fw monitor capture by adjusting Wireshark a little.

So I am going to start that point to make it clear whether I did not see any smtp packet because I misconfigured CP or mis-syntaxed fw monitor.

Saitoh

Re: How to read packet-captured file by fw monitor:R81.20 open server

saitoh — Wed, 11 Sep 2024 00:26:47 GMT

Dear all that thankfully helped me a lot,

The cause why CP does not produce any alert email is still unclear, and

somehow my test environment is not working as I expect.

Therefore I recreate it, and test alert mail function the other way than DLP.

Even though I was not able to find out the root cause,

your comments are really instructive in light of the format of fw monitor-captured file.

(especially Snoop format is intriguing to me since I have never heard of it!)

Much appreciated to three legends; @AkosBakos , @PhoneBoy , @Timothy_Hall!

Thanks to your advice I successfully open fw monitor capture file by Wireshark and analysed it.

There is was smtp negotiation observed, so perhaps I should check CP config with detail.

Saitoh