topic Re: Traffic capture with FW MONITOR in Firewall and Security Management

Traffic capture with FW MONITOR

Matlu — Tue, 01 Apr 2025 19:38:05 GMT

Hello, Mates.
What is the correct syntax to apply the “FW MONITOR” in troubleshooting moments, where you need to capture traffic?

Is it “fw monitor -e ....” or is it “fw monitor -F” ....

I see that some people use one over the other, but it seems to me that it is according to a matter of “preference” of each administrator.

If I want to capture traffic for example from this array:
IP SOURCE: 192.168.100.20
DESTINATION IP: 10.100.100.50
DESTINATION PORT: 4443

Which of the fw monitor syntaxes is the most “recommended” to apply in a GW?

Greetings.

Re: Traffic capture with FW MONITOR

Bob_Zimmerman — Tue, 01 Apr 2025 19:59:03 GMT

-e takes an INSPECT code fragment and effectively causes the firewall kernel to capture traffic which matches that fragment. This only works when the traffic actually makes it to the firewall kernel, though. SecureXL exists specifically to skip over this code, so when SecureXL is enabled, most of the capture points won't record anything.

-F is the current way to write filters. It's not very flexible. There's no way to specify a source or destination network, or a range of ports. That said, it works with SecureXL enabled. As long as the traffic you want to capture can fit into the five -F filter slots, it's the method to use.

Re: Traffic capture with FW MONITOR

Matlu — Tue, 01 Apr 2025 20:30:16 GMT

Hello,
If I have the SXL disabled on the box, the “fw monitor -F ...” filter will not work?
Do I have to enable SXL for it to work properly?

Could you share with me, what would be the syntax of the command, if I need to use this data in the “fw monitor”, please
IP SOURCE: 192.168.100.20
DESTINATION IP: 10.100.100.50
DESTINATION PORT: 4443

Thank you.

Re: Traffic capture with FW MONITOR

PhoneBoy — Tue, 01 Apr 2025 21:54:16 GMT

In general, the following website is helpful at showing you what the correct syntax is for packet captures of all kinds: https://tcpdump101.com/
@the_rock and I are both familiar with the guy behind it 🙂

To answer your specific question: fw monitor -F "192.168.100.20,0,10.100.100.50,4443,0" -F "10.100.100.50,4443,192.168.100.20,0,0"

Re: Traffic capture with FW MONITOR

the_rock — Tue, 01 Apr 2025 22:24:52 GMT

Yes sir, and he is still trying to make that site even better, when he got time, which is not often lol

Anyway, I will tell him you said hi 🙂

Andy

Re: Traffic capture with FW MONITOR

Matlu — Tue, 01 Apr 2025 22:28:49 GMT

Hey Bro.

To capture encrypted traffic, related to S2S VPN, the “fw monitor -F ....” filter is more than enough?

Or should the “-F” be replaced by “-e” in the command syntax?

🤙

Re: Traffic capture with FW MONITOR

the_rock — Tue, 01 Apr 2025 22:33:59 GMT

If its encrypted, you would probably never see big 0, but you can try either flag.

Andy

Re: Traffic capture with FW MONITOR

PhoneBoy — Tue, 01 Apr 2025 23:29:12 GMT

Encrypted traffic runs in SecureXL usually, so -F is still needed.
Note that you can have up to five -F statements in an fw monitor, which is enough to see both the IPsec traffic and an unencrypted flow.

Re: Traffic capture with FW MONITOR

the_rock — Tue, 01 Apr 2025 23:39:53 GMT

I keep forgetting 5 -F flags, tx for a reminder. I always say to people there is no limit to it, but most I had seen them run is 3 times lol

Andy

Re: Traffic capture with FW MONITOR

the_rock — Tue, 15 Apr 2025 01:04:03 GMT

Bro,

@Bob_Zimmerman described it perfectly, so, keep in mind, -e flag is not super useful if sxl is on, but -F would be.

Andy

Re: Traffic capture with FW MONITOR

Bob_Zimmerman — Wed, 02 Apr 2025 05:38:04 GMT

The -F filters are only supported by recent versions. I forget which first added it. On versions which support it, it works all the time, regardless of whether SecureXL is enabled or disabled. The filter is in the form of five values separated by commas like this: "0,0,0,0,0". A 0 in a field is a wildcard. The fields are source IP, source port, destination IP, destination port, and IP protocol.

Note that these filters are directional. If you want to catch a whole conversation, you need to use two filters. For the values you specified, I would run the capture like so:

fw monitor \ -F "192.168.100.20,0,10.100.100.50,4443,0" \ -F "10.100.100.50,4443,192.168.100.20,0,0" \ ...

The backslashes let me spread the command onto multiple lines. This helps catch errors in the filters, since the filters to catch both directions of a single conversation should be the same length. Replace the '...' with whatever other flags you want to add. -w to catch whole packets, -o <file> to write to a file, and so on.

Re: Traffic capture with FW MONITOR

Timothy_Hall — Wed, 02 Apr 2025 11:56:36 GMT

The -F flag for fw monitor was added in one of the Jumbo HFAs for R80.20 right around the time of the major rework of SecureXL. fw monitor -F is actually starting a filtered debug in the sim driver itself on the SND core which is why the syntax is so restrictive, but it does allow a full capture regardless of the state of SecureXL.

Re: Traffic capture with FW MONITOR

Matlu — Wed, 02 Apr 2025 13:36:25 GMT

Hi.

To capture ICMP traffic do you have to change the command syntax a lot?

If it is required to do an ICMP test between 192.168.10.100 and IP 172.16.100.10, the command syntax changes a lot?

Thank you.

Re: Traffic capture with FW MONITOR

Timothy_Hall — Wed, 02 Apr 2025 14:09:08 GMT

ICMP always goes slowpath, so you can use fw monitor -e if desired, obviously -F will work too.

Re: Traffic capture with FW MONITOR

Matlu — Wed, 02 Apr 2025 15:55:07 GMT

Hi.
On many occasions I often forget to turn off SXL, and so I want to run a 'FW Monitor...' that does not depend on SXL.
I understand that the best option in this case would be to apply the ‘F’ in the command syntax, right?
Greetings. 🙏

Re: Traffic capture with FW MONITOR

JaAnd — Wed, 02 Apr 2025 18:57:19 GMT

Hi,

in such case I would run

- g_ as I am happy user of Maestro - always suprises me 🙂

- I am assuming, that TCP is considered, thus I am using IANA number protocol of 6,

- I also like to see packets path so adding a -p all

- Sometimes I am adding -T, but only when someone is complaining about latency

g_fw monitor -F "192.168.100.20,0,10.100.100.50,4443,6" -F "10.100.100.50,4443,192.168.100.20,0,6" -p all

Re: Traffic capture with FW MONITOR

Timothy_Hall — Wed, 02 Apr 2025 19:13:50 GMT

Oof, be careful using the -p all option on a production gateway. Instead of showing each accepted packet 4-6 times (iIoO), -p all will show each accepted packet at least 40 times, basically as it transitions between each individual software chain module (fw ctl chain).

Re: Traffic capture with FW MONITOR

Bob_Zimmerman — Wed, 02 Apr 2025 19:34:03 GMT

Note the IP protocol is 0, the special wildcard value, in both of the filters I listed. If you just set the port to 0 as well, you will catch ICMP, TCP, UDP, ESP, whatever else between those two endpoints:

fw monitor \ -F "192.168.100.20,0,10.100.100.50,0,0" \ -F "10.100.100.50,0,192.168.100.20,0,0" \ ...

Re: Traffic capture with FW MONITOR

JaAnd — Wed, 02 Apr 2025 20:00:01 GMT

Good point, thanks ! I never had any issues while using this parameter, I have seen the warning of high CPU usage, but many (if not the most) of the CP debugging tools bare this badge 🤔

Luckily my setup is scaled very well - lot's of umff left for debugs. I should have added, that I will use -p only in case of "difficult customers", the beautiful output it gives might be overwhelming 🤣

And once again - THANK THANK THAAANK you Sir, for your last webinar, what a great knowledge booster ! I am still studying it, but I have already found solutions to some of the problems on my setup.

Re: Traffic capture with FW MONITOR

the_rock — Wed, 02 Apr 2025 20:42:38 GMT

I would say using -F flag is probably safest.

Andy