https://community.checkpoint.com/t5/General-Topics/Wireshark-modification-for-FW-Monitor-files/m-p/40955#M8653 <HTML><HEAD></HEAD><BODY><P>Gunther,</P><P></P><P>I have written and<A href="https://www.cpug.org/forums/showthread.php/8625-Wireshark-modification-for-FW-Monitor-files?highlight=wireshark"> posted this text on CPUG&nbsp;</A>around august 2008, so if there is any referencing to be made it would be the other way around.</P><P>But to be frank, the way to view the packets as described above with colorization is not something they show in that SK.</P></BODY></HTML> Tue, 05 Feb 2019 16:16:44 GMT Maarten_Sjouw 2019-02-05T16:16:44Z https://community.checkpoint.com/t5/General-Topics/Wireshark-modification-for-FW-Monitor-files/m-p/40953#M8651 <HTML><HEAD></HEAD><BODY><P><SPAN style="color: #333333; background-color: #fafafa; font-size: 15px;">This is the description of how Check Point used to modify Ethereal and called it CPEthereal, Ethereal has since moved on to become Wireshark.</SPAN></P><P></P><P><SPAN style="font-size: 15px;"><SPAN style="color: #333333; background-color: #fafafa;">To customize&nbsp;</SPAN><SPAN class="" style="color: #417394; background: none repeat-x #ffeb90;">Wireshark</SPAN><SPAN style="color: #333333; background-color: #fafafa;">&nbsp;to properly read and interpret FW Monitor files this is the way to do it:</SPAN></SPAN><BR style="color: #333333; background-color: #fafafa; font-size: 13px;" /><SPAN style="color: #333333; background-color: #fafafa; font-size: 15px;">From the Menu Edit choose Preferences, go to protocols Ethernet Select the ‘Attempt to interpret as Firewall-1 monitor file’ option</SPAN></P><P></P><P><SPAN style="color: #333333; background-color: #fafafa; font-size: 15px;">In the columns add a new column and name it Interface, from the possible fields choose “FW-1 monitor if/direction”</SPAN></P><P></P><P><SPAN style="color: #333333; background-color: #fafafa; font-size: 15px;">Now you will be able to properly read FW Monitor files but to make the result more readable you can also add some colorization rules by going to the View menu and choose the Coloring rules option</SPAN></P><P></P><P><SPAN style="color: #333333; background-color: #fafafa; font-size: 15px;">Add these new rules:</SPAN></P><P><IMG class="image-1 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/78231_pastedImage_1.png" /><BR style="color: #333333; background-color: #fafafa; font-size: 13px;" /><SPAN style="color: #333333; background-color: #fafafa; font-size: 15px;">After creation move these rules to the top.</SPAN></P><P></P><P>The result (this was a very old file capture on a Nokia):</P><P><IMG class="image-2 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/78232_pastedImage_2.png" /></P><P><BR style="color: #333333; background-color: #fafafa; font-size: 13px;" /><SPAN style="color: #333333; background-color: #fafafa; font-size: 15px;">Regards, Maarten.</SPAN></P></BODY></HTML> Tue, 05 Feb 2019 06:27:35 GMT https://community.checkpoint.com/t5/General-Topics/Wireshark-modification-for-FW-Monitor-files/m-p/40953#M8651 Maarten_Sjouw 2019-02-05T06:27:35Z https://community.checkpoint.com/t5/General-Topics/Wireshark-modification-for-FW-Monitor-files/m-p/40954#M8652 <HTML><HEAD></HEAD><BODY><P>This is just an excerpt from&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk39510&amp;partition=General&amp;product=Other&quot;">sk39510: How to configure <STRONG>Wireshark</STRONG> to display Check Point FireWall chains in an FW Monitor packet</A>&nbsp;without referencing the sk and leaving out a lot of details. Also, you may need&nbsp;<A class="" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk43076&amp;partition=General&amp;product=Other&quot;">sk43076: How to work with large traffic capture files</A>&nbsp;!</P></BODY></HTML> Tue, 05 Feb 2019 12:07:08 GMT https://community.checkpoint.com/t5/General-Topics/Wireshark-modification-for-FW-Monitor-files/m-p/40954#M8652 G_W_Albrecht 2019-02-05T12:07:08Z https://community.checkpoint.com/t5/General-Topics/Wireshark-modification-for-FW-Monitor-files/m-p/40955#M8653 <HTML><HEAD></HEAD><BODY><P>Gunther,</P><P></P><P>I have written and<A href="https://www.cpug.org/forums/showthread.php/8625-Wireshark-modification-for-FW-Monitor-files?highlight=wireshark"> posted this text on CPUG&nbsp;</A>around august 2008, so if there is any referencing to be made it would be the other way around.</P><P>But to be frank, the way to view the packets as described above with colorization is not something they show in that SK.</P></BODY></HTML> Tue, 05 Feb 2019 16:16:44 GMT https://community.checkpoint.com/t5/General-Topics/Wireshark-modification-for-FW-Monitor-files/m-p/40955#M8653 Maarten_Sjouw 2019-02-05T16:16:44Z https://community.checkpoint.com/t5/General-Topics/Wireshark-modification-for-FW-Monitor-files/m-p/165177#M27533 <P>You can import a file with the following text</P><P>----------------------------------------------------</P><P>@FW1-o@fw1.direction contains "o"@[51657,63993,51400][0,0,0]<BR />@FW1-O@fw1.direction contains "O"@[36494,65535,46260][0,0,0]<BR />@FW1-oe@fw1.direction contains "oe"@[0,65535,0][21845,0,65535]<BR />@FW1-OE@fw1.direction contains "OE"@[0,57825,0][21845,0,65535]<BR />@FW1-i@fw1.direction contains "i"@[64764,55255,65535][0,0,0]<BR />@FW1-I@fw1.direction contains "I"@[65535,43690,65535][0,0,0]<BR />@FW1-id@fw1.direction contains "id"@[65535,21845,65535][21845,0,65535]<BR />@FW1-ID@fw1.direction contains "ID"@[65535,0,65535][21845,0,65535]</P> Wed, 14 Dec 2022 14:04:09 GMT https://community.checkpoint.com/t5/General-Topics/Wireshark-modification-for-FW-Monitor-files/m-p/165177#M27533 Thomas_Hesse 2022-12-14T14:04:09Z