FW monitor -F syntax

I don't understand why they nerfed 'fw monitor -e' in favor of 'fw monitor -F'? My opinions aside ノಠ_ಠノ, how do we convert old syntax such as this:

fw monitor -e "accept net(13.64.0.0,11) and host(10.0.0.1);"

how do I do that with -F?

2 Replies

You don't. -F is a simple capture filter that relies on Kernel Debug filters and doesn't support supernetting. However, it supports using wildcards.

So you have two options:

  1. fw monitor -F "10.0.0.1,0,13.*.*.*,0,0" -F "13.*.*.*,0,10.0.0.1,0,0"
  2. fwaccel off; fw monitor -e "accept net(13.64.0.0,11) and host(10.0.0.1);"; fwaccel on
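To make the "no supernetting, but wildcards" point concrete, here is an added example (my own code, not from the thread or from Check Point) that expands a CIDR into the per-octet wildcard patterns the -F tuple can express and renders the matching "src,sport,dst,dport,proto" filters for both directions, the way the reply's option 1 does. It assumes that '*' is accepted as "any value" for a whole octet and that 0 means "any" in the port and protocol fields, both as used in the reply; it does not assume any particular limit on how many -F arguments a release accepts, so check `fw monitor -h` on your gateway before pasting a long command line.

```python
import ipaddress
import itertools

# Field layout of one fw monitor -F capture filter, as used in the reply above:
#   "<src ip>,<src port>,<dst ip>,<dst port>,<protocol>"   with 0 meaning "any".
ANY = "0"


def cidr_to_octet_patterns(cidr):
    """Expand an IPv4 CIDR into the octet-wildcard patterns (e.g. 13.64.*.*)
    that -F understands.  Assumption: '*' matches any value of a whole octet,
    as in the reply's 13.*.*.* example.  A prefix on an octet boundary
    (/8, /16, /24, /32) is a single pattern; any other prefix length has to
    be enumerated, which is the practical cost of -F not doing supernetting."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("this example handles IPv4 only")
    octets = [int(o) for o in str(net.network_address).split(".")]
    fixed = net.prefixlen // 8      # octets fully pinned by the prefix
    rem = net.prefixlen % 8         # prefix bits spilling into the next octet
    choices = [[o] for o in octets[:fixed]]
    if rem:
        start = octets[fixed]       # mask-aligned, so start is a multiple of span
        span = 1 << (8 - rem)       # number of values the partial octet takes
        choices.append(list(range(start, start + span)))
    wild = ["*"] * (4 - len(choices))
    return [".".join([str(o) for o in combo] + wild)
            for combo in itertools.product(*choices)]


def build_capture_filters(cidr, host):
    """Both directions between a host and a network, one -F tuple per pattern
    and direction, mirroring the two-filter form used in the reply."""
    filters = []
    for pat in cidr_to_octet_patterns(cidr):
        filters.append(f"{host},{ANY},{pat},{ANY},{ANY}")   # host -> net
        filters.append(f"{pat},{ANY},{host},{ANY},{ANY}")   # net -> host
    return filters


def fw_monitor_command(cidr, host):
    """Render the full command line.  Assumption: the release accepts as many
    -F arguments as we emit; verify with `fw monitor -h` on the gateway."""
    return "fw monitor " + " ".join(f'-F "{f}"' for f in build_capture_filters(cidr, host))


if __name__ == "__main__":
    # The filter from the question: net(13.64.0.0,11) and host(10.0.0.1)
    for n in ("13.64.0.0/11", "13.64.0.0/16", "13.0.0.0/8"):
        f = build_capture_filters(n, "10.0.0.1")
        print(f"{n}: {len(f)} -F filters, first two: {f[:2]}")
    print(fw_monitor_command("13.0.0.0/8", "10.0.0.1"))
```

For 13.0.0.0/8 this reproduces the reply's two filters exactly; for the original 13.64.0.0/11 it needs 32 patterns per direction (13.64.*.* through 13.95.*.*), 64 -F tuples in total, which is what "doesn't support supernetting" costs you. If the gateway will not take that many filters, the reply's /8 approximation is the practical fallback: it over-captures the rest of 13.0.0.0/8, so write the capture to a file and narrow it afterwards with a display filter on the /11 in your analysis tool.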

Option 1 is not the same thing, and option 2 isn't really an option because fw monitor -e doesn't work anymore regardless of whether acceleration is turned on or off. It will not filter anything and instead spits back what I can only guess is all the traffic.

So basically Checkpoint has removed one of the best troubleshooting methods and that's that.  I can't believe that they've taken fw monitor away from us...
