796570686578
Collaborator

R80.40, fw monitor -F not capturing HTTP/Get & OK?

Hello everyone,

I am currently trying to get a better understanding of how "fw monitor" works and how to use it. For that, I am currently comparing output from R80.10 and R80.40 (take_67) in my Lab.

I am capturing http traffic from Host A to Webserver B. My topology looks like this:

Webserver B ---- FW R80.10  ---- FW R80.40 ---- Host A

Webserver B IP: 192.168.1.100

Host A: 172.16.10.150 - NAT to 67.83.0.1(FW R80.40)

I am capturing the traffic from Host A to Webserver B in both directions on both Gateways.

On R80.10 I disabled SecureXL to capture accelerated packets as well and on R80.40 I am using the -F flag to capture accelerated and non-accelerated traffic.

It works to a certain point, but I am running into an issue which I haven't found a solution for so far.

I can see the 3-way handshake in both captures, on R80.10 I see the HTTP/Get & OK but on R80.40 it is not being captured...

These are the filters I am using:

R80.10:

fwaccel off

fw monitor -e "accept (src=67.83.0.1 and dst=192.168.1.100) or (src=192.168.1.100 and dst=67.83.0.1);" -o fwmonR8010AccCap.pcap

R80.40:

fw monitor -F "172.16.10.150,0,192.168.1.100,80" -F "192.168.1.100,80,67.83.0.1,0" -o fwmonR8040AccCap.pcap

Can you tell me what I am doing wrong or missing here?
Thank you very much!!

Greetings,
con

PhoneBoy
Admin

Pretty sure you use the same syntax that you used in R80.10 on R80.40.
However, will admit the SK isn’t that clear on this.

See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

796570686578
Collaborator

Hey PhoneBoy,

thanks for your help! Unfortunately, this didn't show different results.

I have used the equivalent syntax on R80.40 as I did on R80.10 and still didn't capture the HTTP messages. I also disabled SecureXL beforehand on R80.40.

When using the -e Flag on R80.40 it actually says in the output: 

*** Using "-e" filter will not monitor accelerated traffic. To monitor and filter accelerated traffic please use the "-F" filter ***

I was able to start the capture but again only saw 3-Way HS & PSH,ACKs on R80.40 while on R80.10 I was able to capture the http packets.

I also read the SK, thanks for sharing it. What I gathered from it is that since R80.40, Accelerated Traffic will be captured by default and the "-F" flag can be used for that.

  • In R80.40, Default behavior will be to monitor all traffic.
  • Since R80.20 Jumbo take 73, using the "-e" flag will not filter accelerated traffic (all accelerated traffic will be monitored). To Filter accelerated traffic use the "-F" flag (exists from Jumbo take 73)
  • Since R80.20 Jumbo take 117, using the "-e" flag will filter out all accelerated traffic. To filter and monitor Accelerated traffic use "-F" (exists from Jumbo take 73)

From the R80.40 Admin Guide: 
"-F" - Specifies the capture filter (for both accelerated and non-accelerated traffic)

The more I read about it, the more I am convinced that it is not working as intended or I am making some major mistake...

Summary of capture Filters I have used so far on R80.40:

  • fw monitor
    • -F "172.16.10.150,0,192.168.1.100,80" -F "192.168.1.100,80,67.83.0.1,0"
    • -F "0,0,0,0,0" <- Capture everything
    • -F "172.16.10.150,0,192.168.1.100,0" -F "192.168.1.100,0,67.83.0.1,0" <- Capture all traffic between 2 hosts
    • -e "accept (src=172.16.10.150 and dst=192.168.1.100) or (src=192.168.1.100 and dst=67.83.0.1) or (src=67.83.0.1 and dst=192.168.1.100);"
    • -e "accept;" <- Capture everything

I really like the idea of capturing accelerated traffic without the need to disable SecureXL on the whole system. I will test this with other protocols as well and report back my findings 🙂

_Val_
Admin

I suspect even after disabling SecureXL, traffic is being accelerated: sk162492. In essence, you cannot disable SXL in R80.20 and above completely.

What to do to make sure no accelerated traffic is passing?

  • Disable acceleration on both cluster members
  • Fail over
  • Run traces on the new active member
796570686578
Collaborator

Good Morning Val!

Sorry, I might not have expressed my issue correctly. It's not that accelerated traffic isn't passing, it works fine. The issue is, that I am not able to capture it (No HTTP/Get & OK packets) with the -F filter. So I just tested it with the -e Flag as PhoneBoy suggested.

I will do a Fail over later and report back!

Maarten_Sjouw
Champion

You can replace -e "accept (src=172.16.10.150 and dst=192.168.1.100) or (src=192.168.1.100 and dst=67.83.0.1) or (src=67.83.0.1 and dst=192.168.1.100);" with this:

-e "accept (host(192.168.1.100) AND host(172.16.10.150)) OR (host(192.168.1.100) AND host(67.83.0.1));"

Regards, Maarten
796570686578
Collaborator

Hey Maarten,

thanks for that. Great way to simplify it and much easier to read! Thanks a lot 🙂

Václav_Brožík
Collaborator

You can replace -e "accept (host(192.168.1.100) AND host(172.16.10.150)) OR (host(192.168.1.100) AND host(67.83.0.1));" with this:

-e "accept host(192.168.1.100) and (host(172.16.10.150) or host(67.83.0.1));"

796570686578
Collaborator

I found the issue...😅

I had to use the "-w" flag as well in order to capture the GET & OK packets. I tried it with ftp as well and when not using the "-w" flag, these packets are not captured. Weird hmmm..

So the syntax would be: fw monitor -w -F etc.

But at least it works now 🙂 

-w

When using the -o/-x flag, there is an option to print the whole raw data of the packet.

Note: Relevant for R80.20 from Jumbo Hotfix Accumulator for R80.20 (Take 73). Currently, not relevant for R80.30.

Thanks for your help!
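The symptom in the final answer above (handshake present in the capture, GET and 200 OK segments missing until -w was added) is easiest to confirm by inspecting the resulting pcap itself. The following Python is an added example, not code from this thread or from Check Point: it builds a constructed capture of the same exchange and reports, per direction, how many TCP segments carry payload and which HTTP request/status lines appear. It assumes a classic pcap with raw IPv4 records (LINKTYPE_RAW, 101); a capture with a different link type would need its link-layer header stripped first.

```python
import struct
from collections import Counter

def tcp_segment(src, dst, sport, dport, flags, payload=b""):
    """Constructed IPv4+TCP packet (checksums left zero; enough for parsing)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp

def build_pcap(packets):
    """Little-endian classic pcap with LINKTYPE_RAW (101): IPv4 header at byte 0."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", i, 0, len(pkt), len(pkt)) + pkt
    return out

def iter_packets(data):
    """Yield each record's bytes from a classic pcap (either byte order)."""
    end = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack(end + "IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def summarize(data):
    """Per direction: header-only vs payload TCP segments, plus HTTP lines seen."""
    stats, http = Counter(), []
    for ip in iter_packets(data):
        if len(ip) < 40 or ip[0] >> 4 != 4 or ip[9] != 6:
            continue  # assumes raw IPv4 records; skip anything that is not IPv4/TCP
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
        tcp = ip[ihl:total]
        payload = tcp[(tcp[12] >> 4) * 4:]
        stats[(src, dst, "payload" if payload else "header-only")] += 1
        first = payload.split(b"\r\n", 1)[0]
        if first.startswith((b"GET ", b"POST ", b"HTTP/1.")):
            http.append(first.decode("ascii", "replace"))
    return stats, http

# Constructed sample: 3-way handshake (no payload), then GET and 200 OK.
A, B = "67.83.0.1", "192.168.1.100"
SAMPLE = build_pcap([
    tcp_segment(A, B, 40000, 80, 0x02), tcp_segment(B, A, 80, 40000, 0x12),  # SYN, SYN/ACK
    tcp_segment(A, B, 40000, 80, 0x10),                                      # ACK
    tcp_segment(A, B, 40000, 80, 0x18, b"GET / HTTP/1.1\r\nHost: b\r\n\r\n"),
    tcp_segment(B, A, 80, 40000, 0x18, b"HTTP/1.1 200 OK\r\n\r\n"),
])
```

Run summarize() over the file written by -o: a capture taken without -w would show only "header-only" entries and an empty HTTP list, which is exactly the difference the thread describes.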
