This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Maarten_Sjouw
Champion
Champion
‎2019-02-04 10:27 PM
Jump to solution

Wireshark modification for FW Monitor files

This is the description of how Check Point used to modify Ethereal and called it CPEthereal, Ethereal has since moved on to become Wireshark.

To customize Wireshark to properly read and interpret FW Monitor files this is the way to do it:
From the Menu Edit choose Preferences, go to protocols Ethernet Select the ‘Attempt to interpret as Firewall-1 monitor file’ option

In the columns add a new column and name it Interface, from the possible fields choose “FW-1 monitor if/direction”

Now you will be able to properly read FW Monitor files but to make the result more readable you can also add some colorization rules by going to the View menu and choose the Coloring rules option

Add these new rules:


After creation move these rules to the top.

The result (this was a very old file capture on a Nokia):


Regards, Maarten.

Regards, Maarten
1 Solution

Accepted Solutions
G_W_Albrecht
MVP Silver
MVP Silver
‎2019-02-05 04:07 AM
Jump to solution

This is just an excerpt from sk39510: How to configure Wireshark to display Check Point FireWall chains in an FW Monitor packet without referencing the sk and leaving out a lot of details. Also, you may need sk43076: How to work with large traffic capture files !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

3 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2019-02-05 04:07 AM
Jump to solution

This is just an excerpt from sk39510: How to configure Wireshark to display Check Point FireWall chains in an FW Monitor packet without referencing the sk and leaving out a lot of details. Also, you may need sk43076: How to work with large traffic capture files !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Maarten_Sjouw
Champion
Champion
‎2019-02-05 08:16 AM
Jump to solution

Gunther,

I have written and posted this text on CPUG around august 2008, so if there is any referencing to be made it would be the other way around.

But to be frank, the way to view the packets as described above with colorization is not something they show in that SK.

Regards, Maarten
Thomas_Hesse
Participant
‎2022-12-14 06:04 AM
In response to Maarten_Sjouw
Jump to solution

You can import a file with the following text

----------------------------------------------------

@FW1-o@fw1.direction contains "o"@[51657,63993,51400][0,0,0]
@FW1-O@fw1.direction contains "O"@[36494,65535,46260][0,0,0]
@FW1-oe@fw1.direction contains "oe"@[0,65535,0][21845,0,65535]
@FW1-OE@fw1.direction contains "OE"@[0,57825,0][21845,0,65535]
@FW1-i@fw1.direction contains "i"@[64764,55255,65535][0,0,0]
@FW1-I@fw1.direction contains "I"@[65535,43690,65535][0,0,0]
@FW1-id@fw1.direction contains "id"@[65535,21845,65535][21845,0,65535]
@FW1-ID@fw1.direction contains "ID"@[65535,0,65535][21845,0,65535]

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events