cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post

Wireshark modification for FW Monitor files

This is the description of how Check Point used to modify Ethereal and called it CPEthereal, Ethereal has since moved on to become Wireshark.

To customize Wireshark to properly read and interpret FW Monitor files this is the way to do it:
From the Menu Edit choose Preferences, go to protocols Ethernet Select the ‘Attempt to interpret as Firewall-1 monitor file’ option

In the columns add a new column and name it Interface, from the possible fields choose “FW-1 monitor if/direction”

Now you will be able to properly read FW Monitor files but to make the result more readable you can also add some colorization rules by going to the View menu and choose the Coloring rules option

Add these new rules:


After creation move these rules to the top.

The result (this was a very old file capture on a Nokia):


Regards, Maarten.

Regards, Maarten
Tags (1)
2 Replies

Re: Wireshark modification for FW Monitor files

This is just an excerpt from sk39510: How to configure Wireshark to display Check Point FireWall chains in an FW Monitor packet without referencing the sk and leaving out a lot of details. Also, you may need sk43076: How to work with large traffic capture files !

Re: Wireshark modification for FW Monitor files

Gunther,

I have written and posted this text on CPUG around august 2008, so if there is any referencing to be made it would be the other way around.

But to be frank, the way to view the packets as described above with colorization is not something they show in that SK.

Regards, Maarten