Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Maarten_Sjouw
Champion
Champion
Jump to solution

Wireshark modification for FW Monitor files

This is the description of how Check Point used to modify Ethereal and called it CPEthereal, Ethereal has since moved on to become Wireshark.

To customize Wireshark to properly read and interpret FW Monitor files this is the way to do it:
From the Menu Edit choose Preferences, go to protocols Ethernet Select the ‘Attempt to interpret as Firewall-1 monitor file’ option

In the columns add a new column and name it Interface, from the possible fields choose “FW-1 monitor if/direction”

Now you will be able to properly read FW Monitor files but to make the result more readable you can also add some colorization rules by going to the View menu and choose the Coloring rules option

Add these new rules:


After creation move these rules to the top.

The result (this was a very old file capture on a Nokia):


Regards, Maarten.

Regards, Maarten
1 Solution

Accepted Solutions
G_W_Albrecht
Legend Legend
Legend

This is just an excerpt from sk39510: How to configure Wireshark to display Check Point FireWall chains in an FW Monitor packet without referencing the sk and leaving out a lot of details. Also, you may need sk43076: How to work with large traffic capture files !

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

3 Replies
G_W_Albrecht
Legend Legend
Legend

This is just an excerpt from sk39510: How to configure Wireshark to display Check Point FireWall chains in an FW Monitor packet without referencing the sk and leaving out a lot of details. Also, you may need sk43076: How to work with large traffic capture files !

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Maarten_Sjouw
Champion
Champion

Gunther,

I have written and posted this text on CPUG around august 2008, so if there is any referencing to be made it would be the other way around.

But to be frank, the way to view the packets as described above with colorization is not something they show in that SK.

Regards, Maarten
Thomas_Hesse
Participant

You can import a file with the following text

----------------------------------------------------

@FW1-o@fw1.direction contains "o"@[51657,63993,51400][0,0,0]
@FW1-O@fw1.direction contains "O"@[36494,65535,46260][0,0,0]
@FW1-oe@fw1.direction contains "oe"@[0,65535,0][21845,0,65535]
@FW1-OE@fw1.direction contains "OE"@[0,57825,0][21845,0,65535]
@FW1-i@fw1.direction contains "i"@[64764,55255,65535][0,0,0]
@FW1-I@fw1.direction contains "I"@[65535,43690,65535][0,0,0]
@FW1-id@fw1.direction contains "id"@[65535,21845,65535][21845,0,65535]
@FW1-ID@fw1.direction contains "ID"@[65535,0,65535][21845,0,65535]

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events