How to read packet-captured file by fw monitor: R81.20 open server
Hi all,
I am testing how DLP works by FTPing a text file containing a non-existent organization identity.
The test itself turned out to be successful, apart from the point that CP does not produce any alert mail.
I configured it with SmartDashboard to use an internal AlmaLinux mail server.
In order to make the problem clear, I first tried fw monitor on the CP where DLP is working,
restaging the same scenario.
The console says something, so I read the captured file with cat, only to find it not human-friendly.
That is what I am having trouble with.
The two points I would like to make clear follow:
1. Is a fw monitor file supposed to be analysed with Wireshark? If so, is there any specific procedure to
make it Wireshark-readable?
2. What else do you suggest I should check in this case?
I have only a few months' experience of CP and Linux systems.
Therefore, your personal experience as well as documentation would be much appreciated.
Thanks in advance,
Shuto
Accepted Solutions
I assume you followed the sk on this topic (referenced in the thread @AkosBakos pointed to): https://support.checkpoint.com/results/sk/sk39510
What precise fw monitor syntax did you use to capture the traffic?
Also, what version/JHF, since that does matter to a degree.
The reason that you are experiencing difficulty is that fw monitor writes its raw packet capture output (via -o) in Sun snoop format, whereas tcpdump via -w saves it in pcap format. There is no way I know of to "replay" or make human readable a raw fw monitor capture file from the CLI of Gaia, unless you want to feed it to something like cpmonitor (sk103212) for statistical analysis. pcap captures can be replayed by tcpdump, but tcpdump does not understand snoop format. In the old days on Solaris the snoop command itself could be used to replay these captures, but that command is long gone. Wireshark has to be used now as it can still decode snoop format.
sk39510 and such only talk about how to display the iIoO capture points in Wireshark and adjust the colorization to adapt to the same packet being shown more than once. This is all covered in my Max Capture: Know Your Packets self-guided video course.
Exclusively at CPX 2025 Las Vegas Tuesday Feb 25th @ 1:00pm
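The explanation above is the key to the whole thread: the file fw monitor writes with -o is a Sun snoop capture, and tcpdump on Gaia cannot replay it. Two practical consequences follow. First, renaming the file to .pcap changes nothing by itself; Wireshark identifies a capture by its magic bytes, not by its extension, so a renamed snoop file opens because Wireshark still recognises snoop, not because of the new name. Second, when Wireshark is not at hand, the snoop file can be rewritten as classic pcap, after which tcpdump -nr can filter it for port 25 on the gateway itself. The script below is an added example, not code from the thread or from Check Point. It follows RFC 1761 for the snoop layout and the libpcap savefile layout for pcap, assumes snoop version 2 with datalink code 4 (Ethernet) and rejects anything else rather than guessing, and copies every frame byte for byte, so whatever fw monitor places in the link-layer header survives for Wireshark to interpret as sk39510 describes. The two frames at the bottom are constructed sample input (a SYN and SYN-ACK to port 25 between the addresses used in this thread), not real fw monitor output.

```python
"""snoop2pcap: read a Sun snoop capture (the format fw monitor -o writes) and
re-emit it as classic pcap so tcpdump/tshark can replay it on Gaia or any
Linux host.  Added example, not code from the CheckMates thread or from
Check Point.  Record layouts follow RFC 1761 (snoop) and the libpcap
savefile format.  The sample frames below are constructed, not captured.
"""
import struct
import sys

SNOOP_MAGIC = b"snoop\x00\x00\x00"
PCAP_MAGIC = 0xA1B2C3D4
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"
SNOOP_ETHERNET = 4        # RFC 1761 datalink code for Ethernet
LINKTYPE_ETHERNET = 1     # libpcap LINKTYPE_ETHERNET


def sniff_format(data):
    """Classify a capture by its magic bytes, as Wireshark does; the file
    extension (.cap, .pcap, .snoop) plays no part in the decision."""
    if data.startswith(SNOOP_MAGIC):
        return "snoop"
    if data[:4] in (b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4"):
        return "pcap"
    if data.startswith(PCAPNG_MAGIC):
        return "pcapng"
    return "unknown"


def parse_snoop(data):
    """Return (datalink, records); each record is (sec, usec, orig_len, frame)."""
    if not data.startswith(SNOOP_MAGIC):
        raise ValueError("not a snoop file")
    version, datalink = struct.unpack(">II", data[8:16])   # snoop is big-endian
    if version != 2:
        raise ValueError("unsupported snoop version %d" % version)
    records, off = [], 16
    while off + 24 <= len(data):
        orig_len, incl_len, rec_len, _drops, sec, usec = struct.unpack(
            ">IIIIII", data[off:off + 24])
        # rec_len covers the 24-byte header, the frame and the pad to a
        # 4-byte boundary; it is the only safe way to reach the next record.
        if rec_len < 24 + incl_len or off + rec_len > len(data):
            raise ValueError("corrupt or truncated record at offset %d" % off)
        records.append((sec, usec, orig_len, data[off + 24:off + 24 + incl_len]))
        off += rec_len
    return datalink, records


def snoop_to_pcap(data, snaplen=65535):
    """Convert snoop bytes to classic little-endian pcap bytes, frames untouched."""
    datalink, records = parse_snoop(data)
    if datalink != SNOOP_ETHERNET:
        raise ValueError("no LINKTYPE mapping for snoop datalink %d" % datalink)
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for sec, usec, orig_len, frame in records:
        out.append(struct.pack("<IIII", sec, usec, len(frame), orig_len))
        out.append(frame)
    return b"".join(out)


def parse_pcap(data):
    """Minimal pcap reader used to verify the round trip: (linktype, records)."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    records, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl_len, orig_len = struct.unpack("<IIII", data[off:off + 16])
        records.append((sec, usec, orig_len, data[off + 16:off + 16 + incl_len]))
        off += 16 + incl_len
    return linktype, records


def build_sample_snoop(frames, datalink=SNOOP_ETHERNET):
    """Constructed test input: wrap raw frames in a version-2 snoop file."""
    out = [SNOOP_MAGIC, struct.pack(">II", 2, datalink)]
    for i, frame in enumerate(frames):
        rec_len = (24 + len(frame) + 3) & ~3          # pad record to 4 bytes
        out.append(struct.pack(">IIIIII", len(frame), len(frame), rec_len,
                               0, 1700000000 + i, 250 * i))
        out.append(frame + b"\x00" * (rec_len - 24 - len(frame)))
    return b"".join(out)


# Constructed frames (not fw monitor output): Ethernet + IPv4 + TCP,
# SYN 10.11.1.1:50000 -> 10.31.10.110:25 and the SYN-ACK back.
SAMPLE_FRAMES = [
    bytes.fromhex("0000000000010000000000020800"
                  "45000028000100004006" "0000" "0a0b0101" "0a1f0a6e"
                  "c3500019" "00000000" "00000000" "50022000" "00000000"),
    bytes.fromhex("0000000000020000000000010800"
                  "45000028000200004006" "0000" "0a1f0a6e" "0a0b0101"
                  "0019c350" "00000000" "00000001" "50122000" "00000000"),
]

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: snoop2pcap.py <fw-monitor-capture> <out.pcap>")
    with open(sys.argv[1], "rb") as f:
        raw = f.read()
    kind = sniff_format(raw)
    if kind != "snoop":
        sys.exit("input is %s, not snoop; nothing to convert" % kind)
    with open(sys.argv[2], "wb") as f:
        f.write(snoop_to_pcap(raw))
```

Running `python3 snoop2pcap.py /var/log/fwmonitor fwmonitor.pcap` and then `tcpdump -nr fwmonitor.pcap 'tcp port 25'` is enough to confirm on the gateway whether any SMTP packets were captured at all, before the file ever reaches Wireshark; an empty tcpdump result points at the capture filter or the alert configuration, not at the file format.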
Hi Akos,
Thank you for sharing the link!
I did not know I could modify the configuration of Wireshark like that.
I will try testing it.
Saitoh
P.S.
I just tried extracting the file, made it .pcap and let Wireshark read it.
Wireshark shows what I expect to see, but it contains no SMTP traffic.
Anyway, I solved how to read the fw monitor file somehow.
(Any comments on this procedure are more than appreciated! I just extracted, renamed, and Wiresharked it. Is that good enough?)
Since it contains no SMTP traffic, there are two possible causes:
1. I simply mis-optioned the fw monitor command, resulting in capturing unrelated traffic.
2. Not enough is configured in association with alert mail.
Hi PhoneBoy,
I actually did not know that I had to make changes to the configuration of Wireshark.
I somehow surmised that a fw monitor capture should be analysable by Wireshark.
The syntax I used is as follows.
# fw monitor -d -ci 100 -co 100 -F "10.11.1.1,0" -F "10.31.10.110,25" -o /var/log/fwmonitor -w
Also, R81.20 build 631 with Accumulator T76 and T53 installed.
Saitoh
Hi Tim,
Thanks for the highly detailed explanation!
This helps me a lot, as it contains terms I had not seen before. I have learnt new things!
Other community members are also telling me that I can actually analyse a fw monitor capture by adjusting Wireshark a little.
So I am going to start from that point to make clear whether I did not see any SMTP packets because I misconfigured CP or mis-syntaxed fw monitor.
Saitoh
Dear all who thankfully helped me a lot,
The cause of why CP does not produce any alert email is still unclear, and
somehow my test environment is not working as I expect.
Therefore I will recreate it and test the alert mail function another way than with DLP.
Even though I was not able to find out the root cause,
your comments are really instructive in light of the format of the fw monitor-captured file.
(Especially the snoop format is intriguing to me, since I had never heard of it!)
Much appreciated to three legends: @AkosBakos, @PhoneBoy, @Timothy_Hall!
Thanks to your advice I successfully opened the fw monitor capture file in Wireshark and analysed it.
There was SMTP negotiation observed, so perhaps I should check the CP config in detail.
Saitoh