This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
saitoh
Participant
Thursday
Jump to solution

How to read packet-captured file by fw monitor:R81.20 open server

Hi all,

 

I am testing how DLP works by FTPing text file containing non-existent organization identity.

The test itself turned out to be successful, apart from the point CP does not produce any alert mail.

I configured it with SmartDashboard to use internal AlmaLinux mail server.

 

In order to make the problem clear, I firstly tried fw monitor on the CP where DLP is working,

restaging the same scenario.

The console says something, so I read the captured file by cat, only to find it not human-friendly.

 

That is what I am having trouble with.

The two points I would like to make clear follows;

1. fw monitor file is supposed to be analysed with Wireshark? If so is there any specific procedure to

make it Wireshark-readable?

2. What else do you suggest I should check  in this case?

 

I have only a few month experience of CP and Linux system.

Therefore, your personal experience as well as documentation would much appreciated.

 

Thanks in advance,

Shuto

sliver bullet: casting repero or tossing it into the harbor
Preview file
56 KB
0 Kudos
3 Solutions

Accepted Solutions
AkosBakos
Advisor
Friday
Jump to solution

Hi @saitoh 

Here is a discussion about this:

https://community.checkpoint.com/t5/General-Topics/Wireshark-modification-for-FW-Monitor-files/td-p/...

Check it!

Akos

----------------
\m/_(>_<)_\m/

View solution in original post

0 Kudos
(1)
PhoneBoy
Admin
Admin
Friday
In response to saitoh
Jump to solution

I assume you followed the sk on this topic (referenced in the thread @AkosBakos pointed to): https://support.checkpoint.com/results/sk/sk39510

What precise fw monitor syntax did you use the capture traffic?
Also; what version/JHF since that does matter to a degree.

View solution in original post

0 Kudos
(1)
Timothy_Hall
Legend Legend
Legend
Friday
In response to saitoh
Jump to solution

The reason that you are experiencing difficulty is that fw monitor writes its raw packet capture output (via -o) in Sun snoop format, whereas tcpdump via -w saves it in pcap format.  There is no way I know of to "replay" or make human readable a raw fw monitor capture file from the CLI of Gaia, unless you want to feed it to something like cpmonitor (sk103212) for statistical analysis.  pcap captures can be replayed by tcpdump, but tcpdump does not understand snoop format.  In the old days on Solaris the snoop command itself could be used to replay these captures, but that command is long gone.  Wireshark has to be used now as it can still decode snoop format.

sk39510 and such only talk about how to display the iIoO capture points in Wireshark and adjust the colorization to adapt to the same packet being shown more than once.  This is all covered in my Max Capture: Know Your Packets self-guided video course.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

View solution in original post

0 Kudos
(1)
8 Replies
AkosBakos
Advisor
Friday
Jump to solution

Hi @saitoh 

Here is a discussion about this:

https://community.checkpoint.com/t5/General-Topics/Wireshark-modification-for-FW-Monitor-files/td-p/...

Check it!

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
(1)
saitoh
Participant
yesterday
In response to AkosBakos
Jump to solution

Hi Akos,

 

Thank you for sharing the link!

I did not know I could modify the configuration of Wireshark like that.

I will try testing it.

 

Saitoh

sliver bullet: casting repero or tossing it into the harbor
0 Kudos
saitoh
Participant
Friday
Jump to solution

P.S.

I just tried extracting the file, made it .pcap and let Wireshark read it.

Wireshark shows what I expect to see, but it contains no smtp traffic.

 

Anyway I solve how to read fw monitored file somehow.

(Any comments to this procedure is more than appreciated! I just extracted, renamed, and Wiresharked it. Is that good enough?)

Since it contains no smtp traffic, there are two possible causes:

1. simply misoptioned fw monitor command, resulting in capturing non-related traffics.

2. not configured enough associated with alertmail

sliver bullet: casting repero or tossing it into the harbor
0 Kudos
PhoneBoy
Admin
Admin
Friday
In response to saitoh
Jump to solution

I assume you followed the sk on this topic (referenced in the thread @AkosBakos pointed to): https://support.checkpoint.com/results/sk/sk39510

What precise fw monitor syntax did you use the capture traffic?
Also; what version/JHF since that does matter to a degree.

0 Kudos
(1)
saitoh
Participant
yesterday
In response to PhoneBoy
Jump to solution

Hi PhoneBoy,

 

I actually did not know that I had to make changes to the configuration of Wireshark.

I somehow surmised fw monitor capture should be able to be analysed by Wireshark.

 

The syntax I used is as follows.

#fw monitor -d -ci 100 -co 100 -F “10.11.1.1,0” -F “10.31.10.110,25” -o /var/log/fwmonitor -w

 

Also, R81.20 built 631 with Accumulator T76, and T53 installed.

 

Saitoh

sliver bullet: casting repero or tossing it into the harbor
0 Kudos
Timothy_Hall
Legend Legend
Legend
Friday
In response to saitoh
Jump to solution

The reason that you are experiencing difficulty is that fw monitor writes its raw packet capture output (via -o) in Sun snoop format, whereas tcpdump via -w saves it in pcap format.  There is no way I know of to "replay" or make human readable a raw fw monitor capture file from the CLI of Gaia, unless you want to feed it to something like cpmonitor (sk103212) for statistical analysis.  pcap captures can be replayed by tcpdump, but tcpdump does not understand snoop format.  In the old days on Solaris the snoop command itself could be used to replay these captures, but that command is long gone.  Wireshark has to be used now as it can still decode snoop format.

sk39510 and such only talk about how to display the iIoO capture points in Wireshark and adjust the colorization to adapt to the same packet being shown more than once.  This is all covered in my Max Capture: Know Your Packets self-guided video course.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
(1)
saitoh
Participant
yesterday
In response to Timothy_Hall
Jump to solution

Hi Tim,

 

Thanks for the highly detailed explanation!

This helps me a lot as it contains the term I did not get to see. I have learnt new things!

 

Other community members are also telling me that I can actually analyse fw monitor capture by adjusting Wireshark a little.

So I am going to start that point to make it clear whether I did not see any smtp packet because I misconfigured CP or mis-syntaxed fw monitor.

 

Saitoh

sliver bullet: casting repero or tossing it into the harbor
0 Kudos
saitoh
Participant
4 hours ago
In response to saitoh
Jump to solution

Dear all that thankfully helped me a lot,

 

The cause why CP does not produce any alert email is still unclear, and

somehow my test environment is not working as I expect.

Therefore I recreate it, and test alert mail function the other way than DLP.

 

Even though I was not able to find out the root cause,

your comments are really instructive in light of the format of fw monitor-captured file.

(especially Snoop format is intriguing to me since I have never heard of it!)

 

Much appreciated to three legends; @AkosBakos , @PhoneBoy , @Timothy_Hall!

Thanks to your advice I successfully open fw monitor capture file by Wireshark and analysed it.

There is was smtp negotiation observed, so perhaps I should check CP config with detail.

 

Saitoh

sliver bullet: casting repero or tossing it into the harbor
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events