796570686578
Contributor

R80.40, fw monitor -F not capturing HTTP/Get & OK ?

Hello everyone,

I am currently trying to get a better understanding on how "fw monitor" works and how to use it. For that, I am currently comparing output from R80.10 and R80.40(take_67) in my Lab.

I am capturing http traffic from Host A to Webserver B . My topology looks like this:

Webserver B ---- FW R80.10  ---- FW R80.40 ---- Host A

Webserver B IP: 192.168.1.100

Host A: 172.16.10.150 - NAT to 67.83.0.1(FW R80.40)

I am capturing the traffic from Host A to Webserver B in both directions on both Gateways.

On R80.10 I disabled SecureXL to capture accelerated packets as well, and on R80.40 I am using the -F flag to capture accelerated and non-accelerated traffic.

It works to a certain point, but I am running into an issue which I haven't found a solution for so far.

I can see the 3-way handshake in both captures; on R80.10 I see the HTTP/Get & OK, but on R80.40 it is not being captured...

These are the filters I am using:

R80.10:

fwaccel off

fw monitor -e "accept (src=67.83.0.1 and dst=192.168.1.100) or (src=192.168.1.100 and dst=67.83.0.1);" -o fwmonR8010AccCap.pcap


R80.40:

fw monitor -F "172.16.10.150,0,192.168.1.100,80" -F "192.168.1.100,80,67.83.0.1,0" -o fwmonR8040AccCap.pcap
 
Can you tell me what I am doing wrong or missing here?
Thank you very much!!
 
greeting,
con


8 Replies
PhoneBoy
Admin

Pretty sure you use the same syntax that you used in R80.10 on R80.40.
However, will admit the SK isn’t that clear on this.

See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

796570686578
Contributor

Hey PhoneBoy,

thanks for your help! Unfortunately, this didn't show different results.

I have used the equivalent syntax on R80.40 as I did on R80.10 and still didn't capture the HTTP messages. I also disabled SecureXL beforehand on R80.40.

When using the -e Flag on R80.40 it actually says in the output: 

*** Using "-e" filter will not monitor accelerated traffic. To monitor and filter accelerated traffic please use the "-F" filter ***

I was able to start the capture but again only saw 3-Way HS & PSH,ACKs on R80.40 while on R80.10 I was able to capture the http packets.


I also read the SK, thanks for sharing it. What I gathered from it is that since R80.40, accelerated traffic will be captured by default and the "-F" flag can be used for that.

  • In R80.40, Default behavior will be to monitor all traffic.
  • Since R80.20 Jumbo take 73, using the "-e" flag will not filter accelerated traffic (all accelerated traffic will be monitored). To Filter accelerated traffic use the "-F" flag (exists from Jumbo take 73)
  • Since R80.20 Jumbo take 117, using the "-e" flag will filter out all accelerated traffic. To filter and monitor Accelerated traffic use "-F" (exists from Jumbo take 73)


From the R80.40 Admin Guide: 
"-F" - Specifies the capture filter (for both accelerated and non-accelerated traffic)


The more I read about it, the more I am convinced that it is not working as intended or I am making some major mistakes.

Summary of capture Filters I have used so far on R80.40:

  • fw monitor
    • -F "172.16.10.150,0,192.168.1.100,80" -F "192.168.1.100,80,67.83.0.1,0"
    • -F "0,0,0,0,0" <- Capture everything
    • -F "172.16.10.150,0,192.168.1.100,0" -F "192.168.1.100,0,67.83.0.1,0" <- Capture all traffic between 2 hosts
    • -e "accept (src=172.16.10.150 and dst=192.168.1.100) or (src=192.168.1.100 and dst=67.83.0.1) or (src=67.83.0.1 and dst=192.168.1.100);"
    • -e "accept;" <- Capture everything

I really like the idea of capturing accelerated traffic without the need to disable SecureXL on the whole system. I will test this with other protocols as well and report back my findings 🙂

_Val_
Admin

I suspect even after disabling SecureXL, traffic is being accelerated: sk162492. In essence, you cannot disable SXL in R80.20 and above completely.

What to do to make sure no accelerated traffic is passing?

  • Disable acceleration on both cluster members
  • Fail over
  • Run traces on the new active member
796570686578
Contributor

Good Morning Val!

Sorry, I might not have expressed my issue correctly. It's not that accelerated traffic isn't passing, it works fine. The issue is, that I am not able to capture it (No HTTP/Get & OK packets) with the -F filter. So I just tested it with the -e Flag as PhoneBoy suggested.

I will do a Fail over later and report back!

Maarten_Sjouw
Champion

You can replace -e "accept (src=172.16.10.150 and dst=192.168.1.100) or (src=192.168.1.100 and dst=67.83.0.1) or (src=67.83.0.1 and dst=192.168.1.100);" with this:

-e "accept (host(192.168.1.100) AND host(172.16.10.150)) OR (host(192.168.1.100) AND host(67.83.0.1));"

Regards, Maarten
796570686578
Contributor

Hey Maarten,

thanks for that. Great way to simplify it and much easier to read! Thanks a lot 🙂


Václav_Brožík
Contributor

You can replace -e "accept (host(192.168.1.100) AND host(172.16.10.150)) OR (host(192.168.1.100) AND host(67.83.0.1));" with this:

-e "accept host(192.168.1.100) and (host(172.16.10.150) or host(67.83.0.1));"
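
To make the two filter styles in this thread concrete, here is a small added example (my own code, not from the thread, from Check Point, or from fw monitor itself). It models a "src,sport,dst,dport[,proto]" tuple filter with 0 as a wildcard, the way the "-F" filters above are written, and the direction-agnostic host() expressions from Maarten's and Václav's replies, and runs both over a constructed HTTP GET/OK pair as it would look before and after the hide NAT on FW R80.40 (Host A 172.16.10.150 hidden behind 67.83.0.1). The packet samples, the port numbers, the pre-/post-NAT views and the assumption that hide NAT leaves the source port unchanged are all constructed for illustration; the example says nothing about the "-w" behaviour the original poster later found.

```python
"""Added example, not code from the thread or from Check Point.

Models how a tuple capture filter ("src,sport,dst,dport[,proto]", 0 = any)
and a host()-style expression select packets on a gateway that hides
Host A 172.16.10.150 behind 67.83.0.1. All packets below are constructed.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple

TCP = 6


@dataclass(frozen=True)
class Packet:
    view: str      # constructed label: "pre-NAT" or "post-NAT" on FW R80.40
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    name: str


# Constructed sample: one HTTP GET from Host A and its reply, each as it looks
# before and after the hide-NAT translation (source port assumed unchanged).
SAMPLE = [
    Packet("pre-NAT", "172.16.10.150", 41000, "192.168.1.100", 80, TCP, "GET pre-NAT"),
    Packet("post-NAT", "67.83.0.1", 41000, "192.168.1.100", 80, TCP, "GET post-NAT"),
    Packet("pre-NAT", "192.168.1.100", 80, "67.83.0.1", 41000, TCP, "OK pre-NAT"),
    Packet("post-NAT", "192.168.1.100", 80, "172.16.10.150", 41000, TCP, "OK post-NAT"),
]

Tuple5 = Tuple[str, int, str, int, int]


def parse_tuple_filter(spec: str) -> Tuple5:
    """Parse 'src,sport,dst,dport[,proto]'; a missing proto is taken as 0 (any)."""
    parts = [p.strip() for p in spec.split(",")]
    if len(parts) == 4:
        parts.append("0")
    if len(parts) != 5:
        raise ValueError(f"expected 4 or 5 fields: {spec!r}")
    src, sport, dst, dport, proto = parts
    return (src, int(sport), dst, int(dport), int(proto))


def tuple_matches(flt: Tuple5, pkt: Packet) -> bool:
    """A field of 0 (or '0' for an address) matches anything."""
    src, sport, dst, dport, proto = flt
    return ((src == "0" or src == pkt.src)
            and (sport == 0 or sport == pkt.sport)
            and (dst == "0" or dst == pkt.dst)
            and (dport == 0 or dport == pkt.dport)
            and (proto == 0 or proto == pkt.proto))


def captured_by_tuples(specs: List[str], packets=SAMPLE) -> List[str]:
    """Names of packets that at least one of several tuple specs selects."""
    flts = [parse_tuple_filter(s) for s in specs]
    return [p.name for p in packets if any(tuple_matches(f, p) for f in flts)]


# The "-e" style expressions from the thread, written as Python predicates.
def host(ip: str) -> Callable[[Packet], bool]:
    """host(ip) is true when ip is the source OR the destination."""
    return lambda p: p.src == ip or p.dst == ip


def srcdst(src: str, dst: str) -> Callable[[Packet], bool]:
    return lambda p: p.src == src and p.dst == dst


# Original poster's three directional src/dst clauses
original = lambda p: (srcdst("172.16.10.150", "192.168.1.100")(p)
                      or srcdst("192.168.1.100", "67.83.0.1")(p)
                      or srcdst("67.83.0.1", "192.168.1.100")(p))
# Maarten's form: (host(B) AND host(A)) OR (host(B) AND host(A-NAT))
maarten = lambda p: ((host("192.168.1.100")(p) and host("172.16.10.150")(p))
                     or (host("192.168.1.100")(p) and host("67.83.0.1")(p)))
# Václav's factored form: host(B) and (host(A) or host(A-NAT))
vaclav = lambda p: host("192.168.1.100")(p) and (host("172.16.10.150")(p)
                                                 or host("67.83.0.1")(p))


def captured_by(pred: Callable[[Packet], bool], packets=SAMPLE) -> List[str]:
    return [p.name for p in packets if pred(p)]


if __name__ == "__main__":
    op_specs = ["172.16.10.150,0,192.168.1.100,80", "192.168.1.100,80,67.83.0.1,0"]
    print("OP tuple filters:", captured_by_tuples(op_specs))
    both_views = op_specs + ["67.83.0.1,0,192.168.1.100,80",
                             "192.168.1.100,80,172.16.10.150,0"]
    print("both NAT views :", captured_by_tuples(both_views))
    print("-e original    :", captured_by(original))
    print("-e host() form :", captured_by(vaclav))
```

Two things fall out of running it. The two tuple specs from the original post only name one NAT view of each direction (pre-NAT for the request, pre-NAT for the reply), so under the wildcard semantics modelled here they pass the packet only in the view that carries that address pair; naming both the real and the translated address for each direction covers all four views. And Maarten's and Václav's host() forms are equivalent to each other but broader than the original src/dst list, because host() does not care about direction: the list never mentions 192.168.1.100 → 172.16.10.150, whereas both host() forms accept it.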

796570686578
Contributor

I found the issue...😅

I had to use the "-w" flag as well in order to capture the GET & OK packets. I tried it with ftp as well, and when not using the "-w" flag, these packets are not captured. Weird hmmm..

So the syntax would be: fw monitor -w -F etc.

But at least it works now 🙂 

-w

When using -o/ -x flag, there is an option to print whole raw data of packet.

Note: Relevant for R80.20 from Jumbo Hotfix Accumulator for R80.20 (Take 73). Currently, not relevant for R80.30.


Thanks for your help!