@PhoneBoy  @_Val_ 
Hello chaps, 🙂
Looking for some authoritative clarification please.

Cheers,

Don

Open an informative SR# with CP TAC !

🙂

I prefer to keep it here in Check Mates. Nice and lively. 😉

It's not actually hex, but it works similarly. There's only one character for that field. It goes 0 through 9, a through z. I'm not sure what happens if you have more than 34 kernel extensions (z would be after extension 34 or before 35). It might go to A through Z. Lowercase r would be before extension 27.

Thanks. 

Interesting that you call them extensions.

I think of them as kernel chain modules.

1. In the SK the -a switch is described and mentions the positions, implying that the numbers are relevant but not in special CP hex format. 

That might need a review for clarification. 

Is it documented anywhere that they are labeled by single character and the system/method?

https://support.checkpoint.com/results/sk/sk30583

Let's just say I'm intimately familiar with network kernels.

The first character in fw monitor's position data is coarse with just the four possible values. The second character gives you the exact number in the chain for finer positional information. I'm not really sure why this is represented as an ASCII character rather than as a raw byte. As features are enabled and disabled, extensions are attached to and detached from the network kernel, so the number of a given module can change.

I had to look it up, and the proper term for base 36 is actually "hexatrigesimal".

Yes, I confirmed with R&D that this is exactly what's happening.
When you use the -a switch, instead of the more familiar letters, you'll get chain position in hexatrigesimal format (base 36).
We'll get the SK updated.

@PhoneBoy to the rescue, as always! By the way, Im still laughing about this...so today, had a call with TAC for some weird routing issue and I bet guy was brand new to TAC (though he was pretty good), but he called you Paperboy when I mentioned your nickname about some other community post.

Paperboy, haha...though you have always been know as Phoneboy, so we will stick with that : - )

Andy

I've been called many things by many people. 😉

This is what I think of when I hear the name Paperboy:

Good one lol. 

I had that game!

If anyone on this planet can give you right answer to this, its probably @Timothy_Hall . I would look in his book which I have, but too busy now lol

Andy

In this case, and probably most others it is likely to be the hexatrigesimal system in the Kernel design.
I am not running QoS in this scenario.
Thanks @Bob_Zimmerman 

https://trustconverter.com/en/base-number-conversion/hexatrigesimal/hexatrigesimal-to-decimal.html

It's pretty easy to see the base-36 counting in a -p all capture taken on a lab firewall. I just did it on one of mine and I got i0 (sxl_state_check), i3 (sxl_lookup), i9 (ipopt_strip), ia (asm), ib (fw multik misc proto forwarding), ic (fw), Id (scv), Ie (offload_in), If (post_vm), Ig (pass_str), Ih (cpas), Ii (ipopt_res), Ij on the inbound leg. j (19) is after the last inbound extension. All the other capture points are at the input to the extension.

Then on the outbound, I have o0 (ipopt_strip), o1 (cpas), o2 (pass_str), o3 (asm), o4 (fw), O5 (post_vm), O6 (cpas), O7 (ipopt_res), Od. My outbound chain has 12 extensions, so d (13) is the capture point after the last one.

[Expert@DallasSA]# fw ctl chain
in chain (19):
	0: -7fffffff (0000000000000000) (00000000) SecureXL stateless check (sxl_state_check)
	1: -7ffffffe (0000000000000000) (00000000) SecureXL VPN before decryption (vpn_in_before_decrypt)
	2: -7ffffffd (0000000000000000) (00000000) SecureXL VPN after decryption (vpn_in_after_decrypt)
	3:         6 (0000000000000000) (00000000) SecureXL lookup (sxl_lookup)
	4:         7 (0000000000000000) (00000000) SecureXL QOS inbound (sxl_qos_inbound)
	5:         8 (0000000000000000) (00000000) SecureXL inbound (sxl_inbound)
	6:         9 (0000000000000000) (00000000) SecureXL medium path streaming (sxl_medium_path_streaming)
	7:        10 (0000000000000000) (00000000) SecureXL inline path streaming (sxl_inline_path_streaming)
	8:        11 (0000000000000000) (00000000) SecureXL Routing (sxl_routing)
	9: -7f800000 (ffffffff931903f0) (ffffffff) IP Options Strip (in) (ipopt_strip)
	10: - 1fffff8 (ffffffff9318dc40) (00000001) Stateless verifications (in) (asm)
	11: - 1fffff7 (ffffffff93121720) (00000001) fw multik misc proto forwarding
	12:         0 (ffffffff93d58910) (00000001) fw VM inbound  (fw)
	13:         2 (ffffffff93195900) (00000001) fw SCV inbound (scv)
	14:         5 (ffffffff92eb4880) (00000003) fw offload inbound (offload_in)
	15:        20 (ffffffff93d5c0f0) (00000001) fw post VM inbound  (post_vm)
	16:  7f730000 (ffffffff93224740) (00000001) passive streaming (in) (pass_str)
	17:  7f750000 (ffffffff93aaa0c0) (00000001) TCP streaming (in) (cpas)
	18:  7f800000 (ffffffff93190380) (ffffffff) IP Options Restore (in) (ipopt_res)
out chain (13):
	0: -7f800000 (ffffffff931903f0) (ffffffff) IP Options Strip (out) (ipopt_strip)
	1: - 1fffff0 (ffffffff93aa74d0) (00000001) TCP streaming (out) (cpas)
	2: - 1ffff50 (ffffffff93224740) (00000001) passive streaming (out) (pass_str)
	3: - 1f00000 (ffffffff9318dc40) (00000001) Stateless verifications (out) (asm)
	4:         0 (ffffffff93d58910) (00000001) fw VM outbound (fw)
	5:        10 (ffffffff93d5c0f0) (00000001) fw post VM outbound  (post_vm)
	6:  7f700000 (ffffffff93aa79c0) (00000001) TCP streaming post VM (cpas)
	7:  7f800000 (ffffffff93190380) (ffffffff) IP Options Restore (out) (ipopt_res)
	8:  7f900000 (0000000000000000) (00000000) SecureXL outbound (sxl_outbound)
	9:  7fa00000 (0000000000000000) (00000000) SecureXL QOS outbound (sxl_qos_outbound)
	10:  7fb00000 (0000000000000000) (00000000) SecureXL VPN before encryption (vpn_in_before_encrypt)
	11:  7fc00000 (0000000000000000) (00000000) SecureXL VPN after encryption (vpn_in_after_encrypt)
	12:  7fd00000 (0000000000000000) (00000000) SecureXL Deliver (sxl_deliver)

Admittedly, my firewall is R81.10, but R81.20 is not fundamentally different in this regard. I also haven't ever actually seen letters higher than r, so I'm speculating it goes to z. Seems like reasonable speculation to me, though.

The "fwmonitor (i/f side)" being down at 12 in Don's chain is related to why fw monitors now go i-i-I-o-O with an extra little-i. When you run one to the terminal instead of to a file, you can see the first little-i is in ppak_#. I think the number is a dispatcher thread ID, but I haven't looked into it in depth. The second little-i and all the other points are in fw_#, and the # is a CoreXL worker thread ID.

An fw monitor -p all in my terminal showing a SYN to the firewall and SYN-ACK response from the firewall:

[vs_0][ppak_0] eth1:i0 (SecureXL stateless check)[64]: 10.0.3.26 -> 10.0.1.253 (TCP) len=64 id=0
TCP: 62915 -> 443 .S.... seq=fb68e894 ack=00000000
[vs_0][ppak_0] eth1:i3 (SecureXL lookup)[64]: 10.0.3.26 -> 10.0.1.253 (TCP) len=64 id=0
TCP: 62915 -> 443 .S.... seq=fb68e894 ack=00000000
[vs_0][fw_1] eth1:i9 (IP Options Strip (in))[64]: 10.0.3.26 -> 10.0.1.253 (TCP) len=64 id=0
TCP: 62915 -> 443 .S.... seq=fb68e894 ack=00000000
[vs_0][fw_1] eth1:i10 (Stateless verifications (in))[64]: 10.0.3.26 -> 10.0.1.253 (TCP) len=64 id=0
TCP: 62915 -> 443 .S.... seq=fb68e894 ack=00000000
[vs_0][fw_1] eth1:i11 (fw multik misc proto forwarding)[64]: 10.0.3.26 -> 10.0.1.253 (TCP) len=64 id=0
TCP: 62915 -> 443 .S.... seq=fb68e894 ack=00000000
[vs_0][fw_1] eth1:i12 (fw VM inbound )[64]: 10.0.3.26 -> 10.0.1.253 (TCP) len=64 id=0
TCP: 62915 -> 443 .S.... seq=fb68e894 ack=00000000
[vs_0][fw_1] eth1:I13 (fw SCV inbound)[64]: 10.0.3.26 -> 10.0.1.253 (TCP) len=64 id=0
TCP: 62915 -> 443 .S.... seq=fb68e894 ack=00000000
[vs_0][fw_1] eth1:I14 (fw offload inbound)[64]: 10.0.3.26 -> 10.0.1.253 (TCP) len=64 id=0
TCP: 62915 -> 443 .S.... seq=fb68e894 ack=00000000
[vs_0][fw_1] eth1:I15 (fw post VM inbound )[64]: 10.0.3.26 -> 10.0.1.253 (TCP) len=64 id=0
TCP: 62915 -> 443 .S.... seq=fb68e894 ack=00000000
[vs_0][fw_1] eth1:I16 (passive streaming (in))[64]: 10.0.3.26 -> 10.0.1.253 (TCP) len=64 id=0
TCP: 62915 -> 443 .S.... seq=fb68e894 ack=00000000
[vs_0][fw_1] eth1:I17 (TCP streaming (in))[64]: 10.0.3.26 -> 10.0.1.253 (TCP) len=64 id=0
TCP: 62915 -> 443 .S.... seq=fb68e894 ack=00000000
[vs_0][fw_1] eth1:I18 (IP Options Restore (in))[64]: 10.0.3.26 -> 10.0.1.253 (TCP) len=64 id=0
TCP: 62915 -> 443 .S.... seq=fb68e894 ack=00000000
[vs_0][fw_1] eth1:I19 (Chain End)[64]: 10.0.3.26 -> 10.0.1.253 (TCP) len=64 id=0
TCP: 62915 -> 443 .S.... seq=fb68e894 ack=00000000
[vs_0][fw_1] eth1:o0 (IP Options Strip (out))[60]: 10.0.1.253 -> 10.0.3.26 (TCP) len=60 id=0
TCP: 443 -> 62915 .S..A. seq=54fb4a48 ack=fb68e895
[vs_0][fw_1] eth1:o1 (TCP streaming (out))[60]: 10.0.1.253 -> 10.0.3.26 (TCP) len=60 id=0
TCP: 443 -> 62915 .S..A. seq=54fb4a48 ack=fb68e895
[vs_0][fw_1] eth1:o2 (passive streaming (out))[60]: 10.0.1.253 -> 10.0.3.26 (TCP) len=60 id=0
TCP: 443 -> 62915 .S..A. seq=54fb4a48 ack=fb68e895
[vs_0][fw_1] eth1:o3 (Stateless verifications (out))[60]: 10.0.1.253 -> 10.0.3.26 (TCP) len=60 id=0
TCP: 443 -> 62915 .S..A. seq=54fb4a48 ack=fb68e895
[vs_0][fw_1] eth1:o4 (fw VM outbound)[60]: 10.0.1.253 -> 10.0.3.26 (TCP) len=60 id=0
TCP: 443 -> 62915 .S..A. seq=54fb4a48 ack=fb68e895
[vs_0][fw_1] eth1:O5 (fw post VM outbound )[60]: 10.0.1.253 -> 10.0.3.26 (TCP) len=60 id=0
TCP: 443 -> 62915 .S..A. seq=54fb4a48 ack=fb68e895
[vs_0][fw_1] eth1:O6 (TCP streaming post VM)[60]: 10.0.1.253 -> 10.0.3.26 (TCP) len=60 id=0
TCP: 443 -> 62915 .S..A. seq=54fb4a48 ack=fb68e895
[vs_0][fw_1] eth1:O7 (IP Options Restore (out))[60]: 10.0.1.253 -> 10.0.3.26 (TCP) len=60 id=0
TCP: 443 -> 62915 .S..A. seq=54fb4a48 ack=fb68e895
[vs_0][fw_1] eth1:O13 (Chain End)[60]: 10.0.1.253 -> 10.0.3.26 (TCP) len=60 id=0
TCP: 443 -> 62915 .S..A. seq=54fb4a48 ack=fb68e895

And an fw monitor without -p all showing the a similar SYN and SYN-ACK:

[vs_0][ppak_0] eth1:i[64]: 10.0.3.26 -> 10.0.1.253 (TCP) len=64 id=0
TCP: 63155 -> 443 .S.... seq=7ef1758f ack=00000000
[vs_0][fw_1] eth1:i[64]: 10.0.3.26 -> 10.0.1.253 (TCP) len=64 id=0
TCP: 63155 -> 443 .S.... seq=7ef1758f ack=00000000
[vs_0][fw_1] eth1:I[64]: 10.0.3.26 -> 10.0.1.253 (TCP) len=64 id=0
TCP: 63155 -> 443 .S.... seq=7ef1758f ack=00000000
[vs_0][fw_1] eth1:o[60]: 10.0.1.253 -> 10.0.3.26 (TCP) len=60 id=0
TCP: 443 -> 63155 .S..A. seq=b9e77874 ack=7ef17590
[vs_0][fw_1] eth1:O[60]: 10.0.1.253 -> 10.0.3.26 (TCP) len=60 id=0
TCP: 443 -> 63155 .S..A. seq=b9e77874 ack=7ef17590

Note that the capture without the -p all with output to the terminal doesn't show the detailed position indicator. If you capture to a file, it does record the detailed position. In my case, I get i3, ia, Ih, o1, O7.

Hi guys (@Don_Paterson, @Bob_Zimmerman)

A tip from me!

At the moment, the Wireshark plugin actually has a bug and displays the chain modules after 9 as ASCII.

--------

"fw monitor" is actually a debug command that can be used to analyse the packet flow in SecureXL and the Firewall kernel. What Check Point doesn't tell you in the manuals is, that this is actually a kernel debug.
You could also analyse this with the following commands and get much more info here:

For example with "fw ctl zdebug". Filters can be set as with fw monitor:
# fw ctl zdebug + fw conn -e "accept(host(8.8.8.8));"

Or if the debug buffer of 1MB is not enough, you can do a debug:

Session 1# fw ctl debug -m fw conn -e "accept(host(8.8.8.8));"
Session 1# fw ctl kdebug -f -T > /var/log/test.txt

Session 2# tail -f /var/log/test.txt

Here you can see all the real inspection points (ppak,i,I,o,O,...) and even more information about the connections.

For example, if you would like to have information about the NAT, you can do the following:

# fw ctl zdebug + fw conn xlate xltrc nat  -e "accept(host(8.8.8.8));"

Because "fw monitor", "fw ctl debug" and "fw ctl zdebug" are kernel debugs, you should always be a little careful from a performance point of view and don't forget to disable the debug if necessary;-). "fw ctl zdebug" and "fw monitor" automatically disable the debug.

If it is a bug, it's not one in Wireshark. Take a look at an fw monitor file with xxd and you can clearly see the position encoded as two bytes with ASCII character values:

[Expert@DallasSA]# xxd pAll.snoop 
0000000: 736e 6f6f 7000 0000 0000 0002 0000 0004  snoop...........
0000010: 0000 004e 0000 004e 0000 0068 0000 0000  ...N...N...h....
0000020: 6535 2794 0008 c5ef 6930 6574 6831 0000  e5'.....i0eth1..
0000030: 3030 6630 0800 4500 0040 0000 4000 3f06  00f0..E..@..@.?.
0000040: 22a2 0a00 031a 0a00 01fd c229 01bb 34a5  "..........)..4.
0000050: 1a05 0000 0000 b002 ffff 1328 0000 0204  ...........(....
0000060: 2300 0103 0306 0101 080a 295f b183 0000  #.........)_....
0000070: 0000 0402 0000 0000 0000 004e 0000 004e  ...........N...N
0000080: 0000 0068 0000 0000 6535 2794 0008 c5fa  ...h....e5'.....
0000090: 6933 6574 6831 0000 3030 6630 0800 4500  i3eth1..00f0..E.
00000a0: 0040 0000 4000 3f06 22a2 0a00 031a 0a00  .@..@.?.".......
00000b0: 01fd c229 01bb 34a5 1a05 0000 0000 b002  ...)..4.........
00000c0: ffff 1328 0000 0204 2300 0103 0306 0101  ...(....#.......
00000d0: 080a 295f b183 0000 0000 0402 0000 0000  ..)_............
00000e0: 0000 004e 0000 004e 0000 0068 0000 0000  ...N...N...h....
00000f0: 6535 2794 0008 c6a4 6939 6574 6831 0000  e5'.....i9eth1..
0000100: 3030 6630 0800 4500 0040 0000 4000 3f06  00f0..E..@..@.?.
0000110: 22a2 0a00 031a 0a00 01fd c229 01bb 34a5  "..........)..4.
0000120: 1a05 0000 0000 b002 ffff 1328 0000 0204  ...........(....
0000130: 2300 0103 0306 0101 080a 295f b183 0000  #.........)_....
0000140: 0000 0402 0000 0000 0000 004e 0000 004e  ...........N...N
0000150: 0000 0068 0000 0000 6535 2794 0008 c6a9  ...h....e5'.....
0000160: 6961 6574 6831 0000 3030 6630 0800 4500  iaeth1..00f0..E.

Offset 0x28:2: 0x6930

Offset 0x90:2: 0x6933

Offset 0xf8:2: 0x6939

Offset 0x160:2: 0x6961

In ASCII, 0x30 to 0x39 are digits 0 through 9, 0x41 through 0x5a are uppercase A through Z, and 0x61 through 0x7a are lowercase a through z. You can see this without consulting an ASCII table in the ASCII decode of the raw bytes on the right. If the second byte wasn't meant to be interpreted as ASCII, why use ASCII values, including the big discontinuity from 0x39 to 0x61?

IP addresses are represented as raw values, as you can see as offset 0x32:8. 0x0a00031a decoded as a dotted decimal IP address corresponds to 10.0.3.26, which is my client. 0x0a0001fd corresponds to 10.0.1.253, which is this standalone's address.

@Bob_Zimmerman absolutely right. The ASCII letters are inserted here. 

30 =  0 ...  33 = 3  ...  39 = 9 ... 61 = a

There are only two possibilities to replace the ASCII values:

1) In "fw monitor" by using INT numbers
    0,1,2,3,...,10,11,...

2) Convert the ASCII letters into numbers in Wireshark plugin.
    (30 =0     31 = 1   ...     61 = 10      62 = 11  ...
    Of course, this is not clean programming but it would work.

But I think it's something for the TAC.

Thanks Heiko,

I think there is a missing -m (before fw) in the first example and in the NAT example command and the command format is not valid, not in R81.20 anyway.

fw monitor is hard for me to understand/see as a kernel debug but at the same time the Inspect filters are inserted into the Kernel chain, so...
Also, it seems like the term debug can be used to describe packets captures in general.

I looked for changes in the output of 'fw ctl debug' while running your recommended commands.
That was to see if there was a change in module debug options.
I did not see any.
That is not to say that it is not a Kernel debug. I just wanted to see if there were changes in Kernel debug options when fw monitor was running. I had never seen any or looked for them before.

I did all the testing on R81.20 Build 703.
As Tim identified, I am using the standard ATC lab, and that is because it is a nice common reference and the easiest environment for me to access quickly and test 🙂
I switched all blades off except for fw, ia and mntr. Policy is any any any accept.

Regarding your recommended command:
fw ctl debug -m fw conn -e "accept(host(8.8.8.8));"

The command is not valid and does not work for me.
This one does:
fw ctl debug -e "accept(host(8.8.8.8));" -m fw + conn

-m is probably not needed because of zdebug mostly focusing on Kernel Module fw (unless the 'all' option is used).

Further filtering is probably also good for the example command, e.g.:
fw ctl debug -e "accept(host(8.8.8.8) and host(192.168.10.55));" -m fw + conn
or
fw ctl debug -e "accept(host(8.8.8.8) and port(80));" -m fw + conn

That could help to avoid excessive debug output for more ports and sources and destinations than required.

Maybe this is a better and more modern approach:
fw ctl zdebug -F "10.1.1.201,0,192.168.12.101,80,0" -m fw + conn

It sets up all the filters and then interpreting this stuff is not needed:
https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityGateway_Guide/Conten...

That is all shown in a nice table output in the first lines of output after running the command.
In the -e examples it does not show filters used.

The output may be double or triple the number of lines (2x or 3x more than an fw monitor output for traffic in only one direction).
It contains a lot of interesting information but maybe too much for just packet monitoring/viewing.
The performance impact looks to be more than double that of a fw monitor.

Otherwise, this is purely about packets and is less output for a simple connection establishment:
fw monitor -F "10.1.1.201,0,192.168.12.101,80,0"
or
fw monitor -F "10.1.1.201,0,192.168.12.101,80,0" -F "192.168.12.101,80,10.1.1.201,0,0"

And that takes us back to all the chain position letters in the output. 🙂

Still have to digest all of the recent replies from Friday and the weekend.

Thanks everyone!

Let's see if I can contact the wireshark coder for this. There were some improvements in the parser in Wireshark after I shared some relevant notes with the coder in the past. That was about parsing information from CPHA packets.This thread and the updated SK30583 will help. I am not the best coder but I can explain stuff 😉