This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Hugo_vd_Kooij
Advisor
‎2017-10-20 12:16 AM

WireShark profile for `fw monitor`

I write a Wireshark profile to help you with reading `fw monitor` files.

I wrote a Dutch description on Wireshark Profiles and I guess the screenshots will be sufficient help to get you started for those not savvy in Dutch 😉

The Short English Version:

  1. Create a Dummy personal profile (Name it whatever you like)
  2. In WireShark, Goto Help => Folders and then proceed to your Personal Configuration directory
  3. Put the ZIP file in the Profiles directory and unpack it.
  4. Now you have your own Check Point profile that has coloring rules and some other smart things.

Feel free to mention any smart tricks with Wireshark you use the speed up reading `fw monitor` files.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
CheckPoint.zip
6 Replies
Hugo_vd_Kooij
Advisor
‎2017-10-20 01:02 AM

 WireShark profiles (Translated by Google) 

If some lines don't make sense in English. .... That's what you get from bot translators.

You can always try to learn Dutch 😉

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
Maarten_Sjouw
Champion
Champion
‎2017-10-20 01:59 PM

Wow, I see my post from 2008 on CPUG found it's way back again....

Regards, Maarten
PhoneBoy
Admin
Admin
‎2017-10-20 04:37 PM

Been a while since I've seen this.

Ofir_Shikolski
Employee Alumnus
Employee Alumnus
‎2017-10-22 12:09 AM

cool Smiley Happy

I even more like this one : Hugo's website: PowerShell, AD computers to Check Point objects  -> psCheckPoint Documentation  

0 Kudos
Hugo_vd_Kooij
Advisor
‎2022-07-28 12:46 AM
In response to Ofir_Shikolski

I found that in the PCAP file we loose something. If you run fw monitor on the screens you can see how things are picked up internally.

The first (i) will be part of the performance pack. And then you get a second (i) on the actual core that picks up the packet. On TCP this is only on the SYN packet. But on UDP this happens a lot more. 

It would be cool if fw monitor could be enhanced to put this information into comments if you use pcapng as output format.

Who should we buy strooopwafels to get this into a future version?

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    li.common.scroll-to.top