dt7
Contributor

fw monitor -f vs -F understanding & questions

Dear all,

In order to troubleshoot an issue I need to capture traffic in the following way:

  1. Traffic between hosts A and B & A and C for ICMP only
  2. Traffic between hosts A and B & A and C for all protocols

The reason I want to capture this traffic is that I am troubleshooting a strange issue related to ICMP, but I would like to have a capture of all the protocols as well, in case nothing interesting shows up in the ICMP capture and it turns out to be related to something else.

So far I was planning to use -F to achieve this with two captures as follows:

  1. One ICMP capture for both pairs of hosts, using 4 instances of the -F parameter: fw monitor -F "a.a.a.a,0,b.b.b.b,0,1" -F "b.b.b.b,0,a.a.a.a,0,1" -F "a.a.a.a,0,c.c.c.c,0,1" -F "c.c.c.c,0,a.a.a.a,0,1" -o /<file to .cap>
  2. One all-protocols capture for both pairs of hosts, using another 4 instances of -F: fw monitor -F "a.a.a.a,0,b.b.b.b,0,0" -F "b.b.b.b,0,a.a.a.a,0,0" -F "a.a.a.a,0,c.c.c.c,0,0" -F "c.c.c.c,0,a.a.a.a,0,0" -o /<file to .cap>

However, I was wondering if I could achieve that within only one capture instead of two, since only one fw monitor can run at a time and I would ideally like to reduce the number of captures needed as much as possible, given my environment constraints. For that, I was looking at whether I could use -f with an INSPECT file instead.

Is it possible to capture both ICMP-only and all-protocols traffic using one -f INSPECT file? I believe not, but if somebody could help validate that. In addition, from what I understand, using -e or -f does not apply to accelerated traffic; in that case, would it be more recommended for me to just use -F, since I can't disable acceleration in my case for the capture?

I also seem to have another strange problem when testing my filters using -f with a file: when I put my filters in the file and load it with -f, it does not seem to work (it captures all traffic), but if I use the same filter in a -e expression, it works as expected.

For example, if I put the below in a file and load it via fw monitor -f <path to file>

#include "fwmonitor.def"

ip_p=1, ((src=a.a.a.a , dst=b.b.b.b) or (src=b.b.b.b , dst=a.a.a.a) or (src=a.a.a.a , dst=c.c.c.c) or (src=c.c.c.c , dst=a.a.a.a)), accept;

(I tried with accept at the beginning or end of the line, same results).

It does not seem to work and all traffic is shown. But if I do fw monitor -e "accept ip_p=1, ((src=a.a.a.a , dst=b.b.b.b) or (src=b.b.b.b , dst=a.a.a.a) or (src=a.a.a.a , dst=c.c.c.c) or (src=c.c.c.c , dst=a.a.a.a));"

Lastly, when using -F, the last parameter (protocol number), when set to 0, captures all traffic. But when using ip_p=0 it does not seem to do so; I guess that to achieve the same and capture all protocols when using -e or -f, you just don't specify a protocol.

Apologies if some of the questions seem basic, but I have not played with fw monitor a lot, so I am trying to get a better understanding of it and apply it to my situation to be more efficient.

Thank you for reading.
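As an added illustration of the -F semantics discussed in the post (this is editor-written example code, not Check Point's fw monitor implementation or anything from the original post), the script below models a -F filter as the five-field string "src,sport,dst,dport,proto" and treats 0 in any field as "any", which extends the post's own use of 0 for the port and protocol fields; that wildcard assumption is labelled in the code. It builds the bidirectional filter set for host A against peers B and C, ORs the filters the way several -F arguments combine, and runs them over a small set of constructed packets so you can see that the protocol-1 set keeps only ICMP between the named pairs while the protocol-0 set keeps every protocol between those pairs (and nothing to other hosts). The host addresses, the packet list and the output path are constructed values.

```python
"""Model of fw monitor -F host/protocol filtering (editor example, not Check Point code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int  # IP protocol number: 1 = ICMP, 6 = TCP, 17 = UDP


@dataclass(frozen=True)
class FFilter:
    """One -F argument: src,sport,dst,dport,proto (ports/proto as ints)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: int

    @classmethod
    def parse(cls, spec: str) -> "FFilter":
        parts = [p.strip() for p in spec.split(",")]
        if len(parts) != 5:
            raise ValueError(f"-F needs 5 comma-separated fields, got {spec!r}")
        return cls(parts[0], int(parts[1]), parts[2], int(parts[3]), int(parts[4]))

    def matches(self, pkt: Packet) -> bool:
        # Assumption of this model: 0 (or "0" for an address) means "any" in every field.
        def any_or_eq(want, have):
            return want in (0, "0") or want == have

        return (any_or_eq(self.src, pkt.src) and any_or_eq(self.sport, pkt.sport)
                and any_or_eq(self.dst, pkt.dst) and any_or_eq(self.dport, pkt.dport)
                and any_or_eq(self.proto, pkt.proto))


def build_f_specs(host: str, peers, proto: int):
    """Both directions between `host` and each peer, ports left as any (0)."""
    specs = []
    for peer in peers:
        specs.append(f"{host},0,{peer},0,{proto}")
        specs.append(f"{peer},0,{host},0,{proto}")
    return specs


def command_line(specs, outfile: str) -> str:
    """Render the fw monitor invocation that the specs correspond to."""
    return "fw monitor " + " ".join(f'-F "{s}"' for s in specs) + f" -o {outfile}"


def captured(specs, packets):
    """Several -F arguments are ORed: a packet is kept if any filter matches it."""
    filters = [FFilter.parse(s) for s in specs]
    return [p for p in packets if any(f.matches(p) for f in filters)]


# Constructed sample hosts and traffic (not real addresses or captures).
HOST_A, HOST_B, HOST_C, HOST_D = "10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.9"
PACKETS = [
    Packet(HOST_A, 0, HOST_B, 0, 1),          # ICMP A -> B
    Packet(HOST_B, 0, HOST_A, 0, 1),          # ICMP B -> A
    Packet(HOST_A, 51000, HOST_C, 443, 6),    # TCP  A -> C
    Packet(HOST_C, 53, HOST_A, 40000, 17),    # UDP  C -> A
    Packet(HOST_A, 0, HOST_D, 0, 1),          # ICMP to an unrelated host
]


def icmp_only():
    return captured(build_f_specs(HOST_A, [HOST_B, HOST_C], 1), PACKETS)


def all_protocols():
    return captured(build_f_specs(HOST_A, [HOST_B, HOST_C], 0), PACKETS)


if __name__ == "__main__":
    print(command_line(build_f_specs(HOST_A, [HOST_B, HOST_C], 1), "/tmp/icmp.cap"))
    print("ICMP-only filter keeps:", len(icmp_only()), "packets")
    print("Protocol-0 filter keeps:", len(all_protocols()), "packets")
```

Note that in this model the protocol-0 set is a strict superset of the protocol-1 set for the same host pairs, which is just the consequence of 0 acting as a wildcard; the model says nothing about -e/-f INSPECT filters or about accelerated traffic, which the post raises as separate questions.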