Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Hugo_vd_Kooij
Advisor

WireShark profile for `fw monitor`

I write a Wireshark profile to help you with reading `fw monitor` files.

I wrote a Dutch description on Wireshark Profiles and I guess the screenshots will be sufficient help to get you started for those not savvy in Dutch 😉

The Short English Version:

  1. Create a Dummy personal profile (Name it whatever you like)
  2. In WireShark, Goto Help => Folders and then proceed to your Personal Configuration directory
  3. Put the ZIP file in the Profiles directory and unpack it.
  4. Now you have your own Check Point profile that has coloring rules and some other smart things.

Feel free to mention any smart tricks with Wireshark you use the speed up reading `fw monitor` files.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
6 Replies
Hugo_vd_Kooij
Advisor

 WireShark profiles (Translated by Google) 

If some lines don't make sense in English. .... That's what you get from bot translators.

You can always try to learn Dutch 😉

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
Maarten_Sjouw
Champion
Champion

Wow, I see my post from 2008 on CPUG found it's way back again....

Regards, Maarten
PhoneBoy
Admin
Admin

Been a while since I've seen this.

Ofir_Shikolski
Employee Alumnus
Employee Alumnus

0 Kudos
Hugo_vd_Kooij
Advisor

I found that in the PCAP file we loose something. If you run fw monitor on the screens you can see how things are picked up internally.

The first (i) will be part of the performance pack. And then you get a second (i) on the actual core that picks up the packet. On TCP this is only on the SYN packet. But on UDP this happens a lot more. 

It would be cool if fw monitor could be enhanced to put this information into comments if you use pcapng as output format.

Who should we buy strooopwafels to get this into a future version?

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events