Known limitation. Quoted from above:
Attention! *Work in progress*
SuperTool will be further improved to support:
- full -F syntax (currently just filters all traffic)
The -F syntax isn't too tough to come up with on your own (-F srcIP,srcPort,dstIP,dstPort,IPProto), but just keep in mind some points mentioned in my Max Capture series:
- Up to five -F expressions can be utilized with one invocation of fw monitor -F, and the multiple expressions will be ORed together, not ANDed.
- Be very careful not to make a syntax error in your -F expression as doing so will give you an unfiltered capture without warning (essentially 0,0,0,0,0) which could impact the performance of the firewall. Note that wildcards such as "*" and "?" (and even things like "/24") are NOT supported and will be silently treated as a syntax error.
- A single -F tuple will only show you traffic in one direction (either the c2s or s2c flow), so the equivalent syntax for "host 1.2.3.4" is: fw monitor -F 1.2.3.4,0,0,0,0 -F 0,0,1.2.3.4,0,0
- Watch out for NATted traffic which can cause packets to "disappear" between certain inspection points after a NAT operation. Suppose a packet sourced from 192.168.1.50 on our inside network is connecting to Internet IP address 129.82.102.32 on TCP port 443. The source network 192.168.1.0/24 is Hide NATted behind address 63.55.55.1. To match and view the traffic of this connection in both directions, while also taking into consideration the pre-NAT and post-NAT addresses, our fw monitor -F filter would be the following (all on one line):
fw monitor -F 192.168.1.50,0,129.82.102.32,443,6 -F 63.55.55.1,0,129.82.102.32,443,6 -F 129.82.102.32,443,63.55.55.1,0,6 -F 129.82.102.32,443,192.168.1.50,0,6
Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
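Because a malformed -F expression silently degrades to an unfiltered 0,0,0,0,0 capture, it is worth checking the tuples before they ever reach a production gateway. The following is an added example, not code from the post or from Check Point: a small Python helper that validates each srcIP,srcPort,dstIP,dstPort,IPProto expression against the rules stated above (five fields, no wildcards or CIDR, numeric ports and protocol, at most five expressions per invocation), and builds the bidirectional and Hide-NAT filter sets from the post so the four tuples do not have to be typed by hand. The function and class names, and the IPv4-only assumption, are mine; the "0" wildcard semantics and the example addresses come from the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import Sequence

MAX_EXPRESSIONS = 5  # fw monitor ORs together at most five -F expressions


@dataclass(frozen=True)
class Tuple5:
    """One fw monitor -F expression; '0' in an IP field and 0 in a numeric field mean 'any'."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int

    def render(self) -> str:
        return f"{self.src_ip},{self.src_port},{self.dst_ip},{self.dst_port},{self.proto}"

    def reverse(self) -> "Tuple5":
        # -F only matches one direction, so the return flow needs its own tuple.
        return Tuple5(self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


def _check_ip(field: str, name: str) -> str:
    if field == "0":
        return field
    if any(c in field for c in "*?/"):
        raise ValueError(f"{name}: wildcards and CIDR masks are not supported in -F ({field!r})")
    try:
        ipaddress.IPv4Address(field)  # assumption: IPv4 addresses only
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"{name}: not a dotted-quad IPv4 address ({field!r})") from exc
    return field


def _check_num(field: str, name: str, upper: int) -> int:
    if not field.isdigit():
        raise ValueError(f"{name}: must be a decimal integer ({field!r})")
    value = int(field)
    if value > upper:
        raise ValueError(f"{name}: {value} exceeds {upper}")
    return value


def parse_expression(expr: str) -> Tuple5:
    """Parse one 'srcIP,srcPort,dstIP,dstPort,IPProto' string.

    Raises ValueError for anything fw monitor would silently treat as a
    syntax error and therefore as an unfiltered capture.
    """
    parts = expr.strip().split(",")
    if len(parts) != 5:
        raise ValueError(f"expected 5 comma-separated fields, got {len(parts)} in {expr!r}")
    src_ip, src_port, dst_ip, dst_port, proto = parts
    return Tuple5(
        _check_ip(src_ip, "srcIP"),
        _check_num(src_port, "srcPort", 65535),
        _check_ip(dst_ip, "dstIP"),
        _check_num(dst_port, "dstPort", 65535),
        _check_num(proto, "IPProto", 255),
    )


def is_valid_expression(expr: str) -> bool:
    """Convenience wrapper: True if parse_expression accepts the string."""
    try:
        parse_expression(expr)
        return True
    except ValueError:
        return False


def build_command(tuples: Sequence[Tuple5]) -> str:
    """Render a full fw monitor command line, enforcing the five-expression limit."""
    if not tuples:
        raise ValueError("no -F expressions given")
    if len(tuples) > MAX_EXPRESSIONS:
        raise ValueError(f"{len(tuples)} expressions given; at most {MAX_EXPRESSIONS} are ORed per invocation")
    return "fw monitor " + " ".join(f"-F {t.render()}" for t in tuples)


def host_filter(ip: str) -> str:
    """Both directions for one host: the -F equivalent of tcpdump 'host ip'."""
    c2s = Tuple5(_check_ip(ip, "host"), 0, "0", 0, 0)
    return build_command([c2s, c2s.reverse()])


def hide_nat_connection_filter(client_ip: str, nat_ip: str, server_ip: str,
                               server_port: int, proto: int) -> str:
    """Four tuples: client->server and server->client, each pre- and post-Hide-NAT."""
    pre = Tuple5(_check_ip(client_ip, "client"), 0, _check_ip(server_ip, "server"), server_port, proto)
    post = Tuple5(_check_ip(nat_ip, "hide NAT"), 0, server_ip, server_port, proto)
    return build_command([pre, post, post.reverse(), pre.reverse()])


if __name__ == "__main__":
    # Values from the post: inside host, Hide NAT address, Internet server on TCP/443.
    print(host_filter("1.2.3.4"))
    print(hide_nat_connection_filter("192.168.1.50", "63.55.55.1", "129.82.102.32", 443, 6))
```

Run the generated line through parse_expression on the workstation before pasting it into the gateway; the point of the validator is that the rejection happens where it is visible, rather than on the firewall where a bad tuple quietly becomes a full-traffic capture.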