Using fw monitor (Firewall Troubleshooting) (Check Point)

fw monitor is a command-line utility for capturing packets on the firewall itself. It is available on every VPN-1/FireWall-1 platform, so even firewalls running Windows can use it. fw monitor comes in very handy when troubleshooting particularly tricky firewall problems, such as when you cannot work out why an FTP session is failing, or whether NAT is being applied correctly. By the end of this section, you should understand how fw monitor works, how to write your own INSPECT filters for the command, and how to review the output. The syntax for fw monitor follows; see Table 15.1 for a description of each switch:

fw monitor [-d | -D] [-e "expression" | -f filter-file] [-l length] [-m mask] [-o output-file] [-x]

Table 15.1 Switches Used with fw monitor

Switch    Description
-------   -----------------------------------------------------------------------------
-d        Lower level of debugging output while the INSPECT filter is compiled and loaded.
-D        Higher level of debugging output while the INSPECT filter is compiled and loaded.
-e        Specify an INSPECT filter expression on the command line.
-f        Load the INSPECT filter from a file.
-l        Maximum number of bytes of each packet to capture and display.
-m        Mask the inspection points to capture: any combination of i, I, o, and O as
          described in Table 15.2. If this switch is not used, all four points are captured.
-o        Output file to which the captured packets are written. You will need a network
          protocol analyzer (see "Reviewing the Output") to read it.
-x        Print a hex dump of the IP header and protocol data. Applies to console output
          only; it has no effect on a file written with -o.

How It Works

The fw monitor command works by first compiling and loading an INSPECT filter, which matches packets as they pass each interface of the firewall in both the inbound and outbound directions. This filter is similar in form to the one compiled from your Security Policy, but it only selects packets to capture; it does not accept or drop anything. If you run the command without any arguments, every packet is captured and printed to standard output (the screen), and a packet that traverses the firewall is shown four times: before and after kernel inspection on the inbound interface (i and I), and again before and after inspection on the outbound interface (o and O). A packet the kernel drops on the way in appears only once, at i, which makes fw monitor a quick way to tell a policy drop from a routing or NAT problem. See Figure 15.9 and Table 15.2 for an explanation of the inspection points.

Figure 15.9 Interface Direction Inspection Points


Table 15.2 Interface Direction Inspection Points in fw monitor

Inspection Point   Description
----------------   -----------------------------------------------------------------
i                  Before VPN-1/FireWall-1 kernel inspection in the inbound direction
I                  After VPN-1/FireWall-1 kernel inspection in the inbound direction
o                  Before VPN-1/FireWall-1 kernel inspection in the outbound direction
O                  After VPN-1/FireWall-1 kernel inspection in the outbound direction

Writing INSPECT Filters for fw monitor

If you don't want to dump every packet to the terminal, which is what fw monitor does with no arguments, you can write filters that capture only the traffic you care about. The simplest filter, fw monitor -e "accept;" -o monitor.out, still captures every packet but writes the output to a file instead of the screen. You will then need a network protocol analyzer that can read packet capture data, such as snoop or Ethereal, to look at it. See the following section, "Reviewing the Output," for more information.

The accept action in the filter only means that the filter should select, and therefore capture, packets matching the expression; it does not mean that you want to see only packets the firewall has accepted, and it has no effect on what the Security Policy does with the packet. Also remember the semicolon at the end of the expression, otherwise the filter will not compile. If the filter compiles successfully, you will see the following output (as the last line says, press Ctrl-C when you want to stop capturing):

monitor: getting filter (from command line)
monitor: compiling
monitorfilter.in
monitor: loading
monitor: monitoring (control-C to stop)

Before we get into the other filtering options, let's look at how an IP packet header is laid out, so that the syntax in the examples that follow makes sense. Figure 15.10 illustrates an IPv4 header without options, which is 20 bytes long (each byte being 8 bits). Bytes in the header are counted from zero: byte 0 holds the IP version and the header length, byte 9 holds the protocol number (TCP, UDP, and so on), bytes 12 through 15 hold the source IP address, and bytes 16 through 19 hold the destination address. If IP options are present the header is longer than 20 bytes, and anything you count from the start of the TCP or UDP header (such as the port numbers) shifts accordingly; the low four bits of byte 0 give the header length in 32-bit words.

When you write INSPECT filters for fw monitor, you specify where in the packet to look by byte offset. The syntax for a single value is [<offset>:<length>,<order>]. The offset is the start byte, length is the number of bytes to read (four if omitted), and order is b for big endian (network byte order) or l for little endian, also called host order, which is the default. Because host order depends on the firewall's CPU, always write the ,b explicitly for multi-byte fields; otherwise an address or port may be compared back to front. For example, to capture all TCP traffic you could use fw monitor -e "accept [9:1,b]=6;". This expression says: start at byte 9 (counting from zero), read one byte, and match if the value is 6, the protocol number for TCP. For a list of protocols and their numbers, see www.iana.org/assignments/protocol-numbers for the most up-to-date information. The most commonly seen protocols are ICMP, TCP, and UDP, which are numbers 1, 6, and 17 respectively.

Figure 15.10 IP Packet Header


If you want to capture traffic to or from a specific IP address, you might use a filter like this: fw monitor -e "accept [12,b]=10.10.10.1 or [16,b]=10.10.10.1;" -o monitor.out. Here [12,b] is the source IP address, which starts at byte 12 of the IP header (counting from 0, as shown in Figure 15.10), and [16,b] is the destination address. You do not need to write the length, as in [12:4,b], because fw monitor reads four bytes by default from the offset you give. We recommend a filter like this when you are analyzing traffic to or from a particular address, for example when FTP to a specific server is failing. Use the FTP server's address as both the source and the destination term, since you want to see traffic in both directions, and the client's address may be translated by NAT as it crosses the firewall, so a filter on the client address could miss the packets on the far side. Here is a step-by-step example for an FTP problem to or from 192.168.0.8:

1. Run fw monitor -e "accept [12,b]=192.168.0.8 or [16,b]=192.168.0.8;".

2. Start the FTP connection from your client and reproduce the problem.

3. When done capturing data, press Ctrl-C on the firewall to end the fw monitor capture.

4. Review the output.

The last example is a filter that looks for a specific source or destination port. Say you want to capture all HTTP (TCP port 80) traffic. With a 20-byte IP header the TCP header starts at byte 20, so the two-byte source port is at [20:2,b] and the destination port at [22:2,b]; checking the protocol byte as well keeps UDP traffic on port 80 out of the capture. You might write the filter like this:

fw monitor -e "accept [9:1,b]=6 and ([20:2,b]=80 or [22:2,b]=80);" -o monitor.out
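The following Python script is a worked example added here; it is not from the book and not Check Point code. It builds two constructed IPv4/TCP packets and evaluates the [offset:length,order]=value terms used in the protocol, address and port filters above against the raw bytes, so you can see exactly which bytes each filter tests. It also shows the two pitfalls a practitioner hits with these filters: the port offsets 20 and 22 move when the IP header carries options, and a multi-byte field read in host order on a little-endian firewall comes out reversed. The packet builder, the function names, the sample addresses and the port_filter helper are the example's own assumptions; fw monitor itself is not needed to run it.

```python
"""Evaluate fw monitor-style [offset:length,order]=value terms against raw packets.
Added example; the packets below are constructed, not captured from a firewall."""
import ipaddress
import struct


def build_ipv4_tcp(src, dst, sport, dport, options=b""):
    """Construct a minimal IPv4/TCP packet (no payload, checksums left zero)."""
    assert len(options) % 4 == 0, "IP options are padded to 32-bit words"
    ihl = 5 + len(options) // 4                  # header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    total_len = ihl * 4 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s",
                     (4 << 4) | ihl,              # byte 0: version 4, IHL
                     0, total_len, 0, 0, 64,
                     6,                           # byte 9: protocol = TCP
                     0,
                     ipaddress.IPv4Address(src).packed,   # bytes 12-15
                     ipaddress.IPv4Address(dst).packed)   # bytes 16-19
    return ip + options + tcp


def inspect_value(packet, offset, length=4, order="b"):
    """Read <length> bytes at byte <offset>, as [offset:length,order] does.
    fw monitor defaults to 4 bytes and host order; 'b' forces big-endian."""
    chunk = packet[offset:offset + length]
    if len(chunk) != length:
        raise ValueError("offset %d:%d runs past the end of the packet" % (offset, length))
    return int.from_bytes(chunk, "big" if order == "b" else "little")


def inspect_match(packet, offset, value, length=4, order="b"):
    """True if [offset:length,order] equals value; value may be a dotted quad."""
    if isinstance(value, str):
        value = int(ipaddress.IPv4Address(value))
    return inspect_value(packet, offset, length, order) == value


def ip_header_len(packet):
    """IP header length in bytes from the low nibble of byte 0 (20 without options)."""
    return (packet[0] & 0x0F) * 4


def tcp_port_offsets(packet):
    """Byte offsets of the TCP source and destination ports for this packet."""
    hl = ip_header_len(packet)
    return hl, hl + 2


def port_filter(port):
    """INSPECT expression for TCP traffic to or from <port>, assuming a 20-byte
    IP header; the [9:1,b]=6 term keeps UDP on the same port out of the capture."""
    return 'accept [9:1,b]=6 and ([20:2,b]=%d or [22:2,b]=%d);' % (port, port)


# Constructed sample packets: client 192.168.0.8:1025 -> HTTP server 10.10.10.1:80
PLAIN = build_ipv4_tcp("192.168.0.8", "10.10.10.1", 1025, 80)
# Same flow carrying a 4-byte IP option (router alert), so IHL = 6 and the
# TCP header starts at byte 24 instead of 20.
WITH_OPTS = build_ipv4_tcp("192.168.0.8", "10.10.10.1", 1025, 80,
                           options=bytes([0x94, 0x04, 0x00, 0x00]))

if __name__ == "__main__":
    print("[9:1,b]=6          ", inspect_match(PLAIN, 9, 6, length=1))
    print("[12,b]=192.168.0.8 ", inspect_match(PLAIN, 12, "192.168.0.8"))
    print("[16,b]=10.10.10.1  ", inspect_match(PLAIN, 16, "10.10.10.1"))
    print("[22:2,b]=80        ", inspect_match(PLAIN, 22, 80, length=2))
    # Pitfall 1: with IP options the fixed port offset reads option bytes instead.
    print("[22:2,b]=80, IHL=6 ", inspect_match(WITH_OPTS, 22, 80, length=2))
    print("real port offsets  ", tcp_port_offsets(WITH_OPTS))
    # Pitfall 2: host order on a little-endian box reads the address backwards.
    print("[12,l] reads as    ", ipaddress.IPv4Address(inspect_value(PLAIN, 12, 4, "l")))
    print(port_filter(80))
```

The script prints True for the four filter terms on the plain packet, False for the port term once an option is present (the ports are then at offsets 24 and 26), and 8.0.168.192 for the source address read in little-endian order, which is why the ,b suffix matters on a PC-based firewall.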

For more help with the INSPECT language, review the NG CP Reference Guide, available online at www.checkpoint.com/support/technical/documents/docs-5.0/cp_ref_ng_sp0.pdf.

Reviewing the Output

If you use the -o option with fw monitor to save the output to a file, you will need a network protocol analyzer that can interpret packet capture data, such as snoop or Ethereal. If you do not use -o, the packets are printed to standard output, and you can redirect the command's output to a text file instead. Ethereal is the easiest way to view the data, since you can search it and apply display filters, so it is what we use in the following examples. Ethereal is a freeware program that you can download from www.ethereal.com (the project has since been renamed Wireshark).

Note

To use snoop (available on most Solaris systems), use the -i switch to import the file, as in the following examples:

■ Ex. snoop -i monitor.out

■ Ex. snoop -i monitor.cap -V -x14 tcp port ftp or tcp port ftp-data

See Figure 15.11 for an example of fw monitor output in Ethereal. In the top pane you can see the elapsed time, the source and destination addresses and the protocol, and in the Info column the source and destination ports, TCP flags, sequence number, ACK number, window and length. Highlight a packet and the second pane shows its decoded fields in detail. The third pane is where you find the inspection point at which the packet was captured: in Figure 15.11 it reads i.eth-s4p1c0, meaning the packet was caught before VPN-1/FireWall-1 kernel inspection, in the inbound direction, on interface eth-s4p1c0. Comparing the last inspection point at which a packet appears (i, I, o or O) with where you expected to see it tells you whether the firewall dropped it, whether NAT changed it, and whether it was ever routed out.

Figure 15.11 Ethereal Output


You can also use Ethereal to set up filters.You can type in a filter in the window at the bottom, such as ip.addr == 192.168.168.3 or tcp.port == 80, then click Apply, or you can use the Filter button on the bottom of the page to select the filter you are interested in applying. Figure 15.12 illustrates how this is done.

1. Click on Filter.

2. Click on Add Expression….

3. Select a Field name, such as Source or Destination Address.

4. Choose a relation:

such as == (equal to) or != (not equal to).

5. Finally, enter the IP address you wish to search for in the box provided. When you are done, click Accept.

6. Click OK to apply the filter.

7. Click on Reset when you want to remove the filter.

Figure 15.12 Ethereal Filter

