The PhoneBoy Blog


Simplifying Telecom, Mobile Phones, Gadgets, Health, and More!

FireWall-1 FAQ: How can I run a Packet Sniffer on the Firewall?

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.


I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.


If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)


Solaris comes with ‘snoop’. IPSO and AIX come with ‘tcpdump.’ However, all versions of FireWall-1 since 4.0 come with a ‘built-in’ packet sniffer called ‘fw monitor’, which can be used to monitor various packets going in and out of the various parts of FireWall-1. It can show you packets as they are entering and leaving various parts of FireWall-1, which is more than a packet sniffer can do.

Earlier versions of FireWall-1 require the ‘fwc’ feature, which is included in a management console license. This means this feature may not work on your firewall module if it does not also contain a management console, or at least a management console-type license (a temp license has this feature). More recent versions of FireWall-1 (4.1 SP5 and NG) don’t have this limitation.

Usage:

fw monitor [-d] [-D] -e inspect-filter -f filter-file [-l len] [-m mask] [-x offset[,len]] [-o file]

There are four “inspection” points as packets pass through FireWall-1. We choose where we want to “see” packets with the -m option:

  • Before FireWall-1 processes the packet in the inbound direction (i or PREIN)
  • After FireWall-1 processes packet in the inbound direction (I or POSTIN)
  • Before FireWall-1 processes the packet in the outbound direction (o or PREOUT)
  • After FireWall-1 process the packet in the outbound direction (O or POSTOUT)

Since there can be lots of packets, we need some way of determing which packets we are interested in seeing. We do this by means of an INSPECT filter, which can be typed in directly on the command line or via an INSPECT filter file. One of these options (-f or -e) is required. Once you execute this command, FireWall-1 will compile the specified INSPECT script (either on the command line or in a file), load it into the kernel module, and display them in the terminal window or to the output file in snoop format. It will continue to do this until an interrupt signal is sent to the program (Ctrl-C), after which it will unload the filter and exit.

The INSPECT script should return an “accept” in order for packets to be displayed. Any other return code will cause packets not to be displayed. If you want to only catch packets on a certain interface, do not use ‘le0@all’ (for example), but instead use ‘direction=x,ifid=y’ where x=0 for inbound, 1 for outbound, and y is an interface number returned by the ‘fw ctl iflist’ command. Do not use table names that are used by the security policy.

Here is a table of the command line options you can give to ‘fw monitor’:

Flag Description
-d Turn on debug flag
-D Turn on debug flag
-e Specify an INSPECT program line (multiple -e options can be used) 
-f INSPECT filter name. '-' can be used to specify standard input. The -f and -e options are mutually exclusive
-l Specify how many bytes of the packet should be transferred from the kernel.
-m Specify inspection points mask, any one or more of i, I, o, O as explained above. This feature only works on 4.0 SP3 or later.
-o Specify an output file, which can be viewer with the 'snoop' command on Solaris.
-x Perform a hex dump of the received data, starting at specified offset and printing out 'len' bytes.

Examples

fw monitor -e "[9:1]=6, accept;" -l 100 -m iO -x 20 will display all TCP packets entering and leaving FireWall-1. Up to 80 bytes of TCP header and data will be displayed (assuming no IP Options are used)

fw monitor -e "accept;" -m iI will display all packets entering and exiting FireWall-1 in the inbound direction (i.e. before the OS routes the packet).

fw monitor -e "accept src=1.1.1.1;" will display all packets originating from 1.1.1.1.

fw monitor -e "accept src=1.1.1.1,dport=80;" will display all packets originating from 1.1.1.1 going to port 80.

fw monitor -e "accept ((src=1.1.1.1,dst=2.2.2.2) or (src=2.2.2.2,dst=1.1.1.1));" will display all packets exchanged between 1.1.1.1 and 2.2.2.2

Warnings

Don’t mess with tables used in the security policy or unexpected results will occur, including system crashes. Packets are defragmented as the packets leave FireWall-1 in both the inbound and outbound direction. Anything that causes a fetch, load, or unload of your security policy will cause fw monitor to exit.

There is also a known bug on the IPSO version of FireWall-1 where fw monitor will exit unexpectedly. This will be fixed in the IPSO 3.3 version of 4.1 SP2. In the meantime, you can get around this problem by making sure you filter out OSPF packets with a command like like the following:

fw monitor -e 'accept (ip_p = 89);'

There is a web page that helps you generate INSPECT code for use with fw monitor at http://www.decock.org/ginspect/

In the meantime, Check Point has a PDF for using the commands (NO login required)

#Cybersecurity Evangelist, Podcaster, #noagenda Producer, Frequenter of shiny metal tubes, Expressor of personal opinions, and of course, a coffee achiever.