Difference between revisions of "Fw monitor"

From cpwiki.net
Jump to: navigation, search
Check Point Profressional Services
(Pushed from Themanclub.)
 
 
(One intermediate revision by one user not shown)
Line 1: Line 1:
 
'''4 chain, all bidirectional traffic between 2 hosts'''
 
'''4 chain, all bidirectional traffic between 2 hosts'''
 
  fw monitor -m iIoO -e "accept src=192.168.1.1 and dst=10.0.0.1; accept src=10.0.0.1 and dst=192.168.0.1;"  
 
  fw monitor -m iIoO -e "accept src=192.168.1.1 and dst=10.0.0.1; accept src=10.0.0.1 and dst=192.168.0.1;"  
 +
'''capture icmp packets only from host x'''
 +
fw monitor -m iIoO -e "ip_p=1,host(192.168.1.1), accept;"
  
 +
 +
 +
Usual Capture
 +
 +
Capture everything, save the data into the file:
 +
[Expert@HostName]# fw monitor -e "accept;" -o /var/log/fw_mon.cap
 +
 +
Capture everything between host X and host Y:
 +
[Expert@HostName]# fw monitor -e "((src=x.x.x.x , dst=y.y.y.y) or (src=y.y.y.y , dst=x.x.x.x)), accept;" -o /var/log/fw_mon.cap
 +
[Expert@HostName]# fw monitor -e "host(x.x.x.x) and host(y.y.y.y), accept;" -o /var/log/fw_mon.cap
 +
 +
Capture everything between hosts X,Z and hosts Y,Z on all Check Point kernel chains:
 +
[Expert@HostName]# fw monitor -p all -e "((src=x.x.x.x or dst=z.z.z.z) and (src=y.y.y.y or dst=z.z.z.z)), accept ;" -o /var/log/fw_mon.cap
 +
 +
Capture everything to/from host X or to/from host Y or to/from host Z:
 +
[Expert@HostName]# fw monitor -e "((accept (src=x.x.x.x or dst=x.x.x.x)) or (accept (src=y.y.y.y or dst=y.y.y.y)) or (accept (src=z.z.z.z or dst=z.z.z.z)));" -o /var/log/fw_mon.cap
 +
[Expert@HostName]# fw monitor -e "host(x.x.x.x) or host(=y.y.y.y) or host(=z.z.z.z), accept;" -o /var/log/fw_mon.cap
 +
 +
 +
Port Specific Capture
 +
 +
Capture everything to/from port X:
 +
[Expert@HostName]# fw monitor -e "accept (sport=x or dport=x);" -o /var/log/fw_mon.cap
 +
[Expert@HostName]# fw monitor -e "port(x), accept;" -o /var/log/fw_mon.cap
 +
 +
Capture everything except port X:
 +
[Expert@HostName]# fw monitor -e "accept not (sport=x or dport=x);" -o /var/log/fw_mon.cap
 +
[Expert@HostName]# fw monitor -e "((sport=!x) or (dport=!x)), accept;" -o /var/log/fw_mon.cap
 +
 +
Capture everything except SSH:
 +
[Expert@HostName]# fw monitor -e "accept not (sport=22 or dport=22);" -o /var/log/fw_mon.cap
 +
[Expert@HostName]# fw monitor -e "((sport!=22) or (dport!=22)), accept;" -o /var/log/fw_mon.cap
 +
 +
Capture everything to/from host X except SSH:
 +
[Expert@HostName]# fw monitor -e "((accept (src=x.x.x.x or dst=x.x.x.x)) and (accept not (sport=22 or dport=22)));" -o /var/log/fw_mon.cap
 +
[Expert@HostName]# fw monitor -e "((host(x.x.x.x) and (sport!=22 or dport!=22)), accept;" -o /var/log/fw_mon.cap
 +
 +
 +
Protocol Specific Capture
 +
 +
Note: Protocol number in the syntax has to be provided in Decimal format. Refer to '/etc/protocols' file on the machine, or to 'www.iana.org/assignments/protocol-numbers/'
 +
 +
Capture everything on protocol X:
 +
[Expert@HostName]# fw monitor -e "ip_p=X, accept;" -o /var/log/fw_mon.cap
 +
 +
Everything on protocol X and port Z on protocol Y:
 +
[Expert@HostName]# fw monitor -e "(ip_p=X) or (ip_p=Y, port(Z)), accept;" -o /var/log/fw_mon.cap
 +
 +
Capture everything TCP between host X and host Y:
 +
[Expert@HostName]# fw monitor -e "ip_p=6, host(x.x.x.x) or host(=y.y.y.y), accept;" -o /var/log/fw_mon.cap
 +
[Expert@HostName]# fw monitor -e "accept [9:1]=9 , ((src=x.x.x.x , dst=y.y.y.y) or (src=y.y.y.y , dst=x.x.x.x));"
 +
[Expert@HostName]# fw monitor -e "ip_p=6, ((src=x.x.x.x , dst=y.y.y.y) or (src=y.y.y.y , dst=x.x.x.x)), accept;" -o /var/log/fw_mon.cap
 +
 +
 +
Bytes Specific Capture
 +
 +
Simple checks are used to check for a value at a specific offset in the packet:
 +
 +
[Expert@HostName]# fw monitor -e "accept [ offset : length , order ] relational-operator value;"
 +
Field Explanation
 +
offset specifies the offset relative to the beginning of the IP packet from where the value should be read.
 +
length specifies the number of bytes and can be 1 (byte), 2 (word), or 4 (dword). If length is not specified, 'FW Monitor' assumes 4 (dword).
 +
order specifies the byte order. Possible values are b (big endian), or l (little endian, or host order). If order is not specified, 'FW Monitor' assumes little endian byte order.
 +
relational-operator is a relational operator to express the relation between the packet data and the value:
 +
<  less than
 +
>  greater than
 +
<=  less than or equal to
 +
>=  greater than
 +
= or is  equal to
 +
!= or is not  not equal to
 +
value is one of the data types known to INSPECT (e.g., an IP address, or an integer).
 +
 +
 +
 +
The IP-based protocols are stored in the IP packet as a byte at offset 9:
 +
To filter based on a Protocol encapsulated into IP, use "accept [9:1]=Protocol_Number_in_Decimal_format;" syntax
 +
The Layer 3 IP Addresses are stored in the IP packet as double words at offset 12 (Source address) and at offset 16 (Destination address):
 +
To filter based on a Source IP address, use "accept [12:4,b]=IP_Address_in_Doted_Decimal_format;" syntax
 +
To filter based on a Destination IP address, use "accept [16:4,b]=IP_Address_in_Doted_Decimal_format;" syntax
 +
The Layer 4 Ports are stored in the IP packet as a word at offset 20 (Source port) and at offset 22 (Destination port):
 +
To filter based on a Source port, use "accept [20:2,b]=Port_Number_in_Decimal_format;" syntax
 +
To filter based on a Destination port, use "accept [22:2,b]=Port_Number_in_Decimal_format;" syntax
 +
 +
 +
 +
Capture everything between host X and host Y:
 +
[Expert@HostName]# fw monitor -e "accept (([12:4,b]=x.x.x.x , [16:4,b]=y.y.y.y) or ([12:4,b]=y.y.y.y , [16:4,b]=x.x.x.x));" Capture everything on port X:
 +
[Expert@HostName]# fw monitor -e "accept [20:2,b]=x or [22:2,b]=x;" -o /var/log/fw_mon.cap
 +
 +
 +
Network Specific Capture
 +
 +
Capture everything on network 192.168.33.0/24:
 +
[Expert@HostName]# fw monitor -e "net={<192.168.33.0,192.168.33.255>}; dst in net, accept;"
 +
 +
 +
Examples
 +
 +
Capture ESP protocol or UDP port 161 (SNMP):
 +
[Expert@HostName]# fw monitor -e "(ip_p=50) or (ip_p=17, port(161)), accept;" -o /var/log/fw_mon.cap > /dev/null 2>&1 &
 +
 +
Filter out the usual garbage (SMTP, POP3, SSH, Microsoft NetBIOS, Check Point ClusterXL CCP):
 +
[Expert@HostName]# fw monitor -e "(sport!=25) and (dport!=25) and (sport!=110) and (dport!=110) and (sport!=22) and (dport!=22) and (sport!=137) and (dport!=137) and (sport!=8116) and (dport!=8116), accept;" -o /var/log/fw_mon.cap > /dev/null 2>&1 &
 +
 +
Filter out the usual garbage (filter in only TCP protocol, and HTTP and HTTPS ports ; filter out the SSH and FW Logs):
 +
[Expert@HostName]# fw monitor -e "accept (ip_p=6) and (not (sport=22 or dport=22)) and (not (sport=257 or dport=257)) and ((dport=80 or dport=443) or (sport=80 or sport=443);" -o /var/log/fw_mon.cap > /dev/null 2>&1 &
 +
 +
Capture Edge communication on UDP ports 9281, 9282, 9283:
 +
[Expert@HostName]# fw monitor -e "ip_p=17, (host(10.10.10.10) or host(20.20.20.20) or host(30.30.30.30)) and (port(9281) or port(9282) or port(9283)), accept;" -o /var/log/fw_mon.cap
  
 
[[category:check point]]
 
[[category:check point]]

Latest revision as of 15:49, 7 July 2013

4 chain, all bidirectional traffic between 2 hosts 

fw monitor -m iIoO -e "accept src=192.168.1.1 and dst=10.0.0.1; accept src=10.0.0.1 and dst=192.168.0.1;"

capture icmp packets only from host x 

fw monitor -m iIoO -e "ip_p=1,host(192.168.1.1), accept;"


Usual Capture

Capture everything, save the data into the file: 

[Expert@HostName]# fw monitor -e "accept;" -o /var/log/fw_mon.cap

Capture everything between host X and host Y: 

[Expert@HostName]# fw monitor -e "((src=x.x.x.x , dst=y.y.y.y) or (src=y.y.y.y , dst=x.x.x.x)), accept;" -o /var/log/fw_mon.cap
[Expert@HostName]# fw monitor -e "host(x.x.x.x) and host(y.y.y.y), accept;" -o /var/log/fw_mon.cap

Capture everything between hosts X,Z and hosts Y,Z on all Check Point kernel chains: 

[Expert@HostName]# fw monitor -p all -e "((src=x.x.x.x or dst=z.z.z.z) and (src=y.y.y.y or dst=z.z.z.z)), accept ;" -o /var/log/fw_mon.cap

Capture everything to/from host X or to/from host Y or to/from host Z: 

[Expert@HostName]# fw monitor -e "((accept (src=x.x.x.x or dst=x.x.x.x)) or (accept (src=y.y.y.y or dst=y.y.y.y)) or (accept (src=z.z.z.z or dst=z.z.z.z)));" -o /var/log/fw_mon.cap
[Expert@HostName]# fw monitor -e "host(x.x.x.x) or host(=y.y.y.y) or host(=z.z.z.z), accept;" -o /var/log/fw_mon.cap


Port Specific Capture

Capture everything to/from port X: 

[Expert@HostName]# fw monitor -e "accept (sport=x or dport=x);" -o /var/log/fw_mon.cap
[Expert@HostName]# fw monitor -e "port(x), accept;" -o /var/log/fw_mon.cap

Capture everything except port X: 

[Expert@HostName]# fw monitor -e "accept not (sport=x or dport=x);" -o /var/log/fw_mon.cap
[Expert@HostName]# fw monitor -e "((sport=!x) or (dport=!x)), accept;" -o /var/log/fw_mon.cap

Capture everything except SSH: 

[Expert@HostName]# fw monitor -e "accept not (sport=22 or dport=22);" -o /var/log/fw_mon.cap
[Expert@HostName]# fw monitor -e "((sport!=22) or (dport!=22)), accept;" -o /var/log/fw_mon.cap

Capture everything to/from host X except SSH: 

[Expert@HostName]# fw monitor -e "((accept (src=x.x.x.x or dst=x.x.x.x)) and (accept not (sport=22 or dport=22)));" -o /var/log/fw_mon.cap
[Expert@HostName]# fw monitor -e "((host(x.x.x.x) and (sport!=22 or dport!=22)), accept;" -o /var/log/fw_mon.cap


Protocol Specific Capture

Note: Protocol number in the syntax has to be provided in Decimal format. Refer to '/etc/protocols' file on the machine, or to 'www.iana.org/assignments/protocol-numbers/'

Capture everything on protocol X: 

[Expert@HostName]# fw monitor -e "ip_p=X, accept;" -o /var/log/fw_mon.cap

Everything on protocol X and port Z on protocol Y: 

[Expert@HostName]# fw monitor -e "(ip_p=X) or (ip_p=Y, port(Z)), accept;" -o /var/log/fw_mon.cap

Capture everything TCP between host X and host Y: 

[Expert@HostName]# fw monitor -e "ip_p=6, host(x.x.x.x) or host(=y.y.y.y), accept;" -o /var/log/fw_mon.cap
[Expert@HostName]# fw monitor -e "accept [9:1]=9 , ((src=x.x.x.x , dst=y.y.y.y) or (src=y.y.y.y , dst=x.x.x.x));"
[Expert@HostName]# fw monitor -e "ip_p=6, ((src=x.x.x.x , dst=y.y.y.y) or (src=y.y.y.y , dst=x.x.x.x)), accept;" -o /var/log/fw_mon.cap


Bytes Specific Capture

Simple checks are used to check for a value at a specific offset in the packet: 

[Expert@HostName]# fw monitor -e "accept [ offset : length , order ] relational-operator value;"

Field Explanation offset specifies the offset relative to the beginning of the IP packet from where the value should be read. length specifies the number of bytes and can be 1 (byte), 2 (word), or 4 (dword). If length is not specified, 'FW Monitor' assumes 4 (dword). order specifies the byte order. Possible values are b (big endian), or l (little endian, or host order). If order is not specified, 'FW Monitor' assumes little endian byte order. relational-operator is a relational operator to express the relation between the packet data and the value: < less than > greater than <= less than or equal to >= greater than = or is equal to != or is not not equal to value is one of the data types known to INSPECT (e.g., an IP address, or an integer). 


The IP-based protocols are stored in the IP packet as a byte at offset 9:

To filter based on a Protocol encapsulated into IP, use "accept [9:1]=Protocol_Number_in_Decimal_format;" syntax 

The Layer 3 IP Addresses are stored in the IP packet as double words at offset 12 (Source address) and at offset 16 (Destination address):

To filter based on a Source IP address, use "accept [12:4,b]=IP_Address_in_Doted_Decimal_format;" syntax To filter based on a Destination IP address, use "accept [16:4,b]=IP_Address_in_Doted_Decimal_format;" syntax 

The Layer 4 Ports are stored in the IP packet as a word at offset 20 (Source port) and at offset 22 (Destination port):

To filter based on a Source port, use "accept [20:2,b]=Port_Number_in_Decimal_format;" syntax To filter based on a Destination port, use "accept [22:2,b]=Port_Number_in_Decimal_format;" syntax


Capture everything between host X and host Y: 

[Expert@HostName]# fw monitor -e "accept (([12:4,b]=x.x.x.x , [16:4,b]=y.y.y.y) or ([12:4,b]=y.y.y.y , [16:4,b]=x.x.x.x));" Capture everything on port X:
[Expert@HostName]# fw monitor -e "accept [20:2,b]=x or [22:2,b]=x;" -o /var/log/fw_mon.cap


Network Specific Capture

Capture everything on network 192.168.33.0/24: 

[Expert@HostName]# fw monitor -e "net={<192.168.33.0,192.168.33.255>}; dst in net, accept;"


Examples

Capture ESP protocol or UDP port 161 (SNMP): 

[Expert@HostName]# fw monitor -e "(ip_p=50) or (ip_p=17, port(161)), accept;" -o /var/log/fw_mon.cap > /dev/null 2>&1 &

Filter out the usual garbage (SMTP, POP3, SSH, Microsoft NetBIOS, Check Point ClusterXL CCP): 

[Expert@HostName]# fw monitor -e "(sport!=25) and (dport!=25) and (sport!=110) and (dport!=110) and (sport!=22) and (dport!=22) and (sport!=137) and (dport!=137) and (sport!=8116) and (dport!=8116), accept;" -o /var/log/fw_mon.cap > /dev/null 2>&1 &

Filter out the usual garbage (filter in only TCP protocol, and HTTP and HTTPS ports ; filter out the SSH and FW Logs): 

[Expert@HostName]# fw monitor -e "accept (ip_p=6) and (not (sport=22 or dport=22)) and (not (sport=257 or dport=257)) and ((dport=80 or dport=443) or (sport=80 or sport=443);" -o /var/log/fw_mon.cap > /dev/null 2>&1 &

Capture Edge communication on UDP ports 9281, 9282, 9283: 

[Expert@HostName]# fw monitor -e "ip_p=17, (host(10.10.10.10) or host(20.20.20.20) or host(30.30.30.30)) and (port(9281) or port(9282) or port(9283)), accept;" -o /var/log/fw_mon.cap
Retrieved from "http://www.cpwiki.net/index.php?title=Fw_monitor&oldid=161"