Fw monitor

From cpwiki.net
Revision as of 15:49, 7 July 2013 by Nighthawk (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
Check Point Profressional Services

4 chain, all bidirectional traffic between 2 hosts

fw monitor -m iIoO -e "accept src=192.168.1.1 and dst=10.0.0.1; accept src=10.0.0.1 and dst=192.168.0.1;" 

capture icmp packets only from host x

fw monitor -m iIoO -e "ip_p=1,host(192.168.1.1), accept;"


Usual Capture

Capture everything, save the data into the file:

[Expert@HostName]# fw monitor -e "accept;" -o /var/log/fw_mon.cap

Capture everything between host X and host Y:

[Expert@HostName]# fw monitor -e "((src=x.x.x.x , dst=y.y.y.y) or (src=y.y.y.y , dst=x.x.x.x)), accept;" -o /var/log/fw_mon.cap
[Expert@HostName]# fw monitor -e "host(x.x.x.x) and host(y.y.y.y), accept;" -o /var/log/fw_mon.cap

Capture everything between hosts X,Z and hosts Y,Z on all Check Point kernel chains:

[Expert@HostName]# fw monitor -p all -e "((src=x.x.x.x or dst=z.z.z.z) and (src=y.y.y.y or dst=z.z.z.z)), accept ;" -o /var/log/fw_mon.cap

Capture everything to/from host X or to/from host Y or to/from host Z:

[Expert@HostName]# fw monitor -e "((accept (src=x.x.x.x or dst=x.x.x.x)) or (accept (src=y.y.y.y or dst=y.y.y.y)) or (accept (src=z.z.z.z or dst=z.z.z.z)));" -o /var/log/fw_mon.cap
[Expert@HostName]# fw monitor -e "host(x.x.x.x) or host(=y.y.y.y) or host(=z.z.z.z), accept;" -o /var/log/fw_mon.cap


Port Specific Capture

Capture everything to/from port X:

[Expert@HostName]# fw monitor -e "accept (sport=x or dport=x);" -o /var/log/fw_mon.cap
[Expert@HostName]# fw monitor -e "port(x), accept;" -o /var/log/fw_mon.cap

Capture everything except port X:

[Expert@HostName]# fw monitor -e "accept not (sport=x or dport=x);" -o /var/log/fw_mon.cap
[Expert@HostName]# fw monitor -e "((sport=!x) or (dport=!x)), accept;" -o /var/log/fw_mon.cap

Capture everything except SSH:

[Expert@HostName]# fw monitor -e "accept not (sport=22 or dport=22);" -o /var/log/fw_mon.cap
[Expert@HostName]# fw monitor -e "((sport!=22) or (dport!=22)), accept;" -o /var/log/fw_mon.cap

Capture everything to/from host X except SSH:

[Expert@HostName]# fw monitor -e "((accept (src=x.x.x.x or dst=x.x.x.x)) and (accept not (sport=22 or dport=22)));" -o /var/log/fw_mon.cap
[Expert@HostName]# fw monitor -e "((host(x.x.x.x) and (sport!=22 or dport!=22)), accept;" -o /var/log/fw_mon.cap


Protocol Specific Capture

Note: Protocol number in the syntax has to be provided in Decimal format. Refer to '/etc/protocols' file on the machine, or to 'www.iana.org/assignments/protocol-numbers/'

Capture everything on protocol X:

[Expert@HostName]# fw monitor -e "ip_p=X, accept;" -o /var/log/fw_mon.cap

Everything on protocol X and port Z on protocol Y:

[Expert@HostName]# fw monitor -e "(ip_p=X) or (ip_p=Y, port(Z)), accept;" -o /var/log/fw_mon.cap

Capture everything TCP between host X and host Y:

[Expert@HostName]# fw monitor -e "ip_p=6, host(x.x.x.x) or host(=y.y.y.y), accept;" -o /var/log/fw_mon.cap
[Expert@HostName]# fw monitor -e "accept [9:1]=9 , ((src=x.x.x.x , dst=y.y.y.y) or (src=y.y.y.y , dst=x.x.x.x));"
[Expert@HostName]# fw monitor -e "ip_p=6, ((src=x.x.x.x , dst=y.y.y.y) or (src=y.y.y.y , dst=x.x.x.x)), accept;" -o /var/log/fw_mon.cap


Bytes Specific Capture

Simple checks are used to check for a value at a specific offset in the packet:

[Expert@HostName]# fw monitor -e "accept [ offset : length , order ] relational-operator value;" 

Field Explanation offset specifies the offset relative to the beginning of the IP packet from where the value should be read. length specifies the number of bytes and can be 1 (byte), 2 (word), or 4 (dword). If length is not specified, 'FW Monitor' assumes 4 (dword). order specifies the byte order. Possible values are b (big endian), or l (little endian, or host order). If order is not specified, 'FW Monitor' assumes little endian byte order. relational-operator is a relational operator to express the relation between the packet data and the value: < less than > greater than <= less than or equal to >= greater than = or is equal to != or is not not equal to value is one of the data types known to INSPECT (e.g., an IP address, or an integer).


The IP-based protocols are stored in the IP packet as a byte at offset 9: 

To filter based on a Protocol encapsulated into IP, use "accept [9:1]=Protocol_Number_in_Decimal_format;" syntax

The Layer 3 IP Addresses are stored in the IP packet as double words at offset 12 (Source address) and at offset 16 (Destination address): 

To filter based on a Source IP address, use "accept [12:4,b]=IP_Address_in_Doted_Decimal_format;" syntax To filter based on a Destination IP address, use "accept [16:4,b]=IP_Address_in_Doted_Decimal_format;" syntax

The Layer 4 Ports are stored in the IP packet as a word at offset 20 (Source port) and at offset 22 (Destination port): 

To filter based on a Source port, use "accept [20:2,b]=Port_Number_in_Decimal_format;" syntax To filter based on a Destination port, use "accept [22:2,b]=Port_Number_in_Decimal_format;" syntax


Capture everything between host X and host Y:

[Expert@HostName]# fw monitor -e "accept (([12:4,b]=x.x.x.x , [16:4,b]=y.y.y.y) or ([12:4,b]=y.y.y.y , [16:4,b]=x.x.x.x));" Capture everything on port X:
[Expert@HostName]# fw monitor -e "accept [20:2,b]=x or [22:2,b]=x;" -o /var/log/fw_mon.cap


Network Specific Capture

Capture everything on network 192.168.33.0/24:

[Expert@HostName]# fw monitor -e "net={<192.168.33.0,192.168.33.255>}; dst in net, accept;"


Examples

Capture ESP protocol or UDP port 161 (SNMP):

[Expert@HostName]# fw monitor -e "(ip_p=50) or (ip_p=17, port(161)), accept;" -o /var/log/fw_mon.cap > /dev/null 2>&1 &

Filter out the usual garbage (SMTP, POP3, SSH, Microsoft NetBIOS, Check Point ClusterXL CCP):

[Expert@HostName]# fw monitor -e "(sport!=25) and (dport!=25) and (sport!=110) and (dport!=110) and (sport!=22) and (dport!=22) and (sport!=137) and (dport!=137) and (sport!=8116) and (dport!=8116), accept;" -o /var/log/fw_mon.cap > /dev/null 2>&1 &

Filter out the usual garbage (filter in only TCP protocol, and HTTP and HTTPS ports ; filter out the SSH and FW Logs):

[Expert@HostName]# fw monitor -e "accept (ip_p=6) and (not (sport=22 or dport=22)) and (not (sport=257 or dport=257)) and ((dport=80 or dport=443) or (sport=80 or sport=443);" -o /var/log/fw_mon.cap > /dev/null 2>&1 &

Capture Edge communication on UDP ports 9281, 9282, 9283:

[Expert@HostName]# fw monitor -e "ip_p=17, (host(10.10.10.10) or host(20.20.20.20) or host(30.30.30.30)) and (port(9281) or port(9282) or port(9283)), accept;" -o /var/log/fw_mon.cap