A quick debugging reference sheet of all usable options for the fw monitor tool.
By default the fw monitor sniffing driver is inserted into the 4 locations on the Firewall kernel chain .
Here they are:
i (
PREIN) – inbound direction before firewall Virtual Machine (
VM, and it is CP terminology) .
Most important fact to know about that is that this packet capturing location shows packets
BEFORE any security rule in the policy is applied. That is, no matter what rules say a packet should at
least be seen here, this would prove that packets actually reach the firewall at all.
I (POSTIN) – inbound direction after firewall VM.
o (PREOUT) – outbound direction before firewall VM,
O (POSTOUT) – outbound direction after firewall VM.
You can change point of insertion within the fw chain with :
#
fw monitor –p<i|I|O|o> <where to insert>
Easiest way to specify where to insert is to first see the chain:
#
fw ctl chain
then give relative to any module you see there <+|->module_name
Now the usage itself:
#
fw monitor
Usage: fw monitor [- u|s] [-i] [-d] [-T] <{-e
expression}+|-f <filter-file|->> [-l len] [-m mask] [-x offset[,len]]
[-o <file>] <[-pi pos] [-pI pos] [-po pos] [-pO pos] | -p all [-a
]> [-ci count] [-co count]
Round up of options:
-m mask , which point of capture is to be displayed, possible: i,I,o,O
-d/-D debug output from fw monitor itself, not very useful IMO.
-u|s print also connection/session Universal ID
– i after writing each packet flush stdout
-T add timestamp, not interesting
-e expr expression to filter the packets (in detail later)
-f filter_file the same as above but read expression from file
-l <len> packet length to capture
Expressions
On the very low level fw monitor understands byte offsets from the header
start. So to specify for example 20th byte of the IP packet (that is source IP)
you can just use:
# fw monitor -e 'accept [12,b]=8.8.8.8;'
Where:
12 – offset in bytes from the beginning of the packet
b – mandatory, means big endian order.
4 – not seen here but size (in bytes) of how many bytes to look for from the starting offset (default is 4 )
To look for source port 53 (UDP/TCP) in raw packet:
# fw monitor -m i -e 'accept [20:2,b]=53;'
Here I say to fw monitor to look at 2 bytes at offset 20.
While this way of looking at packets is the most general and therefore includes all cases, you rarely have the need for such a granular looking glass. In 99% of the cases you will be doing alright with a limited known set of expressions.
Just for that Checkpoint defined and kindly provided us in every Splat installation with definition files that give meaningful synonyms to the most used patterns. There are few definition files but they circularly reference each other providing multiple synonyms for the same pattern.
I put all those predefined patterns in the list below for the easy to use reference.
Summary table of possible expressions to be fed to the fw
monitor |
Specifying Hosts |
host(IP_address) | to or from this host |
src=IP_address | where source ip = IP_address |
dst=IP_address | where destination ip = IP_address |
net(network_address,netmask) | to or from this network |
to_net(network_address,netmask) | to this network |
from_net(network_address,netmask) | from this network |
|
Specifying ports |
port(port_number) | having this source or destination port |
sport=port_number | having this source port |
dport=port_number | having this destination port |
tcpport(port_number) | having this source or destination port that is also TCP |
udpport(port_number) | having this source or destination port that is also UDP |
|
Specifying protocols | |
ip_p=<protocol_number_as_per_IANA> | this way you can specifiy any known protocol by its registered number in IANAFor detailed list of protocol numbers see www.iana.org/assignments/protocol-numbers |
icmp | what it says , icmp protocol |
tcp | TCP |
udp | UDP |
|
Protocol specific oprions | |
IP |
ip_tos = <value> | TOS field of the IP packet |
ip_len = <length_in_bytes> | Length of the IP packet in bytes |
ip_src/ ip_dst = <IP_address> | Source or destination IP address of the packet |
ip_p =<protocol_number_as_per_IANA> | See above |
ICMP |
echo_reply | ICMP reply packets |
echo_req | Echo requests |
ping | Echo requests and echo replies |
icmp_error | ICMP error messages (Redirect,Unreachables,Time exceeded,Source quench,Parameter problem) |
traceroute | Traceroute as implemented in Unix (UDP packets to high ports) |
tracert | Traceroute as implemented in Windows (ICMP packets , TTL <30) |
icmp_type = <ICMP types as per RFC> | catch packets of certain type |
icmp_code = <ICMP type as per RFC> | catch packets of certain code |
ICMP types and where applicable respective codes:ICMP_ECHOREPLY ICMP_UNREACH ICMP_UNREACH_NET ICMP_UNREACH_HOST ICMP_UNREACH_PROTOCOL ICMP_UNREACH_PORT ICMP_UNREACH_NEEDFRAG ICMP_UNREACH_SRCFAIL ICMP_SOURCEQUENCH ICMP_REDIRECT ICMP_REDIRECT_NET ICMP_REDIRECT_HOST ICMP_REDIRECT_TOSNET ICMP_REDIRECT_TOSHOST ICMP_ECHO ICMP_ROUTERADVERT ICMP_ROUTERSOLICIT ICMP_TIMXCEED ICMP_TIMXCEED_INTRANS ICMP_TIMXCEED_REASS ICMP_PARAMPROB ICMP_TSTAMP ICMP_TSTAMPREPLY ICMP_IREQ ICMP_IREQREPLY ICMP_MASKREQ ICMP_MASKREPLY |
icmp_ip_len = <length> | Length of ICMP packet |
icmp_ip_ttl = <TTL> | TTL of ICMP packet, use with icmp protocol otherwise will catch ANY packet with TTL given |
< cut here—-bunch of other icmp-related fields like ID ,sequence I don’t see any value in bringing here–> |
|
TCP |
syn | SYN flag set |
fin | FIN flag set |
rst | RST flag set |
ack | ACK flag set |
first | first packet (means SYN is set but ACK is not) |
not_first | not first packet (SYN is not set) |
established | established connection (means ACK is set but SYN is not) |
last | last packet in stream (ACK and FIN are set) |
tcpdone | RST or FIN are set |
th_flags – more general way to match the flags inside TCP packets |
th_flags = TH_PUSH | Push flag set |
th_flags = TH_URG | Urgent flag set |
UDP |
uh_ulen = <length_in_bytes> | Length of the UDP header (doesnt include IP header) |
And the last thing to remember before we move to examples – expressions support logical operators and numerical values support relative operators:
and – logical AND
or – logical OR
not – logical NOT
> MORE than
< LESS than
>= MORE than or EQUAL to
<= LESS than or EQUAL to
You can combine logical expressions and influence order by using ()
Below is laundry list of examples to showcase the reference table above.
# fw monitor -m i -e 'accept host(208.44.108.136) ;'
# fw monitor -e 'accept src=216.12.145.20 ;' packets where source ip = 216.12.145.20
# fw monitor -e 'accept src=216.12.145.20 or dst= 216.12.145.20;' packets where source or destination ip = 216.12.145.20
# fw monitor -e 'accept port(25) ;' packets where destination or source port = 25
# fw monitor -e 'accept dport=80 ;' packets where destination port = 80
# fw monitor -e 'accept sport>22 and dport>22 ; ' packets with source and destination ports greater than 22
# fw monitor -e 'accept ip_len = 1477;' packets where their length equals exactly 1477 bytes
# fw monitor -e 'accept icmp_type=ICMP_UNREACH;' ICMP packets of Unreachable type
# fw monitor -e 'accept from_net(216.163.137.68,24);' packets having source IP in the network 216.163.137.0/24
# fw monitor -e 'accept from_net(216.163.137.68,24) and port(25) and dst=8.8.8.8 ;' packets coming from network 216.163.137.0/24 that are destined to the host 8.8.8.8 and hving source or destination port = 25
# fw monitor -m i -x 40,450 -e 'accept port(80);' incoming packets before any rules are applied also
display contents of the packet starting at 40th byte of 450 bytes length
# fw monitor -m i -pi -ipopt_strip -e 'accept host(66.240.206.90);' incoming packets from/to host 66.240.206.90 , insert sniffer before module named ipopt_strip
# fw monitor -D -m i -pi -ipopt_strip -e 'accept host(66.240.206.90);' same as above but add debug info
There is something I didn’t include in the previous post
fw monitor command reference about fw monitor as I think it is rather optional and you can do well without it . I talk about tables in defining filter expressions. INSPECT – proprietary scripting language by the Checkpoint on which filtering expressions are based allows creating tables.
I won’t delve into INSPECT syntax (for today) but will list the following examples you can easily modify to suit your needs.
Legend:
{} – delimit the table
<,> – specify range of values inside (e.g. <22,25> means from 22 up to 25 inclusive)
ifid – interface identifier
#fw monitor -e "bad_ports = static {22,25,443}; accept dport in bad_ports;” packets with destination port bein" equal to 22,25 or 443
#fw monitor -e " bad_ports = static {<22,25>} ; accept dport in bad_ports;" packets with destination ports being equal to 22,23,24 or 25
# fw monitor -e " bad_ports = static {<22,25>,<80,443>} ; accept dport in bad_ports;" packets with destination ports being in ranges 22-25 or 80-443
#fw monitor -e "bad_nets = static {<194.1.0.0,194.1.255.255>} ;accept src in bad_nets;" packets originated in range of networks 194.1.0.0 – 194.1.255.255
#fw ctl iflist Here I see what are the index values of each interface card
0 : Internal
1 : External
#fw monitor -e "bad_nets = static {<194.1.0.0,194.1.255.255>} ;accept src in bad_nets and ifid=0;" packets originated in range of networks 194.1.0.0 – 194.1.255.255 and captured on interface eth3 only
[Expert@bostestint-fwa:0]# fw ctl chain
in chain (11):
0: -7f800000 (ffffffff8882b820) (ffffffff) IP Options Strip (in) (ipopt_strip)
1: - 1fffff8 (ffffffff8882d050) (00000001) Stateless verifications (in) (asm)
2: - 1fffff7 (ffffffff8886eb00) (00000001) fw multik misc proto forwarding
3: - 1000000 (ffffffff88911d10) (00000003) SecureXL conn sync (secxl_sync)
4: 0 (ffffffff887ceee0) (00000001) fw VM inbound (fw)
5: 10 (ffffffff887e3690) (00000001) fw accounting inbound (acct)
6: 10000000 (ffffffff88910330) (00000003) SecureXL inbound (secxl)
7: 7f600000 (ffffffff88820bf0) (00000001) fw SCV inbound (scv)
8: 7f730000 (ffffffff88a35fb0) (00000001) passive streaming (in) (pass_str)
9: 7f750000 (ffffffff88c53260) (00000001) TCP streaming (in) (cpas)
10: 7f800000 (ffffffff8882bbe0) (ffffffff) IP Options Restore (in) (ipopt_res)
out chain (10):
0: -7f800000 (ffffffff8882b820) (ffffffff) IP Options Strip (out) (ipopt_strip)
1: - 1fffff0 (ffffffff88c534a0) (00000001) TCP streaming (out) (cpas)
2: - 1ffff50 (ffffffff88a35fb0) (00000001) passive streaming (out) (pass_str)
3: - 1f00000 (ffffffff8882d050) (00000001) Stateless verifications (out) (asm)
4: - 1ff (ffffffff88e6eb80) (00000001) NAC Packet Outbound (nac_tag)
5: 0 (ffffffff887ceee0) (00000001) fw VM outbound (fw)
6: 10000000 (ffffffff88910330) (00000003) SecureXL outbound (secxl)
7: 7f000000 (ffffffff887e3690) (00000001) fw accounting outbound (acct)
8: 7f700000 (ffffffff88c53690) (00000001) TCP streaming post VM (cpas)
9: 7f800000 (ffffffff8882bbe0) (ffffffff) IP Options Restore (out) (ipopt_res)
[Expert@bostestint-fwa:0]#
with FW Monitor running
[Expert@bostestint-fwa:0]# fw ctl chain
in chain (13):
0: -7f800000 (ffffffff8882b820) (ffffffff) IP Options Strip (in) (ipopt_strip)
1: -70000000 (ffffffff88804d70) (ffffffff) fwmonitor (i/f side)
2: - 1fffff8 (ffffffff8882d050) (00000001) Stateless verifications (in) (asm)
3: - 1fffff7 (ffffffff8886eb00) (00000001) fw multik misc proto forwarding
4: - 1000000 (ffffffff88911d10) (00000003) SecureXL conn sync (secxl_sync)
5: 0 (ffffffff887ceee0) (00000001) fw VM inbound (fw)
6: 10 (ffffffff887e3690) (00000001) fw accounting inbound (acct)
7: 10000000 (ffffffff88910330) (00000003) SecureXL inbound (secxl)
8: 70000000 (ffffffff88804d70) (ffffffff) fwmonitor (IP side)
9: 7f600000 (ffffffff88820bf0) (00000001) fw SCV inbound (scv)
10: 7f730000 (ffffffff88a35fb0) (00000001) passive streaming (in) (pass_str)
11: 7f750000 (ffffffff88c53260) (00000001) TCP streaming (in) (cpas)
12: 7f800000 (ffffffff8882bbe0) (ffffffff) IP Options Restore (in) (ipopt_res)
out chain (12):
0: -7f800000 (ffffffff8882b820) (ffffffff) IP Options Strip (out) (ipopt_strip)
1: -70000000 (ffffffff88804d70) (ffffffff) fwmonitor (i/f side)
2: - 1fffff0 (ffffffff88c534a0) (00000001) TCP streaming (out) (cpas)
3: - 1ffff50 (ffffffff88a35fb0) (00000001) passive streaming (out) (pass_str)
4: - 1f00000 (ffffffff8882d050) (00000001) Stateless verifications (out) (asm)
5: - 1ff (ffffffff88e6eb80) (00000001) NAC Packet Outbound (nac_tag)
6: 0 (ffffffff887ceee0) (00000001) fw VM outbound (fw)
7: 10000000 (ffffffff88910330) (00000003) SecureXL outbound (secxl)
8: 70000000 (ffffffff88804d70) (ffffffff) fwmonitor (IP side)
9: 7f000000 (ffffffff887e3690) (00000001) fw accounting outbound (acct)
10: 7f700000 (ffffffff88c53690) (00000001) TCP streaming post VM (cpas)
11: 7f800000 (ffffffff8882bbe0) (ffffffff) IP Options Restore (out) (ipopt_res)
[Expert@bostestint-fwa:0]#
Inbound
-------
NIC
Wireside Acct/Virtual Reass IP Options Strip (in) (ipopt_strip)
VPN Dec
VPN verify
VM/NAT
Accounting
VPN Policy
FG Policy
IQ Engine
RTM/E2E
TCP/IP
Outbound
-------
TCP/IP
Virtual Reass/Wireside Acct
VM/NAT
VPN Policy
FG Policy
VPN Enc
IQ Engine
Accounting
RTM/E2E
NIC
Reference: http://yurisk.info/2009/12/12/fw-monitor-command-reference/