The Moose and Squirrel Files

August 27, 2009

Viewing Checkpoint fw monitor files in Wireshark

Filed under: checkpoint — Tags: , — networknerd @ 11:48 am

Checkpoints fw monitor utility performs packet captures similar to tcpdump and wireshark. Unlike these utilities it operates above layer 2 and contains no mac address information.  It does contain additional information from the firewall on interface and direction.

To view this additional information in wireshark some extra configuration is required.

  1. Select edit/preferences/protocols/ethernet
  2. Check the box labelled “Attempt to interpret as Firewall-1 monitor file” and press ok
  3. Select edit/preferences/User Interface/columns
  4. Click add to add a new column and name it interface.
  5. From the format dropdown listbox select FW-1 monitor if/direction and press ok

Save the text below to a file colorise.txt

# DO NOT EDIT THIS FILE!  It was created by Wireshark
@FW-Mon-i @ fw1.direction contains "i"@[65535,65535,0][0,0,0]
@FW-Mon-I @fw1.direction contains "I"@[37008,61166,37008][0,0,0]
@FW-Mon-o@fw1.direction contains "o"@[44461,55512,59110][0,0,0]
@FW-Mon-O@ fw1.direction contains "O"@[31161,49051,54875][0,0,0]

  1. Select View/coloring rules
  2. Click import and open the saved file from above
  3. Select the last 4 rules and move them to the top of the list by clicking the up button
  4. Press ok

Your now ready to view the fw monitor files in wireshark.

References

Wireshark modification for FW Monitor files

About these ads

1 Comment »


RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Shocking Blue Green Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: