The Moose and Squirrel Files

August 26, 2009

Making Checkpoint’s FW Monitor more like Tcpdump

Filed under: checkpoint — Tags: — networknerd @ 10:51 pm

Every checkpoint firewall, regardless of platform, includes the packet capture utility fw monitor. The problem with fw monitor is the cryptic inspect syntax that you need to learn to create a capture filter. Unfortunately, if your looking for support from checkpoint then your stuck with fw monitor. To simplify the process I have created a couple of macros that help bridge the gap between the two syntaxes.

When capturing with tcpdump I generally use the host and port commands to reduce the traffic to a particular set of conversations between hosts. An example expression, in tcp dump syntax, to capture all dns traffic either udp or tcp between 192.168.1.1 and 192.168.1.12 is shown below.

"host 192.168.1.1 and 192.168.1.12 and port 53"

After creating a few simple inspect macros we can do the equivalent  using fw monitor with

accept host(192.168.1.1) and host(192.168.1.12) and port(53);

This is not a bad approximation. The only differences are  brackets needed to pass the parameters to the macro, and a repeat of the host command.

The savings are obvious compared to the complete  inspect script syntax shown below.

accept (
(ip_src=192.168.1.1 or ip_src=192.168.1.12) and \
(ip_dst=192.168.1.1 or ip_dst=192.168.1.12) \
) and \
(
(ip_p=PROTO_tcp and (th_sport=53 or th_dport=53)) or \
(ip_p=PROTO_udp and (uh_sport=53 or uh_dport=53)) \
);

 The macros can be saved in a separate library file and included in a filter file or you can just include all the macros in one large command file with the filter expression as shown below.


#include "tcpip.def"
#define src ip_src
#define dst ip_dst
#define sport th_sport
#define dport th_dport
#define port(portnum) ((ip_p=PROTO_tcp and (sport=portnum or dport=portnum)) or \
(ip_p=PROTO_udp and (uh_sport=portnum or uh_dport=portnum)))
#define srcport(portnum) ((ip_p=PROTO_tcp and sport=portnum) or \
(ip_p=PROTO_udp and uh_sport=portnum))
#define dstport(portnum) ((ip_p=PROTO_tcp and dport=portnum) or \
(ip_p=PROTO_udp and uh_dport=portnum))
#define host(hostip) ((src=hostip) or (dst=hostip))

/* dns traffic between hosts */
accept host(192.168.1.1) and host(192.168.1.12) and port(53);

Once saved to a file, say myfilter.def,  it is a simple matter of running

fw monitor -i -f myfilter.def

and generating, or waiting for the traffic you need to capture.

Advertisements

Leave a Comment »

No comments yet.

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Create a free website or blog at WordPress.com.

%d bloggers like this: