Check Point's fw monitor utility performs packet captures similar to tcpdump and Wireshark. Unlike those tools it operates above layer 2, so the capture contains no MAC address information; it does, however, carry additional information from the firewall about the interface and direction (inspection point) of each packet.
To view this additional information in Wireshark some extra configuration is required.
- Select Edit/Preferences/Protocols/Ethernet
- Check the box labelled "Attempt to interpret as Firewall-1 monitor file" and press OK
- Select Edit/Preferences/User Interface/Columns
- Click Add to add a new column and name it Interface
- From the Format dropdown list box select FW-1 monitor if/direction and press OK
Save the text below to a file named colorise.txt (each rule is one line of the form @name@display filter@[background][foreground], with no spaces around the @ separators):
# DO NOT EDIT THIS FILE! It was created by Wireshark
@FW-Mon-i@fw1.direction contains "i"@[65535,65535,0][0,0,0]
@FW-Mon-I@fw1.direction contains "I"@[37008,61166,37008][0,0,0]
@FW-Mon-o@fw1.direction contains "o"@[44461,55512,59110][0,0,0]
@FW-Mon-O@fw1.direction contains "O"@[31161,49051,54875][0,0,0]
- Select View/Coloring Rules
- Click Import and open the file saved above
- Select the last 4 rules and move them to the top of the list by clicking the Up button
- Press OK
You're now ready to view fw monitor files in Wireshark.
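As an added helper (not part of the original post), the Python below parses and normalizes a colorfilters file like the one above, stripping the stray blanks a hand-edited file tends to pick up around the @ separators, and tallies packets per interface and fw monitor inspection point from a tshark field export. It assumes the colorfilters line format @name@filter@[bg][fg] with 16-bit colour values and the field names fw1.interface and fw1.direction; the export data is a constructed sample.

```python
import re
from collections import Counter

# Wireshark colorfilters rule: @name@display filter@[bg r,g,b][fg r,g,b],
# colour components being 16-bit (0..65535) as in the rules above.
RULE_RE = re.compile(r"^@(?P<name>[^@]*)@(?P<filter>[^@]*)@"
                     r"\[(?P<bg>\d+,\d+,\d+)\]\[(?P<fg>\d+,\d+,\d+)\]\s*$")
# fw monitor inspection points reported in fw1.direction:
# i pre-inbound, I post-inbound, o pre-outbound, O post-outbound.
INSPECTION_POINTS = set("iIoO")

# The rules from the post, as written (note the stray blanks around '@').
SAMPLE_RULES = """# DO NOT EDIT THIS FILE! It was created by Wireshark
@FW-Mon-i @ fw1.direction contains "i"@[65535,65535,0][0,0,0]
@FW-Mon-I @fw1.direction contains "I"@[37008,61166,37008][0,0,0]
@FW-Mon-o@fw1.direction contains "o"@[44461,55512,59110][0,0,0]
@FW-Mon-O@ fw1.direction contains "O"@[31161,49051,54875][0,0,0]
"""
# Constructed tshark "-T fields -e fw1.interface -e fw1.direction" export.
SAMPLE_EXPORT = "eth0\ti\neth0\tI\neth1\to\neth1\tO\neth0\ti\n"


def parse_rule(line):
    """Parse one rule, trimming blanks a hand-edited file may carry around '@'."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError("not a colorfilters rule: %r" % line)
    bg, fg = (tuple(int(c) for c in m[k].split(",")) for k in ("bg", "fg"))
    return dict(name=m["name"].strip(), filter=m["filter"].strip(), bg=bg, fg=fg)


def normalize_rules(text):
    """Re-emit every rule in canonical form; comments and blank lines are kept."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            out.append(line)
            continue
        r = parse_rule(line)
        out.append("@%s@%s@[%d,%d,%d][%d,%d,%d]"
                   % ((r["name"], r["filter"]) + r["bg"] + r["fg"]))
    return "\n".join(out) + "\n"


def summarize_directions(tsv):
    """Count packets per (interface, inspection point) in a field export."""
    counts = Counter()
    for line in tsv.strip().splitlines():
        iface, direction = line.split("\t")[:2]
        if direction not in INSPECTION_POINTS:  # not decoded as fw monitor
            raise ValueError("unexpected fw1.direction value %r" % direction)
        counts[(iface, direction)] += 1
    return counts
```

A direction value outside i/I/o/O in the export is the quickest sign that the Ethernet preference from the steps above was not applied when the file was read.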