Alw@ys Knw Wh@ts Happening inside your KERNEL - “A CHEAT SHEET”

FW MONITOR - Monitor your KERNEL..


Many People have problems with their daily life, is just bcoz they dont know what is/was happening INSIDE, I could never trouble shoot the KERNEL of Mine, but definitely did in my Favorite Product CheckPoint..

Yes.. Always monitor the each points (don't simply believe ALL IZZZ WELL..) Nothing gonna be Well untill and unless you have the control on each point of the Process..

Here we go,, FW Monitor,

Why fw monitor?

The fw monitor utility is similar to ‘snoop’ and ‘tcpdump’ in being able to capture and display packet information. Unlike snoop or tcpdump, fw monitor is always available on FW-1, can show all interfaces at once and can have insertion points between different Check Point modules. The fw monitor commands are the same on every platform.

Fw monitor syntax:

There are many options for the fw monitor command and these can be seen by typing fw monitor –h on the command line;

fw monitor -h

Usage: fw monitor [- u|s] [-i] [-d] <{-e expr}+|-f > [-l len] [-m mask] [-x offset[,len]] [-o ] <[-pi pos] [-pI pos] [-po pos] [-pO pos] | -p all [-a ]> [-ci count] [-co count]

Each option is fully explained in the Check Point document How to use fw monitor.

Brief option description:

-u|s, is used to show the uuid which is the same number during the entire connection
-i, is used to make sure that all info is written to standard output immediately
-d|D, is used to put fw monitor in debug or more Debug modes
-e, is used for the user defined expressions
-f, for the filter file
-l, is used to limit the packet length captured
-m, is a mask of interface such as the default mask of iIoO
-x, prints the packet data to the screen
-o, output file
-p[x] pos, is used to set the insertion point of the monitor
-p all, places insertion points between each module
-ci count, is used to break out of fw monitor after incoming packets
-co count, is used to break out of fw monitor after outgoing packets

Reading the output:

El59x1:i[48]: -> (TCP) len=48 id=944

TCP: 1034 -> 21 .S.... seq=78caaa74 ack=00000000

Filter expressions:

A great reference for filter expressions is the tcpip.def file located at $FWDIR/lib.
In this document we will just describe a few and how they work.
#define ip_tos [ 1 : 1]
#define ip_len [ 2 : 2, b]
#define ip_id [ 4 : 2, b]
#define ip_off [ 6 : 2, b]
#define ip_ttl [ 8 : 1]
#define ip_p [ 9 : 1]
#define ip_sum [ 10 : 2, b]
#define ip_src [ 12 , b]
#define ip_dst [ 16 , b]
#define PROTO_icmp 1
#define PROTO_icmp6 58
#define PROTO_tcp 6
#define PROTO_udp 17

This sample of the tcpip.def file shows how the macros used in the firewall are defined.
For example ip_src is [ 12, b]. This means that at offset 12 bytes data is read in big endian to gain the source ip address.

ip_len is defined as [ 2 :2, b]. This means that at offset 2 bytes, a 2 byte length is read in big endian to determine the ip length field.

These expressions can be used in an fw monitor command to filter on whatever is needed.
For example to capture packets to and from one ip address of interest we could use,
fw monitor –e “accept [12, b]= or [16, b]=;”
OR you could use the macro definition
fw monitor –e “accept src= or dst=;”

Using the macro definitions is usually easier to remember.

In this doc we will use the macros in the tcpip.def file.

Syntax Examples (cheat sheet);
Basic capture of everything on all interfaces,
fw monitor

To filter on an ip of interest,

-e “accept src=;”
This will show just source address matching src.

-e “accept src= or dst=;”
This will show both source and destination matching src or dst and is an example of the Or operator in use.

To filter on a particular protocol of interest,

-e “accept ip_p=6;”
This will show TCP packets only.

-e “accept ip_p=17;”
This will show UDP packets only.

-e “accept ip_p=6 or ip_p=50;”
This will show TCP and ESP protocols

Making a slightly more complex expression we will use ip address and protocol type as an example.
-e “accept ip_p=6 and src=;”
This is an example of the And operator in use. If we used ping to test the fw monitor would not show these packets, but if we used ftp to connect to then all packets with a source of would be shown.

To filter on an packet length

-e “accept ip_len=60;”
This will show all packets with the IP header and Data length of 60 bytes.
A standard Windows ping is 60 bytes total. This is found by adding the IP header of 20 bytes to the 8 bytes ICMP header and 32 bytes of ICMP data.

If we were trying to filter only packets larger or smaller than a certain size we could use;
-e “accept ip_len>512;”
This will show ip packets larger than 512 bytes.
-e “accept ip_len <512;”
This will show packets smaller than 512 bytes.
-e “accept ip_len > 60 and ip_len<70;”
This will show packets between 61 and 69 bytes long.

Note that ip_len is defined as the IP header and Data.

To filter on a source port or destination port

-e “accept sport=21;”
This will show packets from port 21.
-e “accept dport=21;”
This will show destination port 21
-e “accept sport=21 or dport=21;”
This will show source or destination port 21.

Note; that the definitions for sport, th_sport, and uh_sport are all the same [20: 2, b]. The same is true for dport, th_dport and uh_dport [22: 2, b]. This means a filter as set above will show port 21 even if it is a UDP port. If you wanted to filter only TCP ports you would have to add expressions.
-e “accept ip_p=6 and sport=21 or dport=21;”
This would show port 21 and only TCP.

To filter on a port and an IP address

-e “accept sport=21 or dport=21 and src= or dst=;”

To filter flags or TCP states

The th_flags macro can be used in different ways and can get confusing so here is a brief explanation. The definitions below show how the macros for the flags are defined. In the syntax we can use the hexadecimals listed in this manner.
TH_FIN 0x1
TH_SYN 0x2
TH_RST 0x4
TH_ACK 0x10
TH_URG 0x20
-e “accept th_flags=0x1;”
will only see packets that have only the FIN flag set. If any other flag is set also it will not show up.
-e “accept th_flags=0x11;”
This will show packets with FIN and ACK flags set.
As you can see the hex numbers can be added together to reflect the flags you want.
OR we can use the following syntax;
-e “accept th_flags & 0x1;”
This will show packets with the FIN flag set even if other flags are set. This expression basically says look for flags AND if FIN is set show it.
-e “accept th_flags = fin;”
This will show packets with a FIN flag set even if other flags are set since fin is already defined as seen below in this sample of the tcpip.def file. Any of the below can be used.

syn { th_flags & TH_SYN };
fin { th_flags & TH_FIN };
rst { th_flags & TH_RST };
ack { th_flags & TH_ACK };
first { th_flags & TH_SYN, not (th_flags & TH_ACK) };
established { (th_flags & TH_ACK) or ((th_flags & TH_SYN) = 0) };
not_first { not ( th_flags & TH_SYN ) };
last { th_flags & TH_FIN, th_flags & TH_ACK };
tcpdone { fin or rst };

To filter on ICMP types

-e “accept icmp_type=8;”
This will show echo requests.
-e “accept icmp_type=0;”
This will show echo replies.
See the tcpip.def file to see the icmp_type definitions. Here are a couple of examples,
8= echo
0= echo reply
3= unreachable
5= redirect
11= ttl exceeded

To set the mask on filter

-m io
Will show pre-in and pre-out packets
-m IO
Will show post-in and post-out packets
The mask defaults to iIoO and shows all four inspection points. It can be set with the –m option to be whatever you want.

To set the packet capture count

-ci 3
Will show 3 incoming packets and the break out.
-m i –ci 4
Will show 4 incoming packets on the pre-in interface.

To print the packet payload use the –x option

-x 52, 96
This example would show packet data starting at offset 52 and printing 96 bytes to the screen. Output to a file gives all data any way so this is usually not needed.
The offset starts with the IP header. i.e. offset of 40 would give the start of data offset of 55 bytes in an http packet. 20 bytes ip header, 20 bytes tcp header.

To set the monitor position in the fw chain

-pi 3 –po 2
These are relative positions in the fw chain. The chain can be seen by typing fw ctl chain on the command line.

To change the insertion point you can use the relative position ie 1,2,3 etc.
Or you can use the alias such as secxl_sync. All details to usage and syntax can be found in How to use fw monitor.

Default insertion points

In using the relative number use the number after the module where you want it inserted, in other words if relative number 2 is Secxl_sync and you want to insert after this module then use –pi 3. If you use –pi 3 it is inserted after relative number 2. If using the alias then use the alias after where you want it installed. In other words, if you use –pi Secxl_sync then the position will be inserted before Secxl_sync. See Figure below.

NG AI has a new position option –p all which inserts at each point in the chain.

To filter packets that are part of a network or a range of ip addresses

-e “accept netof src=;”
This will show all packets with an address on network
A mask can not be set, it is implied by the address. So if you have subnetted further you will need a different syntax to capture a range of addresses.
-e “internal = {<,>}; accept ( in internal);”
This will show all packets in the internal definition.

Putting it together with more complex expressions;
-e “accept not (src=;”
To see all but src above.
-e “accept sport=21 and not (src=;”
To see source port 21 but not from

-e “accept src= or dst= and not (sport=22 or dport=22);”
To see everything to and from ip except ssh.

-e “accept src= or dst= and not (sport=21 or dport=21) and not (sport=22 or dport=22);”
To show all to an from ip except ssh and ftp.

-ci 200 –m iI –pi Secxl_sync –e “accept ip_p=6 and netof src= and not (sport=22 or dport=22);”
This will show 200 incoming packets before breaking out, with a mask of iI showing both pre-in and post-in with the monitor insertion point being before the Secxl_sync module in the chain. In addition it will only show TCP packets that have an ip address that is part of network but not the ssh protocol.

This may be more complex than is reasonable but it shows what can be done with fw monitor.

I hope this is explanatory.. Pls write to me in case of quries.. :-)


0 Responses to "Alw@ys Knw Wh@ts Happening inside your KERNEL - “A CHEAT SHEET”"

Post a Comment

Search This Blog

Blog Archive

Total Pageviews