CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

Posted 2005-08-14 by roadrunner (Senior Member)

How can I run a Packet Sniffer on the Firewall?
Solaris comes with 'snoop'. IPSO and AIX come with 'tcpdump.' However, all versions of FireWall-1 since 4.0 come with a 'built-in' packet sniffer called 'fw monitor', which can be used to monitor various packets going in and out of the various parts of FireWall-1. It can show you packets as they are entering and leaving various parts of FireWall-1, which is more than a packet sniffer can do.


Earlier versions of FireWall-1 require the 'fwc' feature, which is included in a management console license. This means this feature may not work on your firewall module if it does not also contain a management console, or at least a management console-type license (a temp license has this feature). More recent versions of FireWall-1 (4.1 SP5 and NG) don't have this limitation.

Usage:

fw monitor [-d] [-D] -e inspect-filter -f filter-file [-l len] [-m mask] [-x offset[,len]] [-o file]
There are four "inspection" points as packets pass through FireWall-1. We choose where we want to "see" packets with the -m option:

  i (PREIN)    Before FireWall-1 processes the packet in the inbound direction
  I (POSTIN)   After FireWall-1 processes the packet in the inbound direction
  o (PREOUT)   Before FireWall-1 processes the packet in the outbound direction
  O (POSTOUT)  After FireWall-1 processes the packet in the outbound direction
Since there can be lots of packets, we need some way of determining which packets we are interested in seeing. We do this by means of an INSPECT filter, which can be typed in directly on the command line or via an INSPECT filter file. One of these options (-f or -e) is required. Once you execute this command, FireWall-1 will compile the specified INSPECT script (either on the command line or in a file), load it into the kernel module, and display the matching packets in the terminal window or write them to the output file in snoop format. It will continue to do this until an interrupt signal is sent to the program (Ctrl-C), after which it will unload the filter and exit.

The INSPECT script should return an "accept" in order for packets to be displayed. Any other return code will cause packets not to be displayed. If you want to only catch packets on a certain interface, do not use 'le0@all' (for example), but instead use 'direction=x,ifid=y' where x=0 for inbound, 1 for outbound, and y is an interface number returned by the 'fw ctl iflist' command. Do not use table names that are used by the security policy.

Here is a table of the command line options you can give to 'fw monitor':

Flag  Description
----  -----------
-d    Turn on debug flag
-D    Turn on debug flag
-e    Specify an INSPECT program line (multiple -e options can be used)
-f    INSPECT filter name. '-' can be used to specify standard input. The -f and -e options are mutually exclusive.
-l    Specify how many bytes of the packet should be transferred from the kernel.
-m    Specify inspection points mask, any one or more of i, I, o, O as explained above. This feature only works on 4.0 SP3 or later.
-o    Specify an output file, which can be viewed with the 'snoop' command on Solaris.
-x    Perform a hex dump of the received data, starting at the specified offset and printing out 'len' bytes.


Examples

fw monitor -e "[9:1]=6, accept;" -l 100 -m iO -x 20
    will display all TCP packets entering and leaving FireWall-1. Up to 80 bytes of TCP header and data will be displayed (assuming no IP Options are used).

fw monitor -e "accept;" -m iI
    will display all packets entering and exiting FireWall-1 in the inbound direction (i.e. before the OS routes the packet).

fw monitor -e "accept src=1.1.1.1;"
    will display all packets originating from 1.1.1.1.

fw monitor -e "accept src=1.1.1.1,dport=80;"
    will display all packets originating from 1.1.1.1 going to port 80.

fw monitor -e "accept ((src=1.1.1.1,dst=2.2.2.2) or (src=2.2.2.2,dst=1.1.1.1));"
    will display all packets exchanged between 1.1.1.1 and 2.2.2.2.

Warnings:

Don't mess with tables used in the security policy or unexpected results will occur, including system crashes. Packets are defragmented as the packets leave FireWall-1 in both the inbound and outbound direction. Anything that causes a fetch, load, or unload of your security policy will cause fw monitor to exit.

There is also a known bug on the IPSO version of FireWall-1 where fw monitor will exit unexpectedly. This will be fixed in the IPSO 3.3 version of 4.1 SP2. In the meantime, you can get around this problem by making sure you filter out OSPF packets with a command like the following:

fw monitor -e 'accept not (ip_p = 89);'

There is a web page that helps you generate INSPECT code for use with fw monitor at http://www.decock.org/ginspect.

In the meantime, Check Point has a PDF for using the commands: http://www.checkpoint.com/techsuppor...or_rev1_01.pdf (NO login required)

-- RobertGraham - 16 Mar 2004


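The post says that -o writes the capture in snoop format for viewing with Solaris 'snoop', and that the INSPECT selectors (src=, dport=, "[9:1]=6") pick packets by fields at fixed offsets. The reader below is an added example, not code from the original post or from Check Point: it parses the RFC 1761 snoop layout (8-byte "snoop" magic, big-endian version and datalink type, then 24-byte record headers), decodes the IPv4/TCP/UDP fields, and re-applies the same kind of selector to a capture off-box, so a file produced on a firewall can be reviewed on any host. It assumes datalink type 4 (Ethernet) framing and a constructed two-packet sample; the helper names (parse_snoop, decode, select, hexdump, build_sample_capture) are this example's own. How a given fw monitor version frames its packets is not stated on the page, so check the first record of a real file before trusting the decode.

```python
"""Reader for the snoop-format file that 'fw monitor -o file' writes (RFC 1761),
plus an emulation of the page's INSPECT selectors (src=, dst=, dport=, [9:1]=6)
over the decoded records, for reviewing a capture off-box without Solaris snoop.

Added example, not code from the original post or from Check Point.  It assumes
the standard RFC 1761 layout with datalink type 4 (Ethernet) frames; the sample
capture is constructed inline."""
import socket
import struct
from dataclasses import dataclass

SNOOP_MAGIC = b"snoop\x00\x00\x00"   # 8-byte file identification
DLT_ETHERNET = 4                      # snoop datalink type for Ethernet
ETH_HDR = bytes.fromhex("00aabbccddee") + bytes.fromhex("001122334455") + b"\x08\x00"


@dataclass
class Record:
    timestamp: float   # seconds since the epoch, microsecond resolution
    wire_len: int      # original length on the wire
    data: bytes        # bytes actually captured (shorter than wire_len when -l truncates)


def parse_snoop(blob: bytes):
    """Return (datalink_type, [Record, ...]); raise ValueError on a malformed file."""
    if blob[:8] != SNOOP_MAGIC:
        raise ValueError("not a snoop file")
    version, dlt = struct.unpack(">II", blob[8:16])   # every snoop field is big-endian
    if version != 2:
        raise ValueError(f"unsupported snoop version {version}")
    records, off = [], 16
    while off < len(blob):
        if off + 24 > len(blob):
            raise ValueError("truncated record header")
        wire_len, incl_len, rec_len, _drops, sec, usec = struct.unpack(">6I", blob[off:off + 24])
        # rec_len covers the 24-byte header, the captured bytes and padding to 4 bytes
        if rec_len < 24 + incl_len or off + rec_len > len(blob):
            raise ValueError(f"corrupt record at offset {off}")
        records.append(Record(sec + usec / 1e6, wire_len, blob[off + 24:off + 24 + incl_len]))
        off += rec_len
    return dlt, records


def decode(rec: Record, dlt: int):
    """Decode the IPv4 header (and TCP/UDP ports) of one record; None if not IPv4."""
    if dlt == DLT_ETHERNET:
        if len(rec.data) < 14 or rec.data[12:14] != b"\x08\x00":   # EtherType IPv4
            return None
        ip = rec.data[14:]
    else:
        ip = rec.data   # assumption: other datalink types carry the raw IP packet
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    info = {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
            "proto": ip[9],            # the byte the page's "[9:1]=6" INSPECT test reads
            "sport": None, "dport": None,
            "wire_len": rec.wire_len, "captured": len(rec.data), "ip": ip}
    if info["proto"] in (6, 17) and len(ip) >= ihl + 4:   # ports sit right after the IP header
        info["sport"], info["dport"] = struct.unpack(">HH", ip[ihl:ihl + 4])
    return info


def select(blob: bytes, **want):
    """Emulate 'accept src=..,dport=..;': keep records whose decoded fields equal every keyword given."""
    dlt, records = parse_snoop(blob)
    return [info for rec in records
            if (info := decode(rec, dlt)) and all(info.get(k) == v for k, v in want.items())]


def hexdump(ip: bytes, offset: int, length: int) -> str:
    """Emulate '-x offset,len' on one IP packet: 'length' bytes starting at 'offset'."""
    return " ".join(f"{b:02x}" for b in ip[offset:offset + length])


# ---- constructed sample capture (not real traffic) ----
def _ipv4(src, dst, proto, payload):
    # header checksum left zero: the packet is only ever parsed, never sent
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload


def _record(frame, snaplen, ts):
    data = frame[:snaplen]              # what 'fw monitor -l snaplen' would keep
    pad = (-len(data)) % 4
    hdr = struct.pack(">6I", len(frame), len(data), 24 + len(data) + pad, 0,
                      int(ts), int(round((ts % 1) * 1e6)))
    return hdr + data + b"\x00" * pad


def build_sample_capture(snaplen=100):
    """Two frames: TCP 1.1.1.1:40000 -> 2.2.2.2:80 with 120 bytes of data (cut by
    snaplen, as '-l 100' cuts it) and a UDP 2.2.2.2:53 -> 1.1.1.1:40001 reply."""
    tcp = struct.pack(">HHIIBBHHH", 40000, 80, 1, 1, 0x50, 0x18, 8192, 0, 0) + b"A" * 120
    udp = struct.pack(">HHHH", 53, 40001, 12, 0) + b"\x00" * 4
    frames = [ETH_HDR + _ipv4("1.1.1.1", "2.2.2.2", 6, tcp),
              ETH_HDR + _ipv4("2.2.2.2", "1.1.1.1", 17, udp)]
    body = b"".join(_record(f, snaplen, 1092700000.25 + i) for i, f in enumerate(frames))
    return SNOOP_MAGIC + struct.pack(">II", 2, DLT_ETHERNET) + body


if __name__ == "__main__":
    cap = build_sample_capture()
    for info in select(cap, proto=6):                       # same idea as -e "[9:1]=6, accept;"
        print(info["src"], info["dst"], info["dport"], info["captured"], "of", info["wire_len"])
        print(hexdump(info["ip"], 20, 8))                    # same idea as -x 20 (past the IP header)
```

The "captured" versus "wire_len" fields show what -l does: the 174-byte TCP frame is stored as 100 bytes, which still covers the IP and TCP headers, so the selector and the port decode keep working on the truncated record. If a real file fails the magic or version check, or decode() returns None for every record, the writer used a different framing than the Ethernet layout assumed here.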