CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.

Thread: I only see syn packets when I do a capture

  1. #1
    Join Date
    2012-05-27
    Posts
    4
    Rep Power
    0

    I only see syn packets when I do a capture

    Hi,

    I'm new to Check Point and fw monitor. I read the "How to use fw monitor" PDF from Check Point and I know how to move around in the ctl chain with -m and -p, save to a file, and I have my Wireshark all set up to show the interface and capture points. But I still have some questions.

    First, for a VSX firewall, if I know the src and dst IP addresses, is there any reason to use the -v option?

    And my main question: what am I doing wrong? I use a command line such as "fw monitor -e 'accept host(192.168.1.10);'" but all I see are SYN packets coming from the host, but I know the connection works, so why can't I capture the whole connection? I know the PDF is out of date, but I can't even bring up the help screen ("fw ?" shows there should be a "fw monitor -h" command, but when I try it, it says unknown command "-h"). The firewall is in bridge mode; could that be an issue?

    I just found out that the Gaia install has tcpdump on it and I figured out the interfaces (I used fw monitor to find the int) and it captures the whole conversation, but where in the chain is it listening?

    Thanks in advance for any help.

    Tom

  2. #2
    Join Date
    2009-04-14
    Location
    Ohio
    Posts
    405
    Rep Power
    15

    Re: I only see syn packets when I do a capture

    Let me guess, you're running SecureXL? SecureXL always messes with "fw monitor" captures due to the nature of SecureXL acceleration. The only thing you can use for packet captures with SecureXL enabled is tcpdump. I'm not sure where tcpdump sits in the processing chain.

  3. #3
    Join Date
    2012-05-27
    Posts
    4
    Rep Power
    0

    Re: I only see syn packets when I do a capture

    Thanks, Bmolnar, yes we are running SecureXL. At least that tells me I'm not crazy or completely inept, not completely, anyway.

    Tom

  4. #4
    Join Date
    2012-09-28
    Posts
    13
    Rep Power
    0

    Re: I only see syn packets when I do a capture

    Hi,

    Try deactivating acceleration with "fwaccel off" if there is no high CPU on your system. tcpdump will also work except in certain scenarios (some internal interfaces in Crossbeam, for instance).

    Greetings

    JRRR

  5. #5
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,252
    Rep Power
    18

    Re: I only see syn packets when I do a capture

    Quote Originally Posted by jrrodrigo
    Hi,

    Try deactivating acceleration with "fwaccel off" if there is no high CPU on your system. tcpdump will also work except in certain scenarios (some internal interfaces in Crossbeam, for instance).

    Greetings

    JRRR
    Turning off SecureXL can have a dramatic impact on firewall performance if you are relying on auto-affinity to distribute IRQ processing, since when SecureXL is disabled all IRQ processing is slammed onto CPU 0, which will almost certainly not be able to keep up on busier networks, and you will pile up RX-DRPs. Some little-known commands allow you to disable SecureXL per interface:

    sim if
    (verify that interface ethX is accelerated: the last digit of the F column should be 1 if accelerated)

    sim nonaccel -s ethX
    (disable acceleration just on interface ethX)

    fwaccel off;fwaccel on
    (restart SecureXL to make the change take effect; yes, SecureXL will be off for an instant, but that is far better than leaving it off for the duration of your capture)

    sim if
    (verify that ethX is not accelerated: the last digit of the F column should be 0 if non-accelerated)

    (run capture on ethX)

    sim nonaccel -c ethX
    (enable acceleration for ethX)

    fwaccel off;fwaccel on

    sim if
    (verify that ethX is accelerated once again: the last digit of the F column should be 1 if accelerated)
    Last edited by ShadowPeak.com; 2014-11-18 at 13:52.
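The per-interface procedure above has one practical failure mode: if the capture is killed with Ctrl-C, or tcpdump/fw monitor exits on a bad filter, it is easy to walk away with ethX still non-accelerated. The script below is an added example, not code from the thread or from Check Point; it wraps the same command sequence (sim if, sim nonaccel -s/-c ethX, fwaccel off;fwaccel on) so that acceleration is restored on every exit path. It assumes Gaia expert mode with sim, fwaccel, tcpdump and fw monitor in PATH; the command syntax is exactly what the post quotes, while the function names (is_valid_iface, restart_securexl, reaccel, capture_nonaccel) and the argument layout are this example's own. The sim if output is shown to the operator rather than parsed, because the post only says which digit of the F column to look at, not the full column layout.

```shell
#!/bin/sh
# Added example, not from the CPUG thread: a wrapper around the
# per-interface SecureXL bypass in the post above (sim nonaccel -s/-c,
# fwaccel off;fwaccel on, sim if) that restores acceleration even when
# the capture fails or is interrupted with Ctrl-C. Assumes Gaia expert
# mode with sim, fwaccel, tcpdump and fw monitor in PATH. The command
# syntax is as quoted in the post; the function names and argument
# layout are this example's own. "sim if" output is shown, not parsed.

# Accept a plain interface name only, so nothing with shell
# metacharacters is ever handed to sim.
is_valid_iface() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# The post's way of making a nonaccel change take effect: a full
# SecureXL restart. Acceleration is off for an instant.
restart_securexl() {
    fwaccel off && fwaccel on
}

# Re-enable acceleration on interface $1. Runs from the EXIT trap as
# well as on the normal path, so a capture that dies or is interrupted
# cannot leave the interface non-accelerated.
reaccel() {
    if sim nonaccel -c "$1" && restart_securexl; then
        sim if >&2                      # after: F column should end in 1
    else
        echo "WARNING: could not re-enable acceleration on $1;" \
             "run by hand: sim nonaccel -c $1; fwaccel off; fwaccel on" >&2
    fi
}

# capture_nonaccel IFACE CAPTURE-COMMAND [ARGS...]
# Disables acceleration on IFACE, runs the capture command, restores
# acceleration, and returns the capture command's exit status.
capture_nonaccel() {
    iface=$1
    shift
    is_valid_iface "$iface" || {
        echo "capture_nonaccel: bad interface name: '$iface'" >&2
        return 2
    }
    # Every exit path from here on restores acceleration: Ctrl-C turns
    # into exit 130, and exit runs reaccel through the EXIT trap.
    trap 'reaccel "$iface"' EXIT
    trap 'exit 130' INT TERM
    sim if >&2                          # before: F column should end in 1
    if sim nonaccel -s "$iface" && restart_securexl; then
        sim if >&2                      # now: F column should end in 0
        "$@"
        rc=$?
    else
        echo "capture_nonaccel: could not disable acceleration on $iface" >&2
        rc=1
    fi
    trap - EXIT INT TERM
    reaccel "$iface"
    return "$rc"
}

main() {
    if [ $# -lt 2 ]; then
        echo "usage: $0 IFACE CAPTURE-COMMAND [ARGS...]" >&2
        echo "  e.g. $0 eth1 tcpdump -nni eth1 -w /tmp/h.pcap host 192.168.1.10" >&2
        echo "  e.g. $0 eth1 fw monitor -e 'accept host(192.168.1.10);' -o /tmp/h.cap" >&2
        exit 64
    fi
    capture_nonaccel "$@"
}

# Only run when given arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as `./nonaccel-capture.sh eth1 tcpdump -nni eth1 -w /tmp/h.pcap host 192.168.1.10` (the file name is the example's own). The two sim if calls before and after the capture are there for the same reason as in the post: eyeball the last digit of the F column for ethX, since the script does not attempt to interpret that output. Note that the restore path still does the fwaccel off;fwaccel on restart, so the brief moment with SecureXL fully off happens twice per capture, once on the way in and once on the way out.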
