CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: Live capturing of fw monitor in Wireshark

  1. #1

    Live capturing of fw monitor in Wireshark

    Hi experts,

    Instead of capturing fw monitor data to a file with the -o option, I'd like to know if there is a way of piping it directly to Wireshark (through an SSH tunnel, etc.)?
    We got it working with tcpdump, but we are explicitly looking for a fw monitor solution.

    Thanks in advance!
    Danny Jung

  2. #2

    Re: Live capturing of fw monitor in Wireshark

    Quote Originally Posted by danjun:
    Hi experts,

    Instead of capturing fw monitor data to a file with the -o option, I'd like to know if there is a way of piping it directly to Wireshark (through an SSH tunnel, etc.)?
    We got it working with tcpdump, but we are explicitly looking for a fw monitor solution.

    Thanks in advance!
    Danny Jung

    How did you do it with tcpdump?

    Just a guess, you could do a

    source /etc/profile ; fw monitor -e "blah,accept;" -i -o /dev/stdout >& /dev/null

    That would cause fw monitor (in theory, have not tested) to write its binary output to stdout, which, assuming your ssh is piping data into Wireshark via a pipe, should work.

  3. #3

    Re: Live capturing of fw monitor in Wireshark

    Quote Originally Posted by jflemingeds:
    How did you do it with tcpdump?

    Just a guess, you could do a

    source /etc/profile ; fw monitor -e "blah,accept;" -i -o /dev/stdout >& /dev/null

    That would cause fw monitor (in theory, have not tested) to write its binary output to stdout, which, assuming your ssh is piping data into Wireshark via a pipe, should work.

    It seems GAIA or fw monitor does not like it when you write to /dev/stdout:
    "monitor: error opening output file /dev/stdout: No such device or address"

  4. #4

    Re: Live capturing of fw monitor in Wireshark

    It seems the dirty thing is that fw monitor is sending data to stdout to count the number of packets captured and using stderr to send out some other stuff.
    So neither stdout nor stderr is usable for the -o option.

    I haven't (yet) worked out a way to get around this.

    I am thinking along the lines of:
    mkfifo /tmp/fwmon
    exec 9<>/tmp/fwmon                                # hold the fifo open read/write so fw monitor's open() does not block
    fw monitor -o /tmp/fwmon ..... >/dev/null 2>&1    # discard the stdout/stderr chatter; only the -o stream reaches the fifo

    But that is on the list to test next year ;-)

  5. #5

    Re: Live capturing of fw monitor in Wireshark

    Quote Originally Posted by hvdkooij:
    It seems the dirty thing is that fw monitor is sending data to stdout to count the number of packets captured and using stderr to send out some other stuff.
    So neither stdout nor stderr is usable for the -o option.

    I haven't (yet) worked out a way to get around this.

    I am thinking along the lines of:
    mkfifo /tmp/fwmon
    exec 9<>/tmp/fwmon                                # hold the fifo open read/write so fw monitor's open() does not block
    fw monitor -o /tmp/fwmon ..... >/dev/null 2>&1    # discard the stdout/stderr chatter; only the -o stream reaches the fifo

    But that is on the list to test next year ;-)

    Yeah, that's why I was trying to see if you could throw away stdout/err but still use /dev/stdout.

    A fifo might work. I was going to bring that up but didn't think it through. I was thinking it would need to be a two-step process: one ssh to cat the fifo and a second ssh process to start fw monitor writing to the fifo.

    The only other gotcha I would say is to do a kill with the interrupt signal so it simulates a Ctrl-C and gives fw monitor a chance to flush its buffers before exiting.

    It's too bad there isn't a quiet switch. It would be a no-brainer then.
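The fifo approach sketched in posts #4 and #5 as a self-contained script (an added example, not code from the thread): `fake_fw_monitor` is a hypothetical stand-in for `fw monitor -o FILE` that chatters on stdout and stderr like the real tool and writes capture bytes only to its -o target, and `stream_capture` runs the reader-then-writer flow so that only those bytes come out the other end. The function names, the fifo path and the CAPTURE-RECORD lines are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: the FIFO idea from posts #4 and #5 run end
# to end offline. fake_fw_monitor (hypothetical) stands in for "fw monitor -o FILE":
# like the real tool it prints status on stdout and stderr and writes capture bytes
# only to the -o target. The CAPTURE-RECORD-* lines are constructed sample data.

fake_fw_monitor() {
    # $1 is the -o target; opening a fifo for writing blocks until a reader has it open.
    echo "monitor: getting filter (from command line)" >&2   # stderr chatter
    printf 'CAPTURE-RECORD-1\nCAPTURE-RECORD-2\n' > "$1"    # the actual capture stream
    echo "2 packets captured"                                # stdout chatter
}

stream_capture() {
    # Two-step flow from post #5: start the reader first (what "ssh gw cat FIFO" would
    # be), then the writer with stdout and stderr thrown away so only -o data enters
    # the fifo. Prints what the reader received; in real use that stream feeds
    # "wireshark -k -i -" on the analyst's machine.
    fifo=${TMPDIR:-/tmp}/fwmon.$$
    got=${TMPDIR:-/tmp}/fwmon.$$.out
    rm -f "$fifo" "$got"
    mkfifo "$fifo" || return 1
    cat "$fifo" > "$got" &                  # reader: blocks until the writer opens the fifo
    reader=$!
    fake_fw_monitor "$fifo" >/dev/null 2>&1 # writer: only the -o stream survives
    # The real tool runs until stopped; stop it with "kill -INT <pid>" (a Ctrl-C) so it
    # flushes its buffers, as post #5 recommends. The stand-in simply exits.
    wait "$reader"                          # cat sees EOF once the writer closes the fifo
    cat "$got"
    rm -f "$fifo" "$got"
}
```

The "No such device or address" error from post #3 is what Linux returns when /dev/stdout refers to a socket, which is typically what a command's stdout is when it runs non-interactively over ssh; that is why the fifo, rather than /dev/stdout, is the workable path.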
