CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: help to understand fw monitor syntax.

  1. #1
    Join Date
    2007-04-02
    Posts
    22
    Rep Power
    0

    Default help to understand fw monitor syntax.

    Hi Guys,

    Sorry for the stupid question, but can somebody explain to me why the fw monitor command:

    fw monitor -e 'accept [12:4,b]=10.28.64.161;' would match all packets coming from IP 10.28.64.161,

    but

    fw monitor -e 'accept [12:2,b]=10.28;' will not match all packets coming from network 10.28.0.0/16 ?

    Logically, it should work, shouldn't it: we start looking at the 12th byte (source IP), for the next 2 bytes, and the value of these 2 bytes should be equal to 10.28. Still, it does not work.

    Thank you !


    P.S. I know I can use fw monitor -e 'accept from_net(10.28.0.0,16);', but I want to understand why the above filter does not work.

    Thank you !

  2. #2
    Join Date
    2014-11-14
    Location
    Ottawa Canada
    Posts
    364
    Rep Power
    6

    Default Re: help to understand fw monitor syntax.

    Quote Originally Posted by fkbr1 View Post
    I know I can use fw monitor -e 'accept from_net(10.28.0.0,16);', but I want to understand why the above filter does not work.
    Why over-complicate things? Not only that, but the syntax you are using is totally UNfamiliar to Check Point TAC, and you'll only confuse THEM if you need their help. Personally, I would strongly urge you to stick with the familiar and known.... Just my 2c...

  3. #3
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,659
    Rep Power
    10

    Default Re: help to understand fw monitor syntax.

    Quote Originally Posted by fkbr1 View Post
    Hi Guys,

    Sorry for the stupid question, but can somebody explain to me why the fw monitor command:

    fw monitor -e 'accept [12:4,b]=10.28.64.161;' would match all packets coming from IP 10.28.64.161,

    but

    fw monitor -e 'accept [12:2,b]=10.28;' will not match all packets coming from network 10.28.0.0/16 ?

    Logically, it should work, shouldn't it: we start looking at the 12th byte (source IP), for the next 2 bytes, and the value of these 2 bytes should be equal to 10.28. Still, it does not work.

    Thank you !


    P.S. I know I can use fw monitor -e 'accept from_net(10.28.0.0,16);', but I want to understand why the above filter does not work.

    Thank you !
    I agree this is basically making things harder than they need to be.

    That out of the way... did you try passing a full IP address? I understand you're only doing a 2-byte compare and thus trying to use a 2-byte IP, but we really don't know how a 2-byte IP is being converted into a network-endian word (yeah, that's right, I went there!). Maybe the conversion is silently failing, which causes you to get invalid data.

    Of course I expect you'll say, I already tried that and it didn't work. :D
    Last edited by jflemingeds; 2016-05-19 at 13:31. Reason: word up

  4. #4
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,659
    Rep Power
    10

    Default Re: help to understand fw monitor syntax.

    BTW, for extra credit... try passing the base 10 value of the 2-byte IP instead of dotted octals.

  5. #5
    Join Date
    2012-07-19
    Posts
    108
    Rep Power
    8

    Default Re: help to understand fw monitor syntax.

    Quote Originally Posted by fkbr1 View Post
    fw monitor -e 'accept [12:2,b]=10.28;' will not match all packets coming from network 10.28.0.0/16 ?

    Logically, it should work, shouldn't it: we start looking at the 12th byte (source IP), for the next 2 bytes, and the value of these 2 bytes should be equal to 10.28. Still, it does not work.
    That expression shouldn't even compile (while your example does compile, try other values).

    Code:
    [Expert@cpmodule02:0]# fw monitor -e 'accept [12:2,b]=111.222;'
     monitor: getting filter (from command line)
     monitor: compiling
    monitorfilter:
    "/opt/CPsuite-R77/fw1/tmp/monitorfilter.pf", line 2: ERROR: bad ip address <111.222>
    Compilation Failed.
     monitor: filter compilation failed /opt/CPsuite-R77/fw1/tmp/monitorfilter
    Values in expressions can be hex int, oct int, int or IP addresses. "10.28" is neither of those.

    Quote Originally Posted by jflemingeds View Post
    BTW, for extra credit... try passing the base 10 value of the 2-byte IP instead of dotted octals.
    That's spot on and should work.

    Code:
    [Expert@cpmodule02:0]# expr 111 \* 256 + 222
    28638
    [Expert@cpmodule02:0]# fw monitor -e 'accept [12:2,b]=28638;'
     monitor: getting filter (from command line)
     monitor: compiling
    monitorfilter:
    Compiled OK.
     monitor: loading
     monitor: monitoring (control-C to stop)

  6. #6
    Join Date
    2015-09-08
    Posts
    24
    Rep Power
    0

    Default Re: help to understand fw monitor syntax.

    This should let you filter based on network (source and destination):
    Code:
    fw monitor -e "net(192.168.1.0, 24) ,accept;" -o fwmonitor.pcap
    Other examples for various filters are on the fwmonitor SK: sk30583.

  7. #7
    Join Date
    2007-04-02
    Posts
    22
    Rep Power
    0

    Default Re: help to understand fw monitor syntax.

    Thank you all for your answers !

    I guess the key finding is this, thanks Jejerod !:

    “Values in expressions can be hex int, oct int, int or IP addresses. "10.28" is neither of those.”

    I should have RTFMed !:):

    “value is one of the data types known to INSPECT (i.e. an IP address or an integer).”
    ….

    “INSPECT knows several native data types. Just some of them are useful for fw monitor:
    Hexadecimal Integers - A number beginning with 0x - e.g. 0x5ab4
    Octal Integers - A Number beginning with 0 - e.g. 0777
    Decimal Integers - Any other number - e.g. 23
    IP Address - Four decimal integers separated by three periods - e.g. 172.45.2.4”


    So to match 10.28.0.0/16 I can use:


    1) Hexadecimal Integers: fw monitor -e 'accept [12:1,b]=0x0A and [13:1,b]=0x1C;'
    2) Octal Integers: fw monitor -e 'accept [12:1,b]=0012 and [13:1,b]=0034;'
    3) Decimal integers: fw monitor -e 'accept [12:1,b]=10 and [13:1,b]=28;'


    Dear Jejerod, I did not understand at all, though, how the code below can help:

    expr 111 \* 256 + 222

    If I understand correctly, it just multiplies 111 by 256 and then adds 222, so it equals 28638. How would this match any network?
    Last edited by fkbr1; 2016-05-20 at 11:04.

  8. #8
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,659
    Rep Power
    10

    Default Re: help to understand fw monitor syntax.

    That's how you convert 2 bytes into base 10.

    An IP address is 4 bytes separated by "." to make it easier for humans to read.

    :2 means compare 2 bytes. :1 means compare 1 byte.

  9. #9
    Join Date
    2012-07-19
    Posts
    108
    Rep Power
    8

    Default Re: help to understand fw monitor syntax.

    Quote Originally Posted by fkbr1 View Post
    Dear Jejerod, I did not understand at all, though, how the code below can help:
    Quote Originally Posted by jflemingeds View Post
    That's how you convert 2 bytes into base 10.
    Your monitor expression compares two bytes to a value. Two bytes can have a value between 0 and 65535.
    IPs starting with 111.222 are, bitwise:

    Code:
    > perl -e 'printf("%08b %08b\n",111,222);'
    01101111 11011110
    or decimal

    Code:
    > perl -e 'printf("%d\n", 0b0110111111011110);'
    28638
    Thus, 28638 is the decimal representation of the first two octets of IP addresses starting with "111.222".

  10. #10
    Join Date
    2007-04-02
    Posts
    22
    Rep Power
    0

    Default Re: help to understand fw monitor syntax.

    Thank you !

    So for 10.28.0.0/16 I can use:

    fw monitor -e 'accept [12:2,b]=2588;'

    (10 in binary is 00001010, 28 is 00011100; convert 0000101000011100 to decimal makes 2588)

    Solved !
    Last edited by fkbr1; 2016-05-24 at 08:54.
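The conversion that posts #9 and #10 work through by hand, as an added Python example that is not part of the thread: `inspect_value` folds the leading octets into the big-endian integer INSPECT compares against, `prefix_filter` emits the matching `accept [offset:n,b]=value;` expression, and `byte_compare` emulates that compare over a constructed IPv4 header. The function names and the constructed header are my own; offsets are relative to the start of the IP header, as in the thread's filters (12 = source address, 16 = destination address).

```python
import struct

def inspect_value(octets):
    # Pack the octets big-endian, which is what the ',b' flag in [offset:len,b] reads.
    if not 1 <= len(octets) <= 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("expected 1 to 4 octets in the range 0..255")
    value = 0
    for o in octets:
        value = (value << 8) | o
    return value

def prefix_filter(prefix, prefix_len, offset=12):
    # Build 'accept [offset:n,b]=value;' for a prefix on an octet boundary.
    # A byte compare can only express /8, /16, /24 and /32.
    if not 8 <= prefix_len <= 32 or prefix_len % 8:
        raise ValueError("byte compares only express /8, /16, /24 and /32")
    n = prefix_len // 8
    octets = [int(x) for x in prefix.split(".")]
    return "accept [%d:%d,b]=%d;" % (offset, n, inspect_value(octets[:n]))

def byte_compare(packet, offset, length, value):
    # Emulate the filter: read `length` bytes at `offset` as a big-endian
    # integer and compare them with `value`.
    field = packet[offset:offset + length]
    return len(field) == length and int.from_bytes(field, "big") == value

def ipv4_header(src, dst):
    # Constructed minimal IPv4 header (no options) for testing; only the
    # source and destination addresses matter for the compare.
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0, src_b, dst_b)

if __name__ == "__main__":
    print(prefix_filter("10.28.0.0", 16))    # accept [12:2,b]=2588;
    print(prefix_filter("111.222.0.0", 16))  # accept [12:2,b]=28638;
    pkt = ipv4_header("10.28.64.161", "192.0.2.1")
    print(byte_compare(pkt, 12, 2, 2588))    # True
```

Anything that is not on an octet boundary needs a mask rather than a byte compare, which is what the `from_net(...)` / `net(...)` forms earlier in the thread provide.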

  11. #11
    Join Date
    2015-12-23
    Posts
    47
    Rep Power
    0

    Default Re: help to understand fw monitor syntax.

    Here is a handy portable tool for creating fw monitor filters.



  12. #12
    Join Date
    2007-04-02
    Posts
    22
    Rep Power
    0

    Default Re: help to understand fw monitor syntax.

    Quote Originally Posted by wayne0206 View Post
    Here is a handy portable tool for creating fw monitor filters.
    Thanks a million !!!

  13. #13
    Join Date
    2007-10-31
    Location
    Great Plains - USA
    Posts
    159
    Rep Power
    13

    Default Re: help to understand fw monitor syntax.

    Quote Originally Posted by wayne0206 View Post
    Here is a handy portable tool for creating fw monitor filters.
    Handy indeed, this will be very useful. Thank you.
