
Re: [FW1] fw monitor command



This command allows you to monitor network traffic going through the FireWall-1 Kernel Module. This is sort of like tcpdump except that it shows you what things look like from the perspective of various parts of FireWall-1 and can be used to monitor all interfaces simultaneously.

There are four "inspection" points as packets pass through FireWall-1. We choose where we want to "see" packets with the -m option:


Before FireWall-1 processes the packet in the inbound direction (i or PREIN)

After FireWall-1 processes the packet in the inbound direction (I or POSTIN)

Before FireWall-1 processes the packet in the outbound direction (o or PREOUT)

After FireWall-1 processes the packet in the outbound direction (O or POSTOUT)


Since there can be lots of packets, we need some way of determining which packets we are interested in seeing. We do this by means of an INSPECT filter, which can be typed in directly on the command line or via an INSPECT filter file. One of these options (-f or -e) is required.

Once you execute this command, FireWall-1 will compile the specified INSPECT script (either on the command line or in a file), load it into the kernel module, and display the matching packets in the terminal window or to the output file (which is snoop format). It will continue to do this until an interrupt signal is sent to the program (Ctrl-C), after which it will unload the filter and exit.

The INSPECT script should return an "accept" in order for packets to be displayed. Any other return code will cause packets not to be displayed. If you want to only catch packets on a certain interface, do not use 'le0@all' (for example), but instead use 'direction=x,ifid=y' where x=0 for inbound, 1 for outbound, and y is an interface number returned by the 'fw ctl iflist' command. Do not use table names that are used by the security policy. 

Command Line Options
-d Turn on dodebugptr
-D Turn on dodebugptr
-e Specify an INSPECT program line (multiple -e options can be used)
-f INSPECT filter name ('-' can be used to specify standard input). The -f and -e options are mutually exclusive.
-l Specify how many bytes of the packet should be transferred from the kernel.
-m Specify inspection points mask, any one or more of i, I, o, O as explained above.
-o Specify an output file. They can be viewed with the 'snoop' command on Solaris. This is only valid on 4.0 SP3 and later.
-x Perform a hex dump of the received data, starting at the specified offset and printing out 'len' bytes.

Examples
fw monitor -e '[9:1]=6, accept\;' -l 100 -m iO -x 20 will display all TCP packets entering and leaving FireWall-1. Up to 80 bytes of TCP header and data will be displayed (assuming no IP Options are used)

fw monitor -e 'accept\;' -m iI will display all packets entering and exiting FireWall-1 in the inbound direction (i.e. before the OS routes the packet). 

fw monitor -e 'accept ifid=0,src=10.0.0.1 or dst=10.0.0.1\;' will show you all packets in interface ID 0 coming from or going to 10.0.0.1. The value used for ifid corresponds to a number given to an interface by FireWall-1. You can determine which interface has which number by using the command fw ctl iflist.

fw monitor -e 'accept ifid=0,src=10.0.0.1 or dst=10.0.0.1,ip_p=47\;' does the same thing as the previous command except it looks for packets of IP Protocol 47 only.

fw monitor -e 'accept tcp,dport=80 or sport=80,src=10.0.0.1 or dst=10.0.0.1\;' shows all tcp packets going to or from 10.0.0.1 with either a source port of 80 or a destination port of 80. 

Warnings


Don't mess with tables used in the security policy or unexpected behaviour may result (including a system crash).

Packets are defragmented as the packets leave FireWall-1 in both the inbound and outbound direction. 

Anything that causes a fetch, load, or unload of your security policy will cause fw monitor to exit.

If you are originating any Multicast routing packets from IPSO (for example, for OSPF routing or routing multicast), this will cause the 'fw monitor' program to terminate unless they are filtered out by the INSPECT script. This is because FireWall-1 attempts to associate a particular interface with these packets and is unable to. This issue has been fixed in FireWall-1 4.1 SP2 build 20.
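As an added illustration (not from the post and not Check Point code), the Python below models the byte-offset reads behind the filters in the examples on constructed IPv4 packets: '[9:1]=6' is just the protocol byte, src/dst are the 4-byte fields at offsets 12 and 16, and a dump starting at offset 20 only lands on the TCP header when there are no IP options, which is the caveat in the first example.

```python
import struct


def _quad(addr):
    """Dotted-quad string to 4 raw bytes."""
    return bytes(int(x) for x in addr.split("."))


def build_ipv4(proto, src, dst, payload, options=b""):
    """Constructed sample packet: IPv4 header, optional IP options, payload (checksum left 0)."""
    assert len(options) % 4 == 0, "IP options are padded to 32-bit words"
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                      0, 0, 64, proto, 0, _quad(src), _quad(dst))
    return hdr + options + payload


def build_tcp(sport, dport):
    """Constructed minimal 20-byte TCP header (SYN flag set), no payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)


def byte_field(pkt, offset, length):
    """Toy model of the '[offset:length]' read: big-endian integer at an IP-relative offset."""
    return int.from_bytes(pkt[offset:offset + length], "big")


def ip_addr(pkt, offset):
    """Dotted-quad string of the 4-byte address at `offset` (12 = source, 16 = destination)."""
    return ".".join(str(b) for b in pkt[offset:offset + 4])


def is_tcp(pkt):
    """'[9:1]=6' from the first example: byte 9 of the IP header is the protocol field, 6 = TCP."""
    return byte_field(pkt, 9, 1) == 6


def matches_host_proto(pkt, host, proto):
    """Toy model of 'src=H or dst=H, ip_p=P' (fourth example) written purely as byte offsets."""
    return (ip_addr(pkt, 12) == host or ip_addr(pkt, 16) == host) and byte_field(pkt, 9, 1) == proto


def transport_offset(pkt):
    """Where the transport header really starts: IHL * 4, which is 20 only without IP options."""
    return (pkt[0] & 0x0F) * 4


def hexdump_from(pkt, offset, length):
    """Model of dumping `length` bytes from `offset`, as '-x 20' does in the first example."""
    return pkt[offset:offset + length].hex()


if __name__ == "__main__":
    plain = build_ipv4(6, "10.0.0.1", "192.0.2.10", build_tcp(1234, 80))
    with_opts = build_ipv4(6, "10.0.0.1", "192.0.2.10", build_tcp(1234, 80), options=b"\x01" * 4)
    print(is_tcp(plain), transport_offset(plain), hexdump_from(plain, 20, 4))  # True 20 04d20050
    print(is_tcp(with_opts), transport_offset(with_opts), hexdump_from(with_opts, 20, 4))  # True 24 01010101
```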



----- Original Message ----- 
From: "Arno Hechenberger" <[email protected]>
To: "'Victor Barrientos'" <[email protected]>; "FW-1 Mailing List (E-Mail)" <[email protected]>
Sent: Monday, November 27, 2000 6:38 AM
Subject: AW: [FW1] fw monitor command


I should have a detailed explanation of fw monitor toooo !!!! 
 
I have no account at NOKIA   :-((
 
Arno

-----Original Message-----
From: [email protected]
[mailto:[email protected]]On Behalf Of
Victor Barrientos
Sent: Wednesday, 02 August 2000 17:52
To: [email protected]
Subject: [FW1] fw monitor command


Can anyone explain the fw monitor command to me?
 
TIA
 
Victor Barrientos
Security Engineer
Tivoli Certified Consultant
RSA Security Certified RSA ACE/Server Engineer
Tel: 54-11-4819-3903
Fax: 54-11-4811-7103
Telefónica


www.unifon.com.ar



