How to view Check Point fw monitor files in Wireshark
Check Point's fw monitor utility captures packets much like tcpdump and Wireshark do. Unlike those tools it captures at the firewall's inspection points, above layer 2, so the output carries no MAC addresses. In their place the firewall records, for each packet, the interface it was seen on and the inspection point (direction): i (before inbound inspection), I (after inbound inspection), o (before outbound inspection) and O (after outbound inspection).
Wireshark can decode this information, but the decoder is off by default, so some extra configuration is required: enable the decoder, add a column to display the result and, optionally, colour packets by direction.
- Select Edit/Preferences/Protocols/Ethernet
- Tick the box labelled "Attempt to interpret as Firewall-1 monitor file" and press OK. This tells the Ethernet dissector to treat the bytes where the source and destination MAC addresses would normally be as fw monitor's interface and direction fields.
- Select Edit/Preferences/User Interface/Columns (Appearance/Columns in current Wireshark releases)
- Click Add to create a new column and name it Interface.
- From the Format drop-down select "FW-1 monitor if/direction" and press OK
To colour packets by inspection point, save the following lines to a text file; it is imported in the next step. The comment line is the header Wireshark writes to its own colorfilters files and can stay. Each rule is @name@display filter@[background][foreground], with the colours as 16-bit RGB values.
# DO NOT EDIT THIS FILE! It was created by Wireshark
@FW-Mon-i@fw1.direction contains "i"@[65535,65535,0][0,0,0]
@FW-Mon-I@fw1.direction contains "I"@[37008,61166,37008][0,0,0]
@FW-Mon-o@fw1.direction contains "o"@[44461,55512,59110][0,0,0]
@FW-Mon-O@fw1.direction contains "O"@[31161,49051,54875][0,0,0]
- Select View/Coloring Rules
- Click Import and open the file saved above
- Select the four imported rules (they are appended at the bottom of the list) and move them to the top with the Up button. Coloring rules are evaluated top-down and the first match wins, so left at the bottom they would be shadowed by the built-in rules for TCP, UDP and so on.
- Press OK
Each packet now shows its interface and inspection point in the Interface column and is coloured by direction, so the copies of one packet captured as it passes the i, I, o and O inspection points can be told apart at a glance.
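For the same job without the GUI (scripting, or a box that only has tshark), here is an added example script; it is not from the original post. It writes the coloring rules above to a file Wireshark can import, checks every line against the colorfilters line format, lists the fw1.* display-filter fields the local tshark build knows, and prints per-packet direction and interface from a capture with the same Ethernet preference switched on from the command line. The preference name eth.interpret_as_fw1_monitor and the field fw1.interface are taken from Wireshark's Ethernet and FW-1 dissectors as I know them, not from the post; fw1_fields exists precisely so you can confirm them on your install before relying on them.

```shell
#!/bin/sh
# Added example, not part of the original post: command-line equivalent of the
# Wireshark steps for Check Point fw monitor captures.

# Write the four coloring rules to a file that View/Coloring Rules/Import accepts.
# Format of one rule: @name@display filter@[bg_r,bg_g,bg_b][fg_r,fg_g,fg_b]
# (16-bit colour values). Import appends the rules at the bottom of the list;
# move them to the top afterwards, because the first matching rule wins.
write_fw1_colorfilters() {
    cat > "$1" <<'EOF'
@FW-Mon-i@fw1.direction contains "i"@[65535,65535,0][0,0,0]
@FW-Mon-I@fw1.direction contains "I"@[37008,61166,37008][0,0,0]
@FW-Mon-o@fw1.direction contains "o"@[44461,55512,59110][0,0,0]
@FW-Mon-O@fw1.direction contains "O"@[31161,49051,54875][0,0,0]
EOF
}

# Return 0 when every line of $1 is a well-formed rule (comment lines excluded).
# Catches stray spaces or a missing colour group before Wireshark sees the file.
check_fw1_colorfilters() {
    rule_re='^@[^@]+@[^@]+@\[[0-9]+,[0-9]+,[0-9]+\]\[[0-9]+,[0-9]+,[0-9]+\]$'
    # grep -c exits 1 when it counts zero lines, so keep set -e quiet with || true
    bad=$(grep -v '^#' "$1" | grep -Ecv "$rule_re" || true)
    [ "$bad" -eq 0 ]
}

# List the fw1.* fields this tshark build registers (column 3 of "tshark -G
# fields" is the field abbreviation). Use this to confirm fw1.direction and
# fw1.interface (assumed names) exist before building filters on them.
fw1_fields() {
    tshark -G fields | awk -F'\t' '$3 ~ /^fw1\./ { print $3 }'
}

# Per-packet summary of an fw monitor capture ($1). The -o option turns on the
# same Ethernet preference as the GUI check box; the field names are assumed
# from the FW-1 dissector and can be checked with fw1_fields above.
fw1_summary() {
    tshark -r "$1" -o eth.interpret_as_fw1_monitor:TRUE \
        -T fields -E header=y \
        -e frame.number -e fw1.direction -e fw1.interface \
        -e ip.src -e ip.dst -e ip.proto
}

# Usage when run directly: ./fw1-wireshark.sh capture.cap [colorfilters-out]
if [ "$#" -ge 1 ] && command -v tshark >/dev/null 2>&1; then
    fw1_fields
    fw1_summary "$1"
    if [ "$#" -ge 2 ]; then
        write_fw1_colorfilters "$2" && check_fw1_colorfilters "$2" \
            && echo "wrote coloring rules to $2"
    fi
fi
```

The constructed capture path and output file are arguments, so nothing in the script touches the network; the tshark calls are skipped entirely when tshark is not installed.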