Friday 25 January 2019

Checkpoint - tcpdump and fw monitor

What's the difference between tcpdump and fw monitor?

tcpdump shows traffic arriving at or leaving a firewall interface, while fw monitor also shows how the packet passes through the firewall, including routing and NAT decisions.

Let's go deeper

FW MONITOR

It captures traffic at 4 important points in the firewall, namely i, I, o and O. You will see them in the capture in that sequence.
i – Pre-inbound, just where the packet is received on the interface. If you see only this, then the packet was dropped by anti-spoofing or by the access rule.
I – Post-inbound, where the packet has passed the incoming interface. If you don't see the next line in the capture after this, at 'o', you can infer that it's a routing issue.
For both i and I, the interface is the incoming one, where the packet enters the firewall.
o – Pre-outbound, the place where the packet is received at the exit interface within the firewall. If this is the point beyond which nothing is seen in the capture, then you may need to check NAT.
O – Post-outbound. If you see this, then you can be sure that the packet has left the firewall and that the ACL, route and NAT are all working as expected.

fw monitor -e "accept src=10.1.1.201 or dst=10.1.1.201;" -o monitor2.out




###FW MONITOR  Examples###
fw monitor -e 'accept host(192.168.1.12);'    [Show packets with IP 192.168.1.12 as SRC or DST]
fw monitor -e 'accept src=192.168.1.12 and dst=192.168.3.3;'    [Show all packets from 192.168.1.12 to 192.168.3.3]
fw monitor -pi ipopt_strip -e 'accept udpport(53);'    [Show UDP port 53 (DNS) packets, pre-in position is before 'ipopt_strip']
fw monitor -m O -e 'accept udp and (sport>1023 or dport>1023);'    [Show UDP traffic from or to unprivileged ports, only show post-out]
fw monitor -e 'accept host(192.168.1.12) and tracert;'    [Show Windows traceroute (ICMP, TTL<30) from and to 192.168.1.12]
fw monitor -v 23 -e 'accept tcpport(80);'    [Capture web traffic for VSX virtual system ID 23]
fw monitor -e 'accept ip_p=50 and ifid=0;'    [Show all ESP (IP protocol 50) packets on the interface with the ID 0.
(List interfaces and corresponding IDs with fw ctl iflist)]
srfw monitor -o output_file.cap    [Capture traffic on a SecuRemote/SecureClient client into a file.
srfw.exe is in $SRDIR/bin (C:\Program Files\CheckPoint\SecuRemote\bin)]
fw monitor -m iIoO -e "accept dst=172.31.10.100;" | grep ICMP    [This is a standard fw monitor on the destination, grepping for ICMP (ICMP in capitals is important here, as the output is in capitals)]
fw monitor -e 'accept ip_p=1;' -o ping.cap
fw monitor -m iIoO -e 'accept (src=10.0.1.30 and dst=4.2.2.2) and [9:1]=1;' -o output.cap
fw monitor -m iIoO -e 'accept (src=10.0.1.30 or dst=10.0.1.30) and [9:1]=1;' -o output.cap
fw monitor -m iIoO -e 'accept (src=10.0.1.30 or dst=10.0.1.30) and not (sport=443 or dport=443);' -o output.cap    [Open this file in Wireshark.]

fw monitor -m iIoO -e "accept (src=10.0.1.30 or dst=10.0.1.30);"    This is a good fw monitor to run, which will just output to the CPShell. The "-m iIoO" just means "monitor pre-(i)nbound, post-(I)nbound, pre-(o)utbound and post-(O)utbound interfaces".
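
The reading of the four inspection points described above can be automated over the text that fw monitor prints to the shell. The following is an added example, not part of the original post: it assumes the one-line packet header format shown in the constructed sample (the exact format can differ between versions) and matches a packet across points by protocol and IP ID rather than by address, since NAT may rewrite the addresses.

```python
import re

# Constructed sample of fw monitor terminal output. Assumed header format:
# "<iface>:<point>[<len>]: <src> -> <dst> (<proto>) len=<n> id=<IP ID>"
SAMPLE = """\
[vs_0][fw_0] eth1:i[84]: 10.0.1.30 -> 4.2.2.2 (ICMP) len=84 id=4101
[vs_0][fw_0] eth1:I[84]: 10.0.1.30 -> 4.2.2.2 (ICMP) len=84 id=4101
[vs_0][fw_0] eth0:o[84]: 10.0.1.30 -> 4.2.2.2 (ICMP) len=84 id=4101
[vs_0][fw_0] eth0:O[84]: 203.0.113.5 -> 4.2.2.2 (ICMP) len=84 id=4101
[vs_0][fw_0] eth1:i[60]: 10.0.1.30 -> 192.168.3.3 (TCP) len=60 id=4102
[vs_0][fw_0] eth1:i[60]: 10.0.1.30 -> 172.31.10.100 (TCP) len=60 id=4103
[vs_0][fw_0] eth1:I[60]: 10.0.1.30 -> 172.31.10.100 (TCP) len=60 id=4103
[vs_0][fw_0] eth1:i[71]: 10.0.1.30 -> 4.2.2.2 (UDP) len=71 id=4104
[vs_0][fw_0] eth1:I[71]: 10.0.1.30 -> 4.2.2.2 (UDP) len=71 id=4104
[vs_0][fw_0] eth0:o[71]: 10.0.1.30 -> 4.2.2.2 (UDP) len=71 id=4104
"""

LINE = re.compile(
    r"[\w.\-]+:(?P<pt>[iIoO])\s*\[[^\]]*\]:\s+(?P<src>\S+) -> (?P<dst>\S+) "
    r"\((?P<proto>\w+)\) len=\d+ id=(?P<id>\d+)")

# What it means when a given point is the last one seen, per the text above.
VERDICT = {
    "i": "stopped after pre-inbound: check anti-spoofing / access rule",
    "I": "stopped after post-inbound: check routing",
    "o": "stopped after pre-outbound: check NAT",
    "O": "left the firewall",
}
ORDER = "iIoO"  # sequence in which a forwarded packet hits the points

def last_points(text):
    """Return {(proto, ip_id): (first src, first dst, furthest point seen)}."""
    seen = {}
    for m in LINE.finditer(text):
        key = (m["proto"], int(m["id"]))  # IP ID survives NAT, addresses may not
        src, dst, pt = seen.get(key, (m["src"], m["dst"], "i"))
        seen[key] = (src, dst, max(pt, m["pt"], key=ORDER.index))
    return seen

def diagnose(text):
    """Map each packet to the verdict for the furthest point it reached."""
    return {k: VERDICT[v[2]] for k, v in last_points(text).items()}

if __name__ == "__main__":
    for (proto, ipid), (src, dst, pt) in last_points(SAMPLE).items():
        print(f"{proto} id={ipid} {src} -> {dst}: last seen at {pt}: {VERDICT[pt]}")
```

Keying on the IP ID assumes it is unique within the capture window; on a busy gateway, narrow the fw monitor filter first so IDs do not collide.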


TCPDUMP

It captures at positions i and O of fw monitor, and you can be sure the traffic has left the firewall. This is similar to the way captures work on a Cisco PIX/ASA.

So, which one do you use?

Suppose you run tcpdump and see the incoming traffic but don't see the traffic leaving the exit interface. You can guess it's a routing or a NAT issue. But to be certain without wasting time looking through the routes or the NAT rules, you can run fw monitor and find out what the issue is.
