Check Point Firewall – Quick Reference – Tcpdump

NOTE:
fw monitor captures inside the FW-1 kernel chain, above layer 2: it shows no MAC addresses and can't see ARP messages.
tcpdump captures at layer 2, so it does see ARP messages (and MAC addresses).

This is one of the most common tcpdump commands (packets between a source and a destination; the interface has to be specified):
tcpdump -nni eth2 host 11.11.11.11 and host 22.22.22.22
08:02:15.043273 11.11.11.11.62044 > 22.22.22.22.https: S 1943270491:1943270491(0) win 65535

tcpdump -nni eth0
tcpdump -nni eth0 host 111.111.111.111
tcpdump -nni eth0 dst host 111.111.111.111 and proto tcp
tcpdump -nni eth0 src net 111.111.111.0/24 and proto tcp and portrange 1-1024

-nn = don't resolve IP addresses to hostnames or port numbers to service names (a single -n still resolves ports)
-i = interface to watch: lo, eth0, venet0 (OpenVZ virtual machines), etc.
dst = only traffic whose destination is the given net, host, or port
src = only traffic whose source is the given net, host, or port
net = specifies a network, e.g. 111.111.111.0/24 (the host bits must be zero or tcpdump rejects the expression)
host = specifies a host, e.g. 111.111.111.111
port = specifies a port; portrange 1-1024 specifies a range
proto = protocol, i.e. tcp, udp, icmp (the bare keywords tcp, udp and icmp mean the same thing)

tcpdump -s0 -A -nni eth0 dst host 111.111.111.111
tcpdump -s0 -A -nni eth0 dst host 111.111.111.111 and dst port 80
tcpdump -s0 -A -nni eth0 dst host 111.111.111.111 and dst port 80 and src net 10.100.0.0/24
tcpdump -s0 -A -nni eth0 dst net 111.111.111.0/24
tcpdump -s0 -A -nni venet0 not port 22 and dst host 111.111.111.111 and not src net 111.111.111.0/24
# don't add 'and not host 111.111.111.111' or 'and src net 111.111.111.0/24' on top of this filter: each contradicts an earlier term and the whole expression would match nothing

-s0 = snaplen 0: capture whole packets (the default since tcpdump 4.0; older versions truncated each packet at 68 bytes, which cuts off payloads)
-A = print each packet (minus its link level header) in ASCII, handy for reading HTTP

tcpdump -vv -c10000 -s0 -A -w bigfat.pcap -nni eth0 not port 22
-c = stop after this many packets
-vv = more verbose decoding; when writing with -w, newer versions also report a running count of packets captured
-w = write the raw packets to a file (pcap format) instead of printing them
# -c limits the packet count; to limit the size instead use -C <MB> (start a new file every that many million bytes) with -W <n> to keep only n files as a ring, or -G <seconds> to rotate on time
# use -c (or -C with -W) together with -w so you don't fill up your HD
tcpdump -s0 -A -nn -r hack3rcon.pcap port 80
-r = read from file (no interface or root needed; the filter expression follows the options directly, without a leading 'and')

Watch everything, then remove what you know you don't want to inspect again. What is left will stick out like a white T-shirt at a hack3rcon.
Example: finding an unauthorized proxy on port 8080 or a UDP flood to port 53.

tcpdump -s0 -A -nni eth0 not port 22 and dst host 111.111.111.111 and not src net 111.111.111.0/24
# keep appending 'and not port N' or 'and not src net X' for every stream you have already explained (e.g. 'and not port 80 and not port 443'); whatever is still scrolling by, a run of SYNs to 8080 or a burst of UDP to 53, is what to look at next
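The following is an added example, not code from the original page or from Check Point. It reads back the kind of pcap file that tcpdump -w leaves behind using only the Python standard library, and re-implements the filter primitives listed above (dst host, proto, dst port, not port, not src net) so you can see exactly what each one selects: the ARP frame that a layer-2 capture includes and fw monitor would not, the HTTPS SYN from the sample output, and the "remove what you know" triage that leaves an odd proxy port and a UDP/53 burst standing out. Every frame in it is constructed inline; the addresses (11.11.11.11, 22.22.22.22, 33.33.33.33, 44.44.44.44), the MAC and the file name bigfat.pcap are placeholders, not real hosts or captures.

```python
import os
import socket
import struct
import tempfile
from collections import Counter
ETH_IP, ETH_ARP = 0x0800, 0x0806
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
MAC_A = b"\x00\x0c\x29\x11\x11\x11"  # constructed sender MAC for the sample frames
ip = socket.inet_aton

def ether(ethertype, payload, src=MAC_A, dst=b"\xff" * 6):
    return dst + src + struct.pack("!H", ethertype) + payload

def arp_request(sender_ip, target_ip):
    # who-has target_ip tell sender_ip: hw type 1, proto IPv4, hlen 6, plen 4, opcode 1
    return struct.pack("!HHBBH6s4s6s4s", 1, ETH_IP, 6, 4, 1, MAC_A, ip(sender_ip), b"\x00" * 6, ip(target_ip))

def ipv4(proto, src, dst, payload):
    # 20-byte header without options; checksum left at 0 (irrelevant for parsing)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, ip(src), ip(dst)) + payload

def tcp_syn(sport, dport):
    # data offset 5 (20 bytes), flags 0x02 = SYN, window 65535, like the sample output above
    return struct.pack("!HHIIBBHHH", sport, dport, 1943270491, 0, 5 << 4, 0x02, 65535, 0, 0)

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def write_pcap(path, frames):  # classic pcap as tcpdump -w writes it: magic, v2.4, tz, sigfigs, snaplen, linktype 1 = Ethernet
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, frame in enumerate(frames):  # record header: ts_sec, ts_usec, caplen, origlen
            f.write(struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame)

def decode(frame):
    pkt = {"proto": None, "src": None, "dst": None, "sport": None, "dport": None}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_ARP:
        # BPF 'host' and 'net' also match ARP sender/target addresses, so expose them the same way
        pkt.update(proto="arp", src=socket.inet_ntoa(frame[28:32]), dst=socket.inet_ntoa(frame[38:42]))
    elif ethertype == ETH_IP:
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
        pkt.update(proto=PROTO_NAMES.get(proto, str(proto)),
                   src=socket.inet_ntoa(frame[26:30]), dst=socket.inet_ntoa(frame[30:34]))
        if proto in (6, 17):  # TCP and UDP both begin with source port, destination port
            pkt["sport"], pkt["dport"] = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
    return pkt

def read_pcap(path):
    """Yield decoded packets from a pcap file, honouring either byte order of the magic."""
    with open(path, "rb") as f:
        data = f.read()
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic pcap file")
    endian, off = ("<" if magic == 0xA1B2C3D4 else ">"), 24
    while off + 16 <= len(data):
        caplen = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        yield decode(data[off + 16:off + 16 + caplen])
        off += 16 + caplen

def in_net(addr, cidr):
    """'net A/len' test; as with pcap, give the network with host bits zero (10.100.0.0/24, not 10.100.0/24)."""
    net, bits = cidr.split("/")
    mask = (0xFFFFFFFF << (32 - int(bits))) & 0xFFFFFFFF
    return int.from_bytes(ip(addr), "big") & mask == int.from_bytes(ip(net), "big") & mask

def matches(pkt, dst_host=None, proto=None, dport=None, not_port=None, not_src_net=None):
    """Equivalent of: dst host X and proto P and dst port N and not port Q and not src net A/len."""
    return ((dst_host is None or pkt["dst"] == dst_host)
            and (proto is None or pkt["proto"] == proto)
            and (dport is None or pkt["dport"] == dport)
            and (not_port is None or not_port not in (pkt["sport"], pkt["dport"]))
            and (not_src_net is None or pkt["src"] is None or not in_net(pkt["src"], not_src_net)))

def leftover_ports(pkts, known_ports):
    """'Watch everything and remove what you know': tally (proto, dst port) outside the known set."""
    return Counter((p["proto"], p["dport"]) for p in pkts
                   if p["dport"] is not None and p["dport"] not in known_ports)

def demo():
    frames = [
        ether(ETH_ARP, arp_request("11.11.11.11", "22.22.22.22")),  # layer 2: fw monitor would miss it
        ether(ETH_IP, ipv4(6, "11.11.11.11", "22.22.22.22", tcp_syn(62044, 443))),  # the SYN shown above
        ether(ETH_IP, ipv4(6, "11.11.11.11", "22.22.22.22", tcp_syn(62045, 22))),
        ether(ETH_IP, ipv4(6, "33.33.33.33", "22.22.22.22", tcp_syn(40000, 8080))),  # unexpected proxy port
    ] + [ether(ETH_IP, ipv4(17, "44.44.44.44", "22.22.22.22", udp(50000 + i, 53, b"\x00" * 12)))
         for i in range(20)]  # a burst of UDP to port 53
    with tempfile.TemporaryDirectory() as tmp:  # stand-in for the file tcpdump -w would leave behind
        path = os.path.join(tmp, "bigfat.pcap")
        write_pcap(path, frames)
        pkts = list(read_pcap(path))
    return {"total": len(pkts),
            "arp": sum(p["proto"] == "arp" for p in pkts),
            "https": sum(matches(p, dst_host="22.22.22.22", proto="tcp", dport=443) for p in pkts),
            "outside": sum(matches(p, dst_host="22.22.22.22", not_port=22, not_src_net="11.11.11.0/24") for p in pkts),
            "odd": leftover_ports(pkts, known_ports={22, 443})}

if __name__ == "__main__":
    print(demo())
```

Running it prints 24 packets read back, 1 ARP, 1 HTTPS SYN, 21 packets from outside 11.11.11.0/24 that are not SSH, and a tally of {("udp", 53): 20, ("tcp", 8080): 1} once ports 22 and 443 are subtracted, which is the "what is left sticks out" step done on a file instead of a live interface. Note that 'host' and 'net' match the addresses inside ARP requests too, so 'dst host X' on its own will pick up who-has queries for X; add 'and ip' if you only want IP traffic.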

 

Check Point Firewall – Quick Reference – FW Monitor

Overview:

FW Monitor is a built-in firewall tool that needs no separate install on the device whose packets you want to capture and whose connections you want to interrogate. It ships with the FW-1 package, and its syntax is identical across all FW-1 installations. FW Monitor can sample a connection at four points in the firewall (i: pre-inbound, I: post-inbound, o: pre-outbound, O: post-outbound), which lets you check NAT assignments and whether routing is working right. FW Monitor runs at the kernel level, but it is not a layer-2 packet capture tool like tcpdump, and on versions where SecureXL-accelerated packets bypass the kernel chain those packets are invisible to it unless SecureXL is turned off (fwaccel off) for the duration of the capture.

FW Monitor allows you to capture packets at multiple capture positions within the FW-1 kernel module chain, both for inbound and outbound packets. This enables you to trace a packet through the different functionalities of the firewall: