Check Point Firewall – Quick Reference – Tcpdump

fw monitor operates above layer 2 and does not include MAC address information, so it cannot see ARP messages.
tcpdump can see layer 2 ARP messages.

This is one of the most common tcpdump commands (it looks for packets between a source and a destination; the interface must be specified):
tcpdump -nni eth2 host and host
08:02:15.043273 > S 1943270491:1943270491(0) win 65535

tcpdump -nni eth0
tcpdump -nni eth0 host
tcpdump -nni eth0 dst host and proto tcp
tcpdump -nni eth0 src net and proto tcp and portrange 1-1024

-nn = don't use DNS to resolve IPs; display port numbers rather than service names
-i = interface to watch: lo or eth0 or venet0 (virtual machines)
dst = watch only traffic destined to a net, host, or port
src = watch only traffic whose source is a net, host, or port
net = specifies a network
host = specifies a host
port = specifies a port; portrange specifies a range of ports
proto = protocol, i.e. tcp, udp, icmp

tcpdump -s0 -A -nni eth0 dst host
tcpdump -s0 -A -nni eth0 dst host and dst port 80
tcpdump -s0 -A -nni eth0 dst host and dst port 80 and src net 10.100.0/24
tcpdump -s0 -A -nni eth0 dst net
tcpdump -s0 -A -nni venet0 not port 22 and dst host and not src net and not host and src net

-s0 = Setting snaplen to 0 means use the required length to catch whole packets.
-A = Print each packet (minus its link level header) in ASCII.

tcpdump -vv -c10000 -s0 -A -w bigfat.pcap -nni eth0 not port 22
-c = stop after this many packets have been captured
-vv = verbose; with -w, reports the number of packets captured
-w = write the raw packets to a file
# you can’t limit the size of the pcap, only the packets count
# use -c & -w together so you don’t fill up your HD.
tcpdump -s0 -A -nn -r hack3rcon.pcap and port 80
-r = read from file

Watch everything, and remove what you know you don't want to inspect again. What is left will stick out like a white T-shirt at a hack3rcon.
Example: finding an unauthorized proxy on port 8080 or a UDP flood to port 53.

tcpdump -s0 -A -nni eth0 not port 22 and dst host and not src net and not host and not src net
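The two hunting cases above (a UDP flood to port 53, an unauthorized proxy on 8080) worked through on the text that `tcpdump -nn` prints. This is an added example, not part of the original reference: it assumes the standard `tcpdump -nn` line layout (`src.port > dst.port:`), the addresses are constructed, and on a real box you would pipe `tcpdump -nnr capture.pcap` into the functions instead of `$SAMPLE`.

```shell
#!/bin/sh
# Constructed `tcpdump -nn` text output standing in for `tcpdump -nnr capture.pcap`
# on a real box; the addresses are made up for this example.
SAMPLE='08:02:15.043273 IP 10.100.0.7.40001 > 10.100.0.1.53: 1+ A? example.com. (29)
08:02:15.043301 IP 10.100.0.7.40002 > 10.100.0.1.53: 2+ A? example.com. (29)
08:02:15.043330 IP 10.100.0.7.40003 > 10.100.0.1.53: 3+ A? example.com. (29)
08:02:15.043360 IP 10.100.0.7.40004 > 10.100.0.1.53: 4+ A? example.com. (29)
08:02:15.050000 IP 10.100.0.9.51000 > 10.100.0.1.53: 5+ A? intranet. (26)
08:02:15.060000 IP 10.100.0.9.51001 > 10.100.0.1.53: Flags [S], seq 1, win 65535, length 0
08:02:16.000000 IP 10.100.0.12.40500 > 10.100.0.33.8080: Flags [S], seq 1943270491, win 65535, length 0
08:02:16.000100 IP 10.100.0.33.8080 > 10.100.0.12.40500: Flags [S.], seq 7, ack 1943270492, win 65535, length 0
08:02:16.100000 IP 10.100.0.12.40501 > 10.100.0.33.8080: Flags [S], seq 2, win 65535, length 0
08:02:16.200000 IP 10.100.0.5.22 > 10.100.0.40.40000: Flags [P.], seq 1:2, ack 1, win 100, length 1'

# Shared awk prologue: find the "src > dst:" pair on a tcpdump -nn line (works
# with or without the "IP" word), strip the trailing ":" and split host/port.
AWK_PARSE='{ src = ""; dst = ""
  for (i = 2; i < NF; i++) if ($i == ">") { src = $(i-1); dst = $(i+1) }
  if (src == "") next
  sub(/:$/, "", dst)
  ns = split(src, s, "."); nd = split(dst, d, ".")
  shost = s[1] "." s[2] "." s[3] "." s[4]; sport = s[ns]
  dhost = d[1] "." d[2] "." d[3] "." d[4]; dport = d[nd] }'

# UDP flood to port 53: count DNS packets per source host (TCP lines carry
# "Flags [" and are skipped) and print the sources at or above the threshold.
dns_flood_sources() {
  awk -v t="$1" "$AWK_PARSE"'
    /Flags \[/ { next }
    dport == "53" { count[shost]++ }
    END { for (h in count) if (count[h] >= t) print count[h], h }' | sort -rn
}

# Unauthorized proxy on 8080: unique client -> server pairs that sent a bare SYN
# to port 8080 (the SYN-ACK coming back is "Flags [S.]" and is not matched).
proxy_syn_pairs() {
  awk "$AWK_PARSE"'
    /Flags \[S\]/ && dport == "8080" { print shost " -> " dhost }' | sort -u
}

printf '%s\n' "$SAMPLE" | dns_flood_sources 3
printf '%s\n' "$SAMPLE" | proxy_syn_pairs
```

Pre-filter on the tcpdump side (`udp dst port 53`, `tcp dst port 8080`) when the capture is large; the awk only has to see the lines that survive.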


Check Point Firewall – Quick Reference – FW Monitor


FW Monitor is a built-in firewall tool; nothing separate needs to be installed on the device on which you wish to capture packets and interrogate connections. It is provided with the FW-1 package, and its syntax is identical across all FW-1 installations. FW Monitor can sample a connection at 4 different points in the firewall, show NAT assignments, and confirm that routing is working correctly. FW Monitor runs at the kernel level, but it is not a packet capture tool like tcpdump, and it is only useful if SecureXL is turned off.

FW Monitor allows you to capture packets at multiple capture positions within the FW-1 kernel module chain, for both inbound and outbound packets. This enables you to trace a packet through the different functions of the firewall: