Check Point Firewall – Quick Reference – Tcpdump

NOTE:
fw monitor operates above layer 2 and does not include MAC address information – it can't see ARP messages.
tcpdump can see layer 2 ARP messages

This is one of the most common tcpdump commands (it looks for packets between a source and a destination host; the interface must be specified):
tcpdump -nni eth2 host 11.11.11.11 and host 22.22.22.22
08:02:15.043273 11.11.11.11.62044 > 22.22.22.22.https: S 1943270491:1943270491(0) win 65535

tcpdump -nni eth0
tcpdump -nni eth0 host 111.111.111.111
tcpdump -nni eth0 dst host 111.111.111.111 and proto tcp
tcpdump -nni eth0 src net 111.111.111.0/24 and proto tcp and portrange 1-1024

-nn = don't use DNS or the services file to resolve IPs and ports; display them as numbers
-i = interface to watch: lo, eth0 or venet0 (virtual machines)
dst = watch only traffic destined to a net, host, or port
src = watch only traffic whose source is a net, host, or port
net = specifies a network, e.g. 111.111.111.0/24
host = specifies a host, e.g. 111.111.111.111
port = specifies a port; portrange specifies a range of ports
proto = protocol, i.e. tcp, udp, icmp

tcpdump -s0 -A -nni eth0 dst host 111.111.111.111
tcpdump -s0 -A -nni eth0 dst host 111.111.111.111 and dst port 80
tcpdump -s0 -A -nni eth0 dst host 111.111.111.111 and dst port 80 and src net 10.100.0/24
tcpdump -s0 -A -nni eth0 dst net 111.111.111.0/24
tcpdump -s0 -A -nni venet0 not port 22 and dst host 111.111.111.111 and not src net 111.111.111.0/24 \
    and not host 111.111.111.111 and src net 111.111.111.0/24

-s0 = Setting snaplen to 0 means use the required length to catch whole packets.
-A = Print each packet (minus its link level header) in ASCII.

tcpdump -vv -c10000 -s0 -A -w bigfat.pcap -nni eth0 not port 22
-c = exit after capturing this many packets
-vv = more verbose output; when writing to a file with -w, tcpdump also reports the number of packets captured
-w = write the raw packets to a file
# you can't limit the size of the pcap, only the packet count
# use -c and -w together so you don't fill up your HD.
tcpdump -s0 -A -nn -r hack3rcon.pcap port 80
-r = read packets from a file instead of an interface (the filter expression, here port 80, is applied to the file)

Watch everything, and remove what you know you don't want to inspect again. What is left will stick out like a white T-shirt at a hack3rcon.
Example: finding an unauthorized proxy on port 8080 or a UDP flood to port 53.

tcpdump -s0 -A -nni eth0 not port 22 and dst host 111.111.111.111 and not src net 111.111.111.0/24 \
    and not host 111.111.111.111 and not src net 111.111.111.0/24
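The "watch everything, subtract what you know" approach above can be scripted so the exclusion filter grows as you rule out known-good traffic. The helpers below are an added example, not part of the original reference: build_noise_filter composes the BPF expression from a watched host, a list of known services and trusted source nets; capture_unexpected runs tcpdump with it, bounded by -c and written with -w as the text recommends; count_sources tallies source IPs from tcpdump's text output (useful for spotting a UDP flood to port 53). The sample tcpdump lines are constructed.

```shell
#!/bin/sh
# build_noise_filter HOST "proto/port ..." "net/len ...": compose a BPF filter that keeps
# traffic to HOST but drops the services and source nets already known to be legitimate.
build_noise_filter() {
  host=$1; services=$2; trusted=$3
  expr="dst host $host"
  for svc in $services; do                 # e.g. tcp/22 -> "and not tcp port 22"
    expr="$expr and not ${svc%/*} port ${svc#*/}"
  done
  for net in $trusted; do                  # e.g. 10.0.0.0/8 -> "and not src net 10.0.0.0/8"
    expr="$expr and not src net $net"
  done
  printf '%s' "$expr"
}

# capture_unexpected IFACE HOST "services" "trusted" [COUNT]: bounded capture to a pcap file.
capture_unexpected() {
  iface=$1; host=$2; services=$3; trusted=$4; count=${5:-10000}
  tcpdump -s0 -nn -c "$count" -w "unexpected-$(date +%Y%m%d-%H%M%S).pcap" -i "$iface" \
    "$(build_noise_filter "$host" "$services" "$trusted")"
}

# count_sources: read tcpdump -nn text on stdin, count packets per source IP (port stripped),
# busiest first. Works for both the old "11.11.11.11.62044 >" and the newer "IP 10.0.0.9.40000 >" line forms.
count_sources() {
  awk '{ for (i = 2; i <= NF; i++) if ($i == ">") { src = $(i-1); sub(/\.[^.]*$/, "", src); n[src]++; break } }
       END { for (s in n) print n[s], s }' | sort -rn
}

# Constructed sample output (not a real capture): one HTTPS SYN plus three DNS queries from one host.
SAMPLE_LINES='08:02:15.043273 11.11.11.11.62044 > 22.22.22.22.https: S 1943270491:1943270491(0) win 65535
08:02:15.101 IP 10.0.0.9.40000 > 111.111.111.111.53: 1+ A? example.test. (30)
08:02:15.102 IP 10.0.0.9.40001 > 111.111.111.111.53: 2+ A? example.test. (30)
08:02:15.103 IP 10.0.0.9.40002 > 111.111.111.111.53: 3+ A? example.test. (30)'

# Usage: build_noise_filter 111.111.111.111 "tcp/22 udp/53" "111.111.111.0/24"
#        printf '%s\n' "$SAMPLE_LINES" | count_sources
```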


Check Point Firewall – Quick Reference – FW Monitor

Overview:

FW Monitor is a built-in firewall tool that needs no separate installation on the device on which you wish to capture packets and interrogate connections. It is provided with the FW-1 package, and its syntax is identical across all FW-1 installations. FW Monitor can sample a connection at 4 different points in the firewall, show NAT assignments, and reveal whether routing is working correctly. FW Monitor runs at the kernel level, but it is not a packet capture tool like tcpdump, and it is only useful if SecureXL is turned off.

FW Monitor allows you to capture packets at multiple capture positions within the FW-1 kernel module chain; both for inbound and outbound packets. This enables you to trace a packet through the different functionalities of the firewall:

[Expert@FIREWALL-1]# fw ctl chain
in chain (9):
          0: -7f800000 (ca8d9698) IP Options Strip (ipopt_strip)
          1: - 2000000 (cb1c1c64) vpn decrypt (vpn)
          2: - 1fffff6 (ca8da0f8) Stateless verifications (asm)
          3: - 1fffff0 (cb1c17f0) vpn decrypt verify (vpn_ver)
          4: - 1000000 (ca8eb688) SecureXL connection syn (secxl_sync)
          5: 0 (ca8aa0c0) fw VM inbound (fw)
          6: 2000000 (cb1c2aa0) vpn policy inbound (vpn_pol)
          7: 10000000 (ca8eb728) SecureXL inbound (secxl)
          8: 7f800000 (ca8d98e4) IP Options Restore (ipopt_res)
out chain (8):
          0: -7f800000 (ca8d9698) IP Options Strip (ipopt_strip)
          1: - 1ffffff (cb1c16fc) vpn nat outbound (vpn_nat)
          2: - 1f00000 (ca8da0f8) Stateless verifications (asm)
          3: 0 (ca8aa0c0) fw VM outbound (fw)
          4: 2000000 (cb1c26e0) vpn policy outbound (vpn_pol)
          5: 10000000 (ca8eb728) SecureXL outbound (secxl)
          6: 20000000 (cb1c2164) vpn encrypt (vpn)
          7: 7f800000 (ca8d98e4) IP Options Restore (ipopt_res)
  • pre-inbound inspection ( i )
  • post-inbound inspection ( I )
  • pre-outbound inspection ( o )
  • post-outbound inspection ( O )

Limitations of fw monitor:

NOTE:
fw monitor operates above layer 2 and does not include MAC address information – it can't see ARP messages.
tcpdump can see layer 2 ARP messages

Unlike other pcap utilities, fw monitor can't show layer-2 or lower protocol information (data link and physical layers): the NIC strips the layer-2 information before pushing the packet to VPN-1/FW-1. However, fw monitor can show the packet at different inbound and outbound capture points along the way. Before attempting to troubleshoot an issue using fw monitor, make sure that layer-2 traffic flow is functioning as it should. If a layer-2 issue is suspected, tcpdump can be used to check the flow at layer 2 (see the tcpdump quick reference above).

Misconfigured Proxy ARP is an example of a problem that fw monitor simply cannot solve. If hosts are not transmitting the frames to the firewall’s NIC, VPN-1/FW-1 will never inspect the packet and fw monitor will never provide any lines of decode to analyze. However, tcpdump can capture traffic not transmitted directly to the firewall’s NIC and can display the incorrect hardware addressing.

Syntax for fw monitor:

fw monitor [-u|s] [-i] [-d] [-D] <{-e expr}+|-f <filter-file|->> [-l len] [-m mask] [-x offset[,len]] [-o <file>] <[-pi pos] [-pI pos] [-po pos] [-pO pos] | -p all > [-a] [-ci count] [-co count] [-vs vsid or vsname]

The easiest way to use fw monitor is to invoke it without any parameter “fw monitor”. This will output every packet from every interface that passes (or at least reaches) the enforcement module. However, nobody uses this in high traffic environments, and it is much smarter to filter it down a bit. NOTE: Break sequence = ctrl+c to stop fw monitor from capturing packets.

Capture Masks:

Capture traffic from a host:

fw monitor -e "accept src=xx.xx.xx.xx;"

Write output to file [-o <file>]

fw monitor -o monitor.pcap -e "accept src=xx.xx.xx.xx;"

Capturing all traffic to or from a host

fw monitor -e "accept src=xx.xx.xx.xx or dst=xx.xx.xx.xx;"

Capture http traffic

fw monitor -e "accept sport=80 or dport=80;"

Capture all port 80 traffic to AND from the source and destination hosts (the \ character is the shell's line continuation; the whole command is one line)

fw monitor -e "accept src=NATIVE-xx.xx.xx.xx and dst=NAT-xx.xx.xx.xx and \
sport=80 ; \
accept src=NAT-xx.xx.xx.xx and dst=NATIVE-xx.xx.xx.xx and \
dport=80 ;"

***VSX SPECIFIC***

View traffic for the virtual system with ID <vsid>. Attn: with fw monitor use -v instead of -vs

fw monitor -v <vsid> -e 'accept;'

Capture web traffic for VSX virtual system ID 3

fw monitor -v 3 -e 'accept tcpport(80);'

The capture point in the decode is the most important feature of fw monitor for troubleshooting purposes. VPN-1/FW-1 compares network traffic (runs it through the INSPECT engine) against its policy and state tables when the packet is received (inbound) as well as immediately before the packet is transmitted (outbound). The four primary capture points correspond to the points immediately before and after these VPN-1/FW-1 inspection points. If we see that a packet was captured only prior to an inspection but not after it, we can conclude that some aspect of firewall policy is the cause of our network problem.

Ex 1: If a packet only generates one line of output marked with the pre-inbound inspection ( i ) identifier, we can be confident that the VPN-1/FW-1 policy is causing the packet to be dropped. Tracker can be used to figure out which rule is causing the problem.

Ex 2: If only lines for inbound inspection ( i, I ) are shown but the outbound inspection lines ( o, O ) are missing, the packet is either terminating at the firewall itself or routing has been misconfigured and the routing engine of the firewall is blackholing the packet.

Ex 3: If the expected packet doesn’t even produce any inbound inspection decode lines, this means either that the filter expression is incorrect or that the packet is never making it to the Enforcement Module for inspection. Other tools would then be needed to see what is going on outside the firewall.
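The capture-point reasoning in Ex 1 to Ex 3 can be applied mechanically to a saved fw monitor decode. The script below is an added example, not part of the original reference: capture_points extracts which of the i, I, o, O points a given IP id was seen at, and diagnose maps that set to the verdicts above. The decode lines are constructed samples in the "ifname:point[len]: src -> dst (proto) len=.. id=.." layout, not a real capture.

```shell
#!/bin/sh
# Constructed fw monitor decode (not a real capture): ip id=1001 is seen at i and I only;
# id=1002 passes all four capture points.
SAMPLE_DECODE='eth0:i[60]: 192.0.2.10 -> 198.51.100.5 (TCP) len=60 id=1001
TCP: 40001 -> 443 .S.... seq=1a2b3c4d ack=00000000
eth0:I[60]: 192.0.2.10 -> 198.51.100.5 (TCP) len=60 id=1001
TCP: 40001 -> 443 .S.... seq=1a2b3c4d ack=00000000
eth0:i[60]: 192.0.2.11 -> 198.51.100.5 (TCP) len=60 id=1002
eth0:I[60]: 192.0.2.11 -> 198.51.100.5 (TCP) len=60 id=1002
eth1:o[60]: 192.0.2.11 -> 198.51.100.5 (TCP) len=60 id=1002
eth1:O[60]: 192.0.2.11 -> 198.51.100.5 (TCP) len=60 id=1002'

# capture_points DECODE IPID: print the capture points (i I o O) at which the packet with
# that IP id appears, in the order seen. Also tolerates a "[vs_0][fw_1] " prefix before the
# interface name, since only the "ifname:letter[" token is matched.
capture_points() {
  printf '%s\n' "$1" | awk -v id="id=$2" '
    $0 ~ ("(^| )" id "( |$)") && match($0, /[A-Za-z0-9_.-]+:[iIoO]\[/) {
      s = substr($0, RSTART, RLENGTH)          # e.g. "eth0:i["
      p = substr(s, length(s) - 1, 1)          # the capture-point letter
      if (!(p in seen)) { seen[p] = 1; out = out (out == "" ? "" : " ") p }
    }
    END { print out }'
}

# diagnose DECODE IPID: apply the rules from Ex 1 to Ex 3 (and the general "seen before an
# inspection but not after it" rule) to the set of capture points.
diagnose() {
  pts=$(capture_points "$1" "$2")
  case " $pts " in
    *" O "*) echo "forwarded: seen at all capture points ($pts)" ;;
    *" o "*) echo "dropped by outbound policy: seen at o but not O ($pts)" ;;
    *" I "*) echo "terminated at firewall or routing blackhole: inbound only ($pts)" ;;
    *" i "*) echo "dropped by inbound policy: seen only at i ($pts)" ;;
    *)       echo "never reached the enforcement module or filter expression is wrong" ;;
  esac
}

# Usage: diagnose "$SAMPLE_DECODE" 1001
#        fw monitor -o decode.txt -e "accept src=xx.xx.xx.xx;" ; diagnose "$(cat decode.txt)" <ipid>
```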

Check Point References
Check Point sk30583
Check Point sk39510
Check Point sk41045
Check Point FW_Monitor_rev1_01.pdf