Friday, January 28, 2011

How to monitor what happens on a management system, or on a system having an evaluation license

The fw monitor command allows you to monitor network traffic going through the FireWall-1 Kernel Module. It is similar to tcpdump, except that it shows you what packets look like from the perspective of various inspection points within FireWall-1, and it can monitor all interfaces simultaneously.


fw monitor [-d] [-D] -e inspect-filter -f filter-file [-l len] [-m mask] [-x offset[,len]] [-o file]

Command Line Options
-d Turn on dodebugptr
-D Turn on dodebugptr
-e Specify an INSPECT program line (multiple -e options can be used)
-f INSPECT filter name ('-' can be used to specify standard input). The -f and -e options are mutually exclusive.
-l Specify how many bytes of the packet should be transferred from the kernel.
-m Specify the inspection-point mask: any one or more of i, I, o, O as explained above.
-o Specify an output file. The file can be viewed with the 'snoop' command on Solaris. This option is only valid on 4.0 SP3 and later.
-x Perform a hex dump of the received data, starting at the specified offset and printing out 'len' bytes.

Examples
fw monitor -e '[9:1]=6, accept\;' -l 100 -m iO -x 20 will display all TCP packets entering and leaving FireWall-1. Up to 80 bytes of TCP header and data will be displayed (assuming no IP Options are used).
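The `[9:1]=6` term above is a raw byte match: one byte at offset 9 of the IP header, which is the protocol field, compared against 6 (TCP). The `-l 100 -x 20` pair works the same way: the kernel hands over at most 100 bytes, and the dump starts 20 bytes in, i.e. right after a 20-byte IP header, which is why the text says 80 bytes and adds the "no IP Options" caveat. The following added example (not code from the original post, and not Check Point's INSPECT engine) builds constructed IPv4 packets and evaluates a minimal `[offset:len]=value` subset against them, so you can see which bytes such a filter actually reads and what happens to the `-x 20` assumption when IP options are present. Function and constant names are my own.

```python
"""Constructed IPv4 packets plus a minimal evaluator for the '[offset:len]=value'
byte-match form used in fw monitor -e filters. Teaching subset only; it is not
the INSPECT language and does not parse keywords such as tcp, src or dport."""
import re
import struct
from ipaddress import IPv4Address

IP_PROTO_TCP = 6    # value matched by '[9:1]=6' on the page
IP_PROTO_GRE = 47   # value used by the ip_p=47 example on the page


def build_ipv4_packet(proto, src, dst, payload=b"", options=b""):
    """Return a constructed IPv4 packet (header + options + payload).
    Checksum is left zero; options must pad to a 32-bit boundary."""
    if len(options) % 4:
        raise ValueError("IP options must be a multiple of 4 bytes")
    ihl = 5 + len(options) // 4            # header length in 32-bit words
    total_len = ihl * 4 + len(payload)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl,                    # byte 0: version 4, IHL
        0,                                 # byte 1: DSCP/ECN
        total_len,                         # bytes 2-3: total length
        0x1234,                            # bytes 4-5: identification (constructed)
        0,                                 # bytes 6-7: flags / fragment offset
        64,                                # byte 8: TTL
        proto,                             # byte 9: protocol -- what '[9:1]' reads
        0,                                 # bytes 10-11: header checksum (not computed)
        IPv4Address(src).packed,           # bytes 12-15: source address
        IPv4Address(dst).packed,           # bytes 16-19: destination address
    )
    return header + options + payload


def ip_header_len(packet):
    """Header length in bytes, taken from the IHL nibble (20 when no options)."""
    return (packet[0] & 0x0F) * 4


def match_byte_filter(packet, expr):
    """Evaluate a single '[offset:len]=value' term against raw packet bytes.
    Multi-byte fields are compared big-endian, as they sit on the wire."""
    m = re.fullmatch(r"\s*\[(\d+):(\d+)\]\s*=\s*(\d+)\s*", expr)
    if not m:
        raise ValueError(f"unsupported expression: {expr!r}")
    offset, length, value = (int(g) for g in m.groups())
    field = packet[offset:offset + length]
    if len(field) < length:
        return False                       # packet too short to contain the field
    return int.from_bytes(field, "big") == value


def hex_dump_window(packet, transfer_len, dump_offset):
    """Bytes left to print for '-l transfer_len -x dump_offset': the kernel
    transfers at most transfer_len bytes and the dump starts at dump_offset."""
    return packet[dump_offset:transfer_len]


if __name__ == "__main__":
    tcp = build_ipv4_packet(IP_PROTO_TCP, "10.0.0.1", "192.0.2.10", payload=b"\x00" * 120)
    gre = build_ipv4_packet(IP_PROTO_GRE, "10.0.0.1", "192.0.2.10", payload=b"\x00" * 120)
    print("tcp matches [9:1]=6:", match_byte_filter(tcp, "[9:1]=6"))
    print("gre matches [9:1]=6:", match_byte_filter(gre, "[9:1]=6"))
    # src=10.0.0.1 is the same as matching the 4 bytes at offset 12
    print("src is 10.0.0.1:", match_byte_filter(tcp, f"[12:4]={int(IPv4Address('10.0.0.1'))}"))
    print("bytes dumped with -l 100 -x 20:", len(hex_dump_window(tcp, 100, 20)))
    # With 4 bytes of IP options the transport header starts at byte 24, so
    # '-x 20' would begin the dump inside the options, not at the TCP header.
    with_opts = build_ipv4_packet(IP_PROTO_TCP, "10.0.0.1", "192.0.2.10", options=b"\x01" * 4)
    print("header length with options:", ip_header_len(with_opts))
```

Run it as a script to see the four checks; the point of `ip_header_len` is that a fixed `-x 20` is only correct when the IHL nibble is 5, so when a dump looks misaligned, check the first byte of the IP header before blaming the filter.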

fw monitor -e 'accept\;' -m iI will display all packets entering and exiting FireWall-1 in the inbound direction (i.e. before the OS routes the packet).

fw monitor -e 'accept ifid=0,src=10.0.0.1 or dst=10.0.0.1\;' will show you all packets in interface ID 0 coming from or going to 10.0.0.1. The value used for ifid corresponds to a number given to an interface by FireWall-1. You can determine which interface has which number by using the command fw ctl iflist.

fw monitor -e 'accept ifid=0,src=10.0.0.1 or dst=10.0.0.1,ip_p=47\;' does the same thing as the previous command except it looks for packets of IP Protocol 47 only.

fw monitor -e 'accept tcp,dport=80 or sport=80,src=10.0.0.1 or dst=10.0.0.1\;' shows all TCP packets going to or from 10.0.0.1 with either a source port of 80 or a destination port of 80.
