
fw monitor

This command allows you to monitor network traffic going through the FireWall-1 Kernel Module. This is sort of like tcpdump except that it shows you what things look like from the perspective of various parts of FireWall-1 and can be used to monitor all interfaces simultaneously.

There are four "inspection" points as packets pass through FireWall-1. We choose where we want to "see" packets with the -m option:

( i ) = Before FireWall-1 processes the packet in the inbound direction.

( I ) = After FireWall-1 processes packet in the inbound direction.

( o ) = Before FireWall-1 processes the packet in the outbound direction.

( O ) = After FireWall-1 processes the packet in the outbound direction.

Since there can be lots of packets, we need some way of determining which packets we are interested in seeing. We do this by means of an INSPECT filter, which can be typed in directly on the command line or supplied in an INSPECT filter file. One of these options (-f or -e) is required.

Once you execute this command, FireWall-1 will compile the specified INSPECT script (either from the command line or from a file), load it into the kernel module, and display the packets the filter accepts in the terminal window or write them to the output file (which is snoop format). It will continue to do this until an interrupt signal is sent to the program (Ctrl-C), after which it will unload the filter and exit.

The INSPECT script should return an "accept" in order for packets to be displayed. Any other return code will cause packets not to be displayed. If you want to only catch packets on a certain interface, use 'direction=x,ifid=y' where x=0 for inbound, 1 for outbound, and y is an interface number returned by the 'fw ctl iflist' command. Do not use table names that are used by the security policy.

Command Line Options:

-e Specify an INSPECT program line (multiple -e options can be used).
-f INSPECT filter file name ('-' can be used to specify standard input). The -f and -e options are mutually exclusive.
-l Specify how many bytes of each packet should be transferred from the kernel.
-m Specify the inspection points mask: any one or more of i, I, o, O as explained above.
-o Specify an output file (snoop format). It can be opened in Wireshark.

Examples:

fw monitor -e "accept src=192.168.0.1 or dst=192.168.0.1;"
will show you all packets coming from or going to 192.168.0.1.

fw monitor -e "accept ifid=0,src=10.0.0.1 or dst=10.0.0.1,ip_p=47;"
does the same thing as the previous command except that it also restricts the match to packets on ifid 0 with IP protocol 47 only. The value used for ifid corresponds to a number given to an interface by FireWall-1. You can determine which interface has which number by using the command fw ctl iflist.

fw monitor -e "accept tcp,dport=80 or sport=80,src=10.0.0.1 or dst=10.0.0.1;"
shows all tcp packets going to or from 10.0.0.1 with either a source port of 80 or a destination port of 80.
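The -o option writes the accepted packets to a snoop-format file. The following is an added example, not part of the original page, that parses standard RFC 1761 snoop framing in Python and applies the selection of the first filter above (src or dst 192.168.0.1) offline to a constructed capture. It assumes plain Ethernet II framing in the records; any vendor-specific encapsulation FireWall-1 may add is not modelled, so open real captures in Wireshark if the frames do not decode.

```python
import struct
from ipaddress import IPv4Address

SNOOP_MAGIC = b"snoop\0\0\0"  # RFC 1761 file magic; header is magic + version + datalink type

def build_snoop(frames, dlt=4):
    """Write a minimal RFC 1761 snoop file (dlt 4 = Ethernet); frames = [(sec, usec, bytes)]."""
    out = [SNOOP_MAGIC, struct.pack(">II", 2, dlt)]
    for sec, usec, frame in frames:
        pad = (-len(frame)) % 4  # each record is padded to a multiple of 4 bytes
        out.append(struct.pack(">6I", len(frame), len(frame), 24 + len(frame) + pad, 0, sec, usec))
        out.append(frame + b"\0" * pad)
    return b"".join(out)

def parse_snoop(data):
    """Return (datalink_type, [(timestamp, frame_bytes), ...]) from a snoop file."""
    if data[:8] != SNOOP_MAGIC or struct.unpack(">I", data[8:12])[0] != 2:
        raise ValueError("not a version-2 snoop file")
    dlt = struct.unpack(">I", data[12:16])[0]
    pos, packets = 16, []
    while pos + 24 <= len(data):
        # record header: original len, included len, record len, drops, seconds, microseconds
        _orig, incl, rec_len, _drops, sec, usec = struct.unpack(">6I", data[pos:pos + 24])
        if rec_len < 24 + incl or pos + rec_len > len(data):
            raise ValueError("corrupt or truncated record")
        packets.append((sec + usec / 1e6, data[pos + 24:pos + 24 + incl]))
        pos += rec_len
    return dlt, packets

def ipv4_endpoints(frame):
    """(src, dst) of an Ethernet II / IPv4 frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    return str(IPv4Address(frame[26:30])), str(IPv4Address(frame[30:34]))

def packets_for_host(data, host):
    """Offline counterpart of 'accept src=host or dst=host;' over a saved capture."""
    _, packets = parse_snoop(data)
    return [(ts, ep) for ts, frame in packets if (ep := ipv4_endpoints(frame)) and host in ep]

def make_ipv4_frame(src, dst, proto=6):
    """Constructed Ethernet II + IPv4 header (no L4 payload) for the sample capture."""
    eth = bytes.fromhex("020000000001" "020000000002" "0800")  # dst MAC, src MAC, EtherType
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20, 1, 0, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return eth + ip

# Constructed sample capture: two flows involving 192.168.0.1 and one unrelated flow
SAMPLE = build_snoop([(1700000000, 1000, make_ipv4_frame("192.168.0.1", "10.0.0.1")),
                      (1700000000, 2000, make_ipv4_frame("10.0.0.5", "10.0.0.6")),
                      (1700000001, 0, make_ipv4_frame("172.16.1.1", "192.168.0.1", proto=47))])
```

Calling packets_for_host(SAMPLE, "192.168.0.1") returns the first and third records with their (src, dst) pairs; replace SAMPLE with the bytes of a file written by -o to run it on a real capture.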