Viewing Checkpoint Fw Monitor Files In Wireshark

Checkpoints fw monitor utility performs packet captures similar to tcpdump and wireshark. Unlike these utilities it operates above layer 2 and contains no mac address information.  It does contain additional information from the firewall on interface and direction.

To view this additional information in wireshark some extra configuration is required.

  1. Select edit/preferences/protocols/ethernet
  2. Check the box labelled “Attempt to interpret as Firewall-1 monitor file” and press ok
  3. Select edit/preferences/User Interface/columns
  4. Click add to add a new column and name it interface.
  5. From the format dropdown listbox select FW-1 monitor if/direction and press ok

Save the text below to a file colorise.txt

# DO NOT EDIT THIS FILE!  It was created by Wireshark
@FW-Mon-i @ fw1.direction contains "i"@[65535,65535,0][0,0,0]
@FW-Mon-I @fw1.direction contains "I"@[37008,61166,37008][0,0,0]
@FW-Mon-o@fw1.direction contains "o"@[44461,55512,59110][0,0,0]
@FW-Mon-O@ fw1.direction contains "O"@[31161,49051,54875][0,0,0]

  1. Select View/coloring rules
  2. Click import and open the saved file from above
  3. Select the last 4 rules and move them to the top of the list by clicking the up button
  4. Press ok

Your now ready to view the fw monitor files in wireshark.


Laisser un commentaire

Entrez vos coordonnées ci-dessous ou cliquez sur une icône pour vous connecter:


Vous commentez à l'aide de votre compte Déconnexion /  Changer )

Photo Google+

Vous commentez à l'aide de votre compte Google+. Déconnexion /  Changer )

Image Twitter

Vous commentez à l'aide de votre compte Twitter. Déconnexion /  Changer )

Photo Facebook

Vous commentez à l'aide de votre compte Facebook. Déconnexion /  Changer )


Connexion à %s