Wednesday, October 7, 2015

Check Point Packet Captures In CLI

I think most of you know I'm a fan of packet captures when you need to prove the packet is making it. I needed to do this again on a Check Point firewall, and they do make it easy if you know the commands. Below, I need to know if a packet is making it to 192.168.2.59 with a destination port of 25. Looks like it's making it.

CP1> fw monitor -e "host (192.168.2.59) and port (25), accept;"
 monitor: getting filter (from command line)
 monitor: compiling
monitorfilter:
Compiled OK.
 monitor: loading
 monitor: monitoring (control-C to stop)
[vs_0][fw_1] eth1:o[60]: 192.168.1.10 -> 192.168.2.59 (TCP) len=60 id=17090
TCP: 55906 -> 25 .S.... seq=fa7cc851 ack=00000000
[vs_0][fw_1] eth1:O[60]: 192.168.1.10 -> 192.168.2.59 (TCP) len=60 id=17090
TCP: 55906 -> 25 .S.... seq=fa7cc851 ack=00000000
[vs_0][fw_1] eth1:i[60]: 192.168.2.59 -> 192.168.1.10 (TCP) len=60 id=0
TCP: 25 -> 55906 .S..A. seq=8bc062bf ack=fa7cc852
[vs_0][fw_1] eth1:I[60]: 192.168.2.59 -> 192.168.1.10 (TCP) len=60 id=0
TCP: 25 -> 55906 .S..A. seq=8bc062bf ack=fa7cc852
[vs_0][fw_1] eth1:o[52]: 192.168.1.10 -> 192.168.2.59 (TCP) len=52 id=17091
TCP: 55906 -> 25 ....A. seq=fa7cc852 ack=8bc062c0
[vs_0][fw_1] eth1:O[52]: 192.168.1.10 -> 192.168.2.59 (TCP) len=52 id=17091
TCP: 55906 -> 25 ....A. seq=fa7cc852 ack=8bc062c0
[vs_0][fw_1] eth1:i[89]: 192.168.2.59 -> 192.168.1.10 (TCP) len=89 id=16339
TCP: 25 -> 55906 ...PA. seq=8bc062c0 ack=fa7cc852
[vs_0][fw_1] eth1:I[89]: 192.168.2.59 -> 192.168.1.10 (TCP) len=89 id=16339
TCP: 25 -> 55906 ...PA. seq=8bc062c0 ack=fa7cc852
[vs_0][fw_1] eth1:o[52]: 192.168.1.10 -> 192.168.2.59 (TCP) len=52 id=17092
TCP: 55906 -> 25 ....A. seq=fa7cc852 ack=8bc062e5
[vs_0][fw_1] eth1:O[52]: 192.168.1.10 -> 192.168.2.59 (TCP) len=52 id=17092
TCP: 55906 -> 25 ....A. seq=fa7cc852 ack=8bc062e5
[vs_0][fw_1] eth1:o[77]: 192.168.1.10 -> 192.168.2.59 (TCP) len=77 id=17093
TCP: 55906 -> 25 ...PA. seq=fa7cc852 ack=8bc062e5
 monitor: caught sig 2
 monitor: unloading
CP1>
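Reading a longer capture by eye gets tedious, so here is an added example (not part of the original post and not a Check Point tool) that parses saved fw monitor text, reports which inspection points each packet was seen at (i = pre-inbound, I = post-inbound, o = pre-outbound, O = post-outbound), and checks that the three-way handshake to the server completed. The function names and the (src, IP id, seq) packet key are assumptions made for this sketch.

```python
import re
from collections import defaultdict
# Lines copied from the capture in this post: the handshake plus the last packet.
SAMPLE = """\
[vs_0][fw_1] eth1:o[60]: 192.168.1.10 -> 192.168.2.59 (TCP) len=60 id=17090
TCP: 55906 -> 25 .S.... seq=fa7cc851 ack=00000000
[vs_0][fw_1] eth1:O[60]: 192.168.1.10 -> 192.168.2.59 (TCP) len=60 id=17090
TCP: 55906 -> 25 .S.... seq=fa7cc851 ack=00000000
[vs_0][fw_1] eth1:i[60]: 192.168.2.59 -> 192.168.1.10 (TCP) len=60 id=0
TCP: 25 -> 55906 .S..A. seq=8bc062bf ack=fa7cc852
[vs_0][fw_1] eth1:I[60]: 192.168.2.59 -> 192.168.1.10 (TCP) len=60 id=0
TCP: 25 -> 55906 .S..A. seq=8bc062bf ack=fa7cc852
[vs_0][fw_1] eth1:o[52]: 192.168.1.10 -> 192.168.2.59 (TCP) len=52 id=17091
TCP: 55906 -> 25 ....A. seq=fa7cc852 ack=8bc062c0
[vs_0][fw_1] eth1:O[52]: 192.168.1.10 -> 192.168.2.59 (TCP) len=52 id=17091
TCP: 55906 -> 25 ....A. seq=fa7cc852 ack=8bc062c0
[vs_0][fw_1] eth1:o[77]: 192.168.1.10 -> 192.168.2.59 (TCP) len=77 id=17093
TCP: 55906 -> 25 ...PA. seq=fa7cc852 ack=8bc062e5
"""
HDR = re.compile(r"\[vs_\d+\]\[fw_\d+\] (\S+):([iIoO])\[\d+\]: (\S+) -> (\S+) \(TCP\) len=\d+ id=(\d+)")
TCP = re.compile(r"TCP: (\d+) -> (\d+) (\S+) seq=([0-9a-f]+) ack=([0-9a-f]+)")

def parse(text):
    """Pair each header line with the TCP line after it; one dict per sighting."""
    out, hdr = [], None
    for line in text.splitlines():
        h, t = HDR.search(line), TCP.match(line.strip())
        if h:
            hdr = h.groups()
        elif t and hdr:
            out.append(dict(zip(("iface", "point", "src", "dst", "id"), hdr),
                            sport=int(t[1]), dport=int(t[2]), flags=t[3],
                            seq=int(t[4], 16), ack=int(t[5], 16)))
            hdr = None
    return out

def points_seen(pkts):
    """Inspection points each packet hit, keyed by (src, IP id, seq)."""
    seen = defaultdict(str)
    for p in pkts:
        seen[(p["src"], p["id"], p["seq"])] += p["point"]
    return dict(seen)

def handshake_complete(pkts, server, port):
    """True if SYN, SYN/ACK and final ACK for server:port line up by seq/ack."""
    for syn in (p for p in pkts if p["dst"] == server and p["dport"] == port and "S" in p["flags"] and "A" not in p["flags"]):
        for sa in (p for p in pkts if p["src"] == server and "S" in p["flags"] and p["ack"] == (syn["seq"] + 1) % 2**32):
            if any(p["dst"] == server and "S" not in p["flags"] and "A" in p["flags"] and p["ack"] == (sa["seq"] + 1) % 2**32 for p in pkts):
                return True
    return False
```

A packet that shows a pre point without its matching post point (like id=17093 here, seen only at "o") is worth a second look; in this capture it is simply where control-C stopped the monitor.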
