Tuesday, July 7, 2015

Packet Capture: Check Point CLI To Wireshark Dump

It is always helpful to be able to take a packet capture from a firewall when you need one.  Here, on a Check Point 2200 firewall, I needed to see what was going on during a trouble call, so I wanted to take a packet capture in a Wireshark-readable format.  Here is how I did that.

[Expert@CPFW:0]# fw monitor -i -p all -o capture2.cap
 monitor: getting filter (from command line)
 monitor: compiling
monitorfilter:
Compiled OK.
 monitor: loading
in chain (16):
        0: -7f800000 (f2768890) (ffffffff) IP Options Strip (in) (ipopt_strip)
        1: -7d000000 (f14e5690) (00000003) vpn multik forward in
        2: - 2000000 (f14bda30) (00000003) vpn decrypt (vpn)
        3: - 1fffffa (f14d6070) (00000001) l2tp inbound (l2tp)
        4: - 1fffff8 (f276a040) (00000001) Stateless verifications (in) (asm)
        5: - 1fffff7 (f27a9500) (00000001) fw multik misc proto forwarding
        6: - 1fffff2 (f14f65c0) (00000003) vpn tagging inbound (tagging)
        7: - 1fffff0 (f14bc5f0) (00000003) vpn decrypt verify (vpn_ver)
        8: - 1000000 (f28493a0) (00000003) SecureXL conn sync (secxl_sync)
        9:         0 (f270d390) (00000001) fw VM inbound  (fw)
        10:   2000000 (f14bbc60) (00000003) vpn policy inbound (vpn_pol)
        11:  10000000 (f2847420) (00000003) SecureXL inbound (secxl)
        12:  7f600000 (f275de30) (00000001) fw SCV inbound (scv)
        13:  7f730000 (f2966080) (00000001) passive streaming (in) (pass_str)
        14:  7f750000 (f2b76c90) (00000001) TCP streaming (in) (cpas)
        15:  7f800000 (f2768c30) (ffffffff) IP Options Restore (in) (ipopt_res)
out chain (14):
        0: -7f800000 (f2768890) (ffffffff) IP Options Strip (out) (ipopt_strip)
        1: -78000000 (f14e5670) (00000003) vpn multik forward out
        2: - 1ffffff (f14bb520) (00000003) vpn nat outbound (vpn_nat)
        3: - 1fffff0 (f2b76ec0) (00000001) TCP streaming (out) (cpas)
        4: - 1ffff50 (f2966080) (00000001) passive streaming (out) (pass_str)
        5: - 1ff0000 (f14f65c0) (00000003) vpn tagging outbound (tagging)
        6: - 1f00000 (f276a040) (00000001) Stateless verifications (out) (asm)
        7:         0 (f270d390) (00000001) fw VM outbound (fw)
        8:   2000000 (f14bb740) (00000003) vpn policy outbound (vpn_pol)
        9:  10000000 (f2847420) (00000003) SecureXL outbound (secxl)
        10:  1ffffff0 (f14d6c20) (00000001) l2tp outbound (l2tp)
        11:  20000000 (f14be470) (00000003) vpn encrypt (vpn)
        12:  7f700000 (f2b770b0) (00000001) TCP streaming post VM (cpas)
        13:  7f800000 (f2768c30) (ffffffff) IP Options Restore (out) (ipopt_res)
 monitor: monitoring (control-C to stop)
15752  monitor: caught sig 2
 monitor: unloading
[Expert@CPFW:0]# ls -l
total 48240
-rw-rw-r-- 1 admin root 29636521 Jun  3 10:10 CPFWCPinfo.tgz.gz
-rw-r----- 1 admin root  5738635 Jun  1 14:52 CPFW_1_6_2015_14_50.CPViewDB.dat.gz
-rw-r--r-- 1 admin root  5735899 Jun  3 10:10 CPFW_3_6_2015_10_08.CPViewDB.dat.gz
-rw-rw---- 1 admin root  2655555 Jun 11 13:50 capture.test.txt
-rw-rw---- 1 admin root     1480 Jun 11 13:39 capture1
-rw-rw---- 1 admin root  5517380 Jun 11 14:00 capture2.cap
-rwxrwx--- 1 admin root    13894 Apr 21 12:53 crypt.def
[Expert@CPFW:0]# ftp 192.168.50.60
Connected to 192.168.50.60 (192.168.50.60).
220-GuildFTPd FTP Server (c) 1997-2002
220-Version 0.999.14
220 Please enter your name:
Name (192.168.50.60:admin): shane
331 User name okay, Need password.
Password:
230 User logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bi
200 Type set to I.
ftp> put capture2.cap
local: capture2.cap remote: capture2.cap
227 Entering Passive Mode (192,168,50,60,201,12)
150 Opening binary mode data connection for /capture2.cap.
226 Transfer complete. 5517380 bytes in 2 sec. (2758.69 Kb/s).
5517380 bytes sent in 1.56 secs (3.5e+03 Kbytes/sec)
ftp> bye
221 Goodbye.  Control connection closed.
[Expert@CPFW:0]#
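Before moving a capture file off the gateway it is worth confirming that it is a well-formed, Wireshark-readable file and that nothing was cut short. The script below is an added example, not code from the original post or from Check Point; it recognises the two layouts Wireshark commonly reads from appliance captures, libpcap and RFC 1761 snoop (which one a given fw monitor build writes is not stated on this page, so both are handled), walks every record, and reports record count, captured bytes, packets snapped by the snaplen and the time span, rejecting truncated or unknown files. The sample packets, the file name check_capture.py and the 60/1514-byte frames are constructed for the example. Note that a record count is not a unique-packet count: with -p all, a packet captured at several inspection points appears once per point.

```python
"""Sanity-check a firewall packet capture before transferring it (added example)."""
import struct
from typing import Dict, List, Tuple

PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"    # libpcap written on a little-endian host
PCAP_MAGIC_BE = b"\xa1\xb2\xc3\xd4"    # libpcap written on a big-endian host
SNOOP_MAGIC = b"snoop\x00\x00\x00"     # snoop file header (RFC 1761)

# Constructed sample data: (timestamp in seconds, captured bytes, original wire length).
# The second entry simulates a frame cut short by the snaplen.
SAMPLE_PACKETS: List[Tuple[float, bytes, int]] = [
    (1433336400.000100, bytes(range(60)), 60),
    (1433336400.000350, bytes(range(40)), 1514),
]

Record = Tuple[int, int, int, int]  # (ts_sec, ts_usec, captured_len, original_len)


def _split_ts(ts: float) -> Tuple[int, int]:
    sec = int(ts)
    return sec, int(round((ts - sec) * 1e6))


def build_pcap(packets, linktype: int = 1, snaplen: int = 65535) -> bytes:
    """Write a little-endian libpcap file (linktype 1 = Ethernet)."""
    out = bytearray(PCAP_MAGIC_LE + struct.pack("<HHiIII", 2, 4, 0, 0, snaplen, linktype))
    for ts, frame, orig in packets:
        sec, usec = _split_ts(ts)
        out += struct.pack("<IIII", sec, usec, len(frame), orig) + frame
    return bytes(out)


def build_snoop(packets, linktype: int = 4) -> bytes:
    """Write a snoop v2 file (datalink 4 = Ethernet); records are padded to 4 bytes."""
    out = bytearray(SNOOP_MAGIC + struct.pack(">II", 2, linktype))
    for ts, frame, orig in packets:
        sec, usec = _split_ts(ts)
        pad = (-len(frame)) % 4
        reclen = 24 + len(frame) + pad
        out += struct.pack(">IIIIII", orig, len(frame), reclen, 0, sec, usec) + frame + b"\0" * pad
    return bytes(out)


def parse_pcap(data: bytes) -> Dict:
    endian = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a libpcap file")
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    records: List[Record] = []
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + incl > len(data):
            raise ValueError("truncated packet record at offset %d" % (off - 16))
        records.append((sec, usec, incl, orig))
        off += incl
    if off != len(data):
        raise ValueError("%d trailing bytes after last record" % (len(data) - off))
    return {"format": "pcap", "version": (major, minor), "linktype": linktype,
            "snaplen": snaplen, "records": records}


def parse_snoop(data: bytes) -> Dict:
    if data[:8] != SNOOP_MAGIC:
        raise ValueError("not a snoop file")
    version, linktype = struct.unpack(">II", data[8:16])
    if version != 2:
        raise ValueError("unsupported snoop version %d" % version)
    records: List[Record] = []
    off = 16
    while off + 24 <= len(data):
        orig, incl, reclen, _drops, sec, usec = struct.unpack(">IIIIII", data[off:off + 24])
        if reclen < 24 + incl or off + reclen > len(data):
            raise ValueError("truncated or corrupt record at offset %d" % off)
        records.append((sec, usec, incl, orig))
        off += reclen
    if off != len(data):
        raise ValueError("%d trailing bytes after last record" % (len(data) - off))
    return {"format": "snoop", "version": (version,), "linktype": linktype,
            "snaplen": None, "records": records}


def summarize(data: bytes) -> Dict:
    """Dispatch on the magic bytes and add aggregate figures to the parsed header."""
    if data[:4] in (PCAP_MAGIC_LE, PCAP_MAGIC_BE):
        info = parse_pcap(data)
    elif data[:8] == SNOOP_MAGIC:
        info = parse_snoop(data)
    else:
        raise ValueError("unrecognised capture format, leading bytes %r" % data[:8])
    recs = info["records"]
    info["count"] = len(recs)
    info["captured_bytes"] = sum(r[2] for r in recs)
    info["snapped"] = sum(1 for r in recs if r[2] < r[3])   # cut short by the snaplen
    if recs:
        (s0, u0), (s1, u1) = recs[0][:2], recs[-1][:2]
        info["duration_us"] = (s1 - s0) * 1_000_000 + (u1 - u0)
    else:
        info["duration_us"] = 0
    return info


def check_capture(data: bytes) -> Tuple[bool, str]:
    """Return (ok, one-line message) suitable for a pre-transfer check."""
    try:
        info = summarize(data)
    except (ValueError, struct.error) as exc:
        return False, "capture rejected: %s" % exc
    return True, "%s file, linktype %d, %d records, %d bytes captured, %d snapped, %d us span" % (
        info["format"], info["linktype"], info["count"], info["captured_bytes"],
        info["snapped"], info["duration_us"])


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                      # e.g. python check_capture.py capture2.cap
        with open(sys.argv[1], "rb") as fh:
            print(check_capture(fh.read())[1])
    else:                                      # no file given: exercise the constructed samples
        for blob in (build_pcap(SAMPLE_PACKETS), build_snoop(SAMPLE_PACKETS)):
            print(check_capture(blob)[1])
```

Run it against the capture file on the gateway or on the workstation after the transfer; a "capture rejected" result means the file was truncated (an interrupted write or transfer) or is not in a format Wireshark will open. The transfer shown in the post uses FTP, which carries both the login and the capture contents in the clear, so the same check is worth running whichever transport is used to get the file off the box.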

1 comment:

  1. Nothing like a packet capture to understand exactly what is going on, and to stop the finger pointing!! Nice post Shane!

