Wireshark modification for Check Point

Article ID: 167833

Updated On:

Products

XOS

Issue/Introduction

This article explains how to configure Wireshark so that the Check Point chain positions ('i', 'I', 'o', and 'O') are visible in a 'fw monitor' capture.
A customer captured traffic with the Check Point 'fw monitor' tool and wants to analyze it in Wireshark with the firewall chain positions ('i', 'I', 'o', and 'O') taken into account.

With the default settings, Wireshark decodes the 'fw monitor' packets but does not display the firewall chain positions or other fields such as the UUID.
 

Cause

By default, Wireshark does not display the Check Point chain positions ('i', 'I', 'o', and 'O') in a 'fw monitor' capture.

Resolution

To configure Wireshark to read and interpret 'fw monitor' files correctly, do the following:

In the Wireshark user interface, select Edit > Preferences, then:
- Go to 'User Interface' > 'Columns' and add a new column named 'Interface', with 'Field type' set to 'FW-1 monitor if/direction'.
- Go to 'Protocols' > 'Ethernet' and select the 'Attempt to interpret as Firewall-1 monitor file' option.
- Click 'OK'.
 
Wireshark can now read 'fw monitor' files correctly. To make the result easier to read, you can also add colorization rules:

Select one packet, open the 'FW1 Monitor' layer in the packet details pane, right-click 'Direction: i', go to 'Colorize with Filter' and choose a color.

Repeat this for the other FW1 chain positions: 'I', 'o', and 'O'.
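For scripted analysis of the same capture, the following is an added example (not part of the Check Point article): the tshark equivalent of the Ethernet preference above, plus a small awk report that follows each packet through the i/I/o/O positions and lists packets that entered a chain but never left it. The preference name `eth.interpret_as_fw1_monitor`, the field names `fw1.direction`, `fw1.interface` and `fw1.uuid`, and the assumption that the UUID stays constant for one packet across chain positions are taken from Wireshark's FW-1 dissector and are assumptions here, not statements from the article.

```shell
#!/bin/sh
# Added example, not code from the Check Point article.
# Assumed names: eth.interpret_as_fw1_monitor (Ethernet preference),
# fw1.direction / fw1.interface / fw1.uuid (FW-1 monitor dissector fields).

# Export one tab-separated line per packet from an fw monitor capture:
# frame, chain position, interface, uuid, source IP, destination IP.
fw1_export() {
    tshark -r "$1" \
        -o eth.interpret_as_fw1_monitor:TRUE \
        -T fields -E separator=/t \
        -e frame.number -e fw1.direction -e fw1.interface -e fw1.uuid \
        -e ip.src -e ip.dst
}

# Summarise exported lines on stdin: packet count per chain position, then
# packets that were seen entering a chain ('i' or 'o') but not leaving it
# ('I' or 'O'), which is where an inspection drop shows up in fw monitor.
# Assumes fw1.uuid (column 4) identifies the same packet at every position.
fw1_chain_report() {
    awk -F'\t' '
        $2 != "" {
            count[$2]++
            seen[$4 "," $2] = 1
            uuids[$4] = 1
            flow[$4] = $5 " -> " $6
        }
        END {
            n = split("i I o O", order, " ")
            for (k = 1; k <= n; k++)
                printf "%s %d\n", order[k], count[order[k]] + 0
            for (u in uuids) {
                if (seen[u ",i"] && !seen[u ",I"])
                    printf "stopped-inbound %s %s\n", u, flow[u]
                if (seen[u ",o"] && !seen[u ",O"])
                    printf "stopped-outbound %s %s\n", u, flow[u]
            }
        }'
}
```

Typical use is `fw1_export capture.cap | fw1_chain_report`; a packet that appears at 'i' but not 'I' was stopped by the inbound inspection chain, which is exactly what the colorized view above lets you spot by eye.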
 

Workaround

N/A