To customize Wireshark to properly read and interpret 'fw monitor' files, do the following:
In the Wireshark user interface, select Edit > Preferences, then:
- Go to 'User Interface' > 'Columns', add a new column named 'Interface', and set its 'Field type' to 'FW-1 monitor if/direction'
- Go to 'Protocols' > 'Ethernet', and select the 'Attempt to interpret as Firewall-1 monitor file' option
- Click 'OK'
Now you will be able to properly read 'fw monitor' files, but to make the result more readable you can also add some colorization rules.
Select one packet, go to the packet details pane and expand the 'FW1 Monitor' layer. Right-click 'Direction: i', go to 'Colorize with Filter' and choose a color.
Repeat this process for the other FW1 chain positions: 'I', 'o', and 'O' (lowercase is the packet before the firewall kernel processes it, uppercase after; i/I is inbound, o/O is outbound).
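The same four colorization rules expressed as a Wireshark 'colorfilters' profile file, added here as an example rather than taken from the original page. It assumes the FW-1 dissector exposes the chain letter as the string field fw1.direction and that the file lives in the personal configuration directory of the active profile (for example ~/.config/wireshark/ on Linux or %APPDATA%\Wireshark\ on Windows); the colors are arbitrary choices.

```text
# Wireshark colorfilters rules for Check Point fw monitor chain positions.
# One rule per line: @name@display filter@[background R,G,B][foreground R,G,B]
# Color components range from 0 to 65535. First matching rule wins.
# Assumption: the FW-1 dissector field 'fw1.direction' carries the chain letter.
@fw monitor i (inbound, before the firewall)@fw1.direction == "i"@[49151,65535,49151][0,0,0]
@fw monitor I (inbound, after the firewall)@fw1.direction == "I"@[0,39321,0][65535,65535,65535]
@fw monitor o (outbound, before the firewall)@fw1.direction == "o"@[65535,55000,40000][0,0,0]
@fw monitor O (outbound, after the firewall)@fw1.direction == "O"@[52000,26000,0][65535,65535,65535]
```

Put these lines above Wireshark's default rules so they are matched first, then reopen View > Coloring Rules (or restart Wireshark) to apply them.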