Wireshark modification for Check Point


Article ID: 167833
This article explains how to modify Wireshark in order to see the Check Point chains ('i', 'I', 'o', and 'O') in a 'fw monitor' capture.
A customer captured traffic with the Check Point 'fw monitor' tool and wants to analyze it in Wireshark while taking the firewall chains ('i', 'I', 'o', and 'O') into consideration.

Without any changes, Wireshark decodes the 'fw monitor' packets but does not show the firewall chains or the other FW-1 fields, such as the UUID.


By default, Wireshark does not display the Check Point chains ('i', 'I', 'o', and 'O') in a 'fw monitor' capture.


To customize Wireshark so that it reads and interprets 'fw monitor' files correctly, do the following:
- In the Wireshark user interface, select Edit > Preferences
- Go to 'User Interface' > 'Columns' and add a new column named 'Interface', choosing 'FW-1 monitor if/direction' as its 'Field type'
- Go to 'Protocols' > 'Ethernet' and select the 'Attempt to interpret as Firewall-1 monitor file' option
- Click 'OK'

Wireshark will now read 'fw monitor' files properly. To make the result more readable, you can also add some colorization rules.
Select one packet, go to the frame details section and expand the 'FW1 Monitor' layer. Right-click 'Direction: i', go to 'Colorize with Filter' and choose a color.
Repeat this process for the other FW1 chains: 'I', 'o', and 'O'.
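The same Ethernet preference can be applied non-interactively with tshark, and the extracted chain fields post-processed to find packets that entered the gateway but never reached the post-inbound chain. The following Python is an added example, not part of this article; it assumes the tshark preference key 'eth.interpret_as_fw1_monitor' and the FW-1 dissector field names 'fw1.direction' and 'fw1.interface', and runs on constructed sample output.

```python
import subprocess
from collections import Counter, defaultdict

# Field names assumed for Wireshark's FW-1 monitor dissector plus IP correlation keys.
FIELDS = ["fw1.direction", "fw1.interface", "ip.src", "ip.dst", "ip.id"]

def tshark_cmd(capture_path):
    """Build the tshark argv that sets the same 'Ethernet' preference the GUI steps enable."""
    cmd = ["tshark", "-r", capture_path,
           "-o", "eth.interpret_as_fw1_monitor:TRUE",  # Protocols > Ethernet option
           "-T", "fields", "-E", "separator=/t"]      # tshark spells tab as /t
    for field in FIELDS:
        cmd += ["-e", field]
    return cmd

def parse_fields(output):
    """Turn tab-separated 'tshark -T fields' output into one dict per frame."""
    rows = []
    for line in output.splitlines():
        parts = line.split("\t")
        if len(parts) == len(FIELDS) and parts[0]:   # skip blank and non-FW-1 frames
            rows.append(dict(zip(FIELDS, parts)))
    return rows

def chain_summary(rows):
    """Frames per (interface, chain): i/o = before inbound/outbound inspection, I/O = after."""
    return Counter((r["fw1.interface"], r["fw1.direction"]) for r in rows)

def inbound_drops(rows):
    """Packets seen at 'i' but never at 'I': they reached the gateway and did not
    pass inbound inspection. Correlated by (ip.src, ip.dst, ip.id)."""
    chains = defaultdict(set)
    for r in rows:
        chains[(r["ip.src"], r["ip.dst"], r["ip.id"])].add(r["fw1.direction"])
    return sorted(k for k, seen in chains.items() if "i" in seen and "I" not in seen)

def analyze(capture_path):
    """Run tshark on a real capture file and return (chain summary, inbound drops)."""
    out = subprocess.run(tshark_cmd(capture_path), capture_output=True,
                         text=True, check=True).stdout
    rows = parse_fields(out)
    return chain_summary(rows), inbound_drops(rows)

# Constructed sample of what the command above prints: one forwarded packet (all four
# chains), one dropped inbound (only 'i'), one delivered to the gateway itself ('i', 'I').
SAMPLE = "\n".join([
    "i\teth0\t10.0.0.7\t10.0.1.5\t0x0100", "I\teth0\t10.0.0.7\t10.0.1.5\t0x0100",
    "o\teth1\t10.0.0.7\t10.0.1.5\t0x0100", "O\teth1\t10.0.0.7\t10.0.1.5\t0x0100",
    "i\teth0\t10.0.0.9\t10.0.1.5\t0x0200",
    "i\teth0\t10.0.0.8\t10.0.1.1\t0x0300", "I\teth0\t10.0.0.8\t10.0.1.1\t0x0300",
])

if __name__ == "__main__":
    rows = parse_fields(SAMPLE)
    print(chain_summary(rows))
    print("dropped inbound:", inbound_drops(rows))
```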