Troubleshooting guide

Chapter 2 Troubleshooting Tools FireWall-1 Monitor Command
Advanced Technical Reference Guide 4.1 June 2000 16
FireWall-1 Monitor Command
The fw monitor command can be used to monitor network traffic through the FireWall. This is done by
loading a special INSPECT filter (separate from the one that is used to implement the security policy) that is
used to filter out interesting packets which are then displayed to the user.
Syntax
fw monitor [-d] [-D] <{-e expr}+|-f <filter-file|->> [-l len] [-m mask] [-x offset[,len]] [-o <file>]
The filter can be specified from a file (-f option) or from the command line (-e option).
There are 4 inspection points along the passage of a packet through VPN-1/FireWall-1:
Before the virtual machine in the inbound direction (i or PREIN)
After the virtual machine in the inbound direction (I or POSTIN)
Before the virtual machine in the outbound direction (o or PREOUT)
After the virtual machine in the outbound direction (O or POSTOUT)
The term virtual machine above refers to most of the packet processing done by the FireWall (including virtual
defragmentation, NAT, encryption, etc.), not only to the INSPECT code execution.
Once started, the command compiles the specified INSPECT filter program, loads it into the kernel (without
replacing the security policy), and then continuously gets packets from the kernel and displays them in the
terminal window from which the command was issued. Upon an interrupt signal (Control-C) or another catchable
signal, the program stops displaying packets, unloads the monitor filter and exits.
The INSPECT program used to filter the monitored packets should return accept in order for the packet to be
displayed; any other return code from INSPECT (or the implicit drop at the end) causes the packet not to be
displayed. No scoping should be used in the filter program (e.g. => le0@all...), since the same filter is
executed on all interfaces and in all directions. Instead, an expression such as direction=0,ifid=1 should be used
(the interface id number for an interface can be found using the fw ctl iflist command). Tables and
functions can be used; care should be taken, though, not to use table names that are used by the security policy.
Unless the -o option was specified, packets are displayed on the standard output (control messages are printed
on the standard error). The first line displays IP information, and the next lines display protocol-specific
information (for TCP, UDP or ICMP). If the display option (-x) is used, the following lines show a hex
dump and printable-character display of the packet content.
Packets are inspected in all 4 points mentioned above unless a mask is specified (-m option).
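As an added illustration (not from the guide and not Check Point code), the following Python model shows how the rules above combine: the same filter program runs at each of the four inspection points, only an accept result displays the packet, and -m limits the points at which it is shown. It assumes that direction 0 is inbound and 1 outbound, that the -m mask is spelled with the point letters i, I, o, O listed above, and stands a Python callable in for the INSPECT program.

```python
"""Model of how fw monitor applies one filter at the four inspection points.
Added illustration, not Check Point code. Assumptions beyond the text:
direction 0 is inbound and 1 outbound, the -m mask uses the point letters
i, I, o, O, and the INSPECT program is stood in for by a Python callable."""
from dataclasses import dataclass

# (mask letter, point name, direction) in traversal order; the letters and
# names come from the text, the direction values are an assumption.
POINTS = (("i", "PREIN", 0), ("I", "POSTIN", 0),
          ("o", "PREOUT", 1), ("O", "POSTOUT", 1))
MASK_LETTERS = {letter for letter, _, _ in POINTS}

@dataclass
class Packet:
    src: str
    dst: str
    ifid_in: int   # interface the packet arrived on (see fw ctl iflist)
    ifid_out: int  # interface the packet is routed out of

def parse_mask(mask):
    """Validate an -m argument; an empty mask means all four points."""
    letters = set(mask or "")
    bad = letters - MASK_LETTERS
    if bad:
        raise ValueError(f"unknown inspection point(s) in mask: {sorted(bad)}")
    return letters or set(MASK_LETTERS)

def check_filter_text(expr):
    """Reject a scoped filter such as 'le0@all': the monitor filter runs on
    every interface and direction, so select with direction=..., ifid=..."""
    if "@" in expr:
        raise ValueError("scoping is not allowed in a monitor filter")
    return expr

def monitor(packet, filt, mask=""):
    """Return the point names at which the packet would be displayed.
    filt(packet, direction, ifid) must return 'accept' for the packet to be
    shown; any other result (the implicit drop included) hides it."""
    wanted = parse_mask(mask)
    shown = []
    for letter, name, direction in POINTS:
        # At the inbound points ifid is the arrival interface, at the
        # outbound points the egress interface.
        ifid = packet.ifid_in if direction == 0 else packet.ifid_out
        if letter in wanted and filt(packet, direction, ifid) == "accept":
            shown.append(name)
    return shown
```

A filter equivalent to direction=0,ifid=1 therefore shows a packet arriving on interface 1 at PREIN and POSTIN only, and adding -m I narrows that to POSTIN.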