Troubleshooting guide
Chapter 2 Troubleshooting Tools FireWall-1 Monitor Command
Advanced Technical Reference Guide 4.1 • June 2000 17
Options
Switch:  Explanation:
-d       Provides lower-level debug output from the filter loading process.
-D       Provides higher-level debug output from the filter loading process.
-e       Specify an INSPECT program line (multiple -e options can be used).
-f       Specify an INSPECT filter file name ('-' means the standard input); the file is copied before
         compilation. The -f and -e options are mutually exclusive.
-l       Specify how much of the packet should be transferred from the kernel (for packets longer than
         the specified length only a prefix will be available for display).
-m       Specify the inspection points mask; any one or more of i, I, o, or O can be used (the meaning of
         each is explained above).
-o       Specify an output file. Save 'monitored' packets in the output file as they are monitored. During
         the monitoring, a count of the number of packets saved in the file is displayed. The content of
         the file can later be examined by the snoop -i <file> command.
-x       Specify display parameters. When this option is present, the IP and protocol information will be
         followed by a hex dump and printable character display, starting at offset bytes into the
         packet for len bytes long. (If offset + len is larger than the length specified by the -l option, only
         the data available will be displayed.)
Examples
fw monitor -e '[9:1]=6,accept;' -l 100 -m iO -x 20
This will display all TCP packets going through the FireWall, once before the virtual machine in the inbound
direction and once after the virtual machine in the outbound direction (provided, of course, that the FireWall
allowed the packet to pass). Up to 80 bytes of the TCP header and data will be displayed (assuming no IP
options).
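The following Python model is an added example, not code from the Check Point guide: it shows what the filter '[9:1]=6' in the example above selects (byte 9 of the IP header, the protocol number, equal to 6 for TCP) and how the -l snap length limits what a '-x offset len' display can show. The packet bytes, and the assumption that -x takes an offset and a length as described in the option table, are constructed for illustration.

```python
# Added example (not from the Check Point guide): models how the fw monitor
# filter '[9:1]=6' and the -l / -x options act on one captured packet.

def inspect_field(pkt: bytes, offset: int, length: int) -> int:
    """Value of the INSPECT expression [offset:length]: the big-endian
    integer formed by `length` bytes starting at byte `offset`."""
    return int.from_bytes(pkt[offset:offset + length], "big")

def matches_tcp(pkt: bytes) -> bool:
    """Equivalent of the filter '[9:1]=6,accept;': byte 9 of the IP header
    is the protocol field, and 6 is TCP."""
    return inspect_field(pkt, 9, 1) == 6

def display_window(pkt: bytes, snap_len: int, offset: int, length: int) -> bytes:
    """Bytes shown by '-x offset length' when only snap_len bytes (-l) were
    copied from the kernel: if offset + length exceeds snap_len, only the
    data actually available is displayed."""
    available = pkt[:snap_len]
    return available[offset:offset + length]

def hex_dump(data: bytes, width: int = 16) -> str:
    """Hex plus printable-character display, in the spirit of fw monitor -x."""
    lines = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{i:04x}  {hexpart:<{width * 3}} {text}")
    return "\n".join(lines)

# Constructed sample (checksums not validated): a 20-byte IPv4 header with
# protocol 6, a 20-byte TCP header (dst port 21), and a short FTP payload.
IP_HDR = bytes.fromhex("45000040000040004006b1e6c0a80001c0a80002")
TCP_HDR = bytes.fromhex("04d20015000000010000000050180200a6c40000")
SAMPLE_TCP = IP_HDR + TCP_HDR + b"USER anonymous\r\n"
# Same header with protocol 17 (UDP), so the TCP filter must reject it.
SAMPLE_UDP = IP_HDR[:9] + b"\x11" + IP_HDR[10:] + b"\x00" * 8

if __name__ == "__main__":
    for name, pkt in (("tcp", SAMPLE_TCP), ("udp", SAMPLE_UDP)):
        print(name, "matches [9:1]=6:", matches_tcp(pkt))
    # -l 100 -x 20 (80 bytes) on a 56-byte packet: TCP header and data only.
    print(hex_dump(display_window(SAMPLE_TCP, 100, 20, 80)))
    # -l 30 with the same -x: only 10 bytes past offset 20 are available.
    print(hex_dump(display_window(SAMPLE_TCP, 30, 20, 80)))
```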
fw monitor -e 'accept;' -m iI -o /tmp/monitor.snp
<ctrl-c>
snoop -i /tmp/monitor.snp -V -x14 tcp port ftp or tcp port ftp-data
This will save all packets going into the FireWall, once before the virtual machine in the inbound direction and
once after the virtual machine in the inbound direction, in the file /tmp/monitor.snp. This file should later
be copied to a Solaris machine, where it can be examined with the snoop utility. In the example above, only
TCP packets going to or from the ftp or ftp-data ports are displayed.
Alert - 19 Dec 1999 - A security hole has been discovered in the "snoop" application that could allow
a malicious user to gain privileged access to a machine running "snoop".
Sun Microsystems has provided patches to fix this security hole. They can be downloaded from:
http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-license&nav=pub-patches
Sun has issued a Security Bulletin #00190 regarding this vulnerability. See
http://sunsolve.sun.com/pub-cgi/secBulletin.pl
Since "snoop" presents a security risk, Check Point recommends that running snoop be
avoided. fw monitor should be used instead, which will usually provide more information than