Tuesday, January 2, 2018

Checkpoint File Captures

A brief self-reminder on how to run packet captures on Check Point firewalls.
There are far more detailed guides out there, but these are the basics.

TCPDUMP
True packet capture, capable of writing a PCAP file that Wireshark can open. Options go before the filter expression:
tcpdump -i eth1 -w (unknown).pcap host a.b.c.d
A few filter examples:
tcpdump src a.b.c.d                 Show all traffic from the IP
tcpdump dst a.b.c.d                 Show all traffic to the IP
tcpdump net a.b.c.0/24              Traffic to and from the a.b.c.0/24 network
tcpdump port 123                    NTP example (any traffic on port 123)
tcpdump udp and dst port 53         Protocol filter combined with a DNS filter
tcpdump portrange 1000-1100         Traffic on any port in the range 1000-1100


FW MONITOR
Not as verbose or low-level as tcpdump, but good enough for a quick snapshot. The filter is an INSPECT expression: comparisons use key=value (src=, dst=, sport=, dport=), and the expression must end with a semicolon.

# packets with IP a.b.c.d as SRC or DST
fw monitor -e "accept host(a.b.c.d);"

# all packets between a pair of src and dst IPs
fw monitor -e "accept src=a.b.c.d and dst=w.x.y.z;"

# UDP traffic from or to DNS
fw monitor -e "accept udp and (sport=53 or dport=53);"
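The two sections above both boil down to composing a command line correctly (options before the BPF filter for tcpdump; key=value comparisons and a trailing semicolon for fw monitor) and then checking that the capture file is actually readable. The script below is an added example, not part of the original post or of any Check Point tooling: it builds both command lines, guards against the common mistakes, and verifies the resulting file by reading it back with tcpdump. The interface name, filters, file paths and the packet cap of 10000 are placeholders chosen for illustration; `-o` is fw monitor's real output-file option and `-d` is tcpdump's real "dump compiled filter" option.

```shell
#!/bin/sh
# Added example (not from the original post): compose and sanity-check
# capture commands for tcpdump and fw monitor on a Check Point gateway.
# Interface names, filters and file names below are placeholders.

# Compose a tcpdump command line. Options precede the BPF filter so the
# filter is never mistaken for an option. -nn avoids DNS and port-name
# lookups from the gateway, -s 0 keeps whole packets, and -c caps the
# packet count so an unattended capture cannot fill the disk.
build_tcpdump_cmd() {
    iface="$1"              # e.g. eth1
    filter="$2"             # BPF expression, e.g. "host 10.0.0.5"
    outfile="$3"            # pcap path
    maxpkts="${4:-10000}"   # assumed default cap; adjust per capture
    printf 'tcpdump -nn -s 0 -i %s -c %s -w %s %s' \
        "$iface" "$maxpkts" "$outfile" "$filter"
}

# Compose an fw monitor command line. The INSPECT filter must end with a
# semicolon; append one if the caller forgot it. -o writes a capture file.
build_fw_monitor_cmd() {
    expr="$1"               # e.g. "src=10.0.0.5 and dst=10.0.0.9"
    outfile="$2"            # capture path
    case "$expr" in
        *\;) ;;             # already terminated
        *) expr="$expr;" ;; # add the terminating semicolon
    esac
    printf 'fw monitor -e "accept %s" -o %s' "$expr" "$outfile"
}

# Compile a BPF filter without capturing: tcpdump -d prints the compiled
# program and exits non-zero on a syntax error. Returns 2 when tcpdump is
# not installed so callers can tell that apart from a bad filter. Needs
# to run as root on the gateway because -d still opens the interface.
check_bpf_filter() {
    iface="$1"; filter="$2"
    command -v tcpdump >/dev/null 2>&1 || return 2
    tcpdump -i "$iface" -d "$filter" >/dev/null 2>&1
}

# Run a composed capture command, then read the file back and report the
# packet count so a zero-packet (wrong interface or filter) run is obvious.
run_capture() {
    cmd="$1"; outfile="$2"
    [ "$(id -u)" -eq 0 ] || { echo "run_capture: must be root" >&2; return 1; }
    echo "running: $cmd"
    sh -c "$cmd" || return 1
    printf 'packets in %s: ' "$outfile"
    tcpdump -nn -r "$outfile" 2>/dev/null | wc -l
}
```

Typical use in expert mode on the gateway: `cmd=$(build_tcpdump_cmd eth1 'host 10.0.0.5' /var/tmp/cap.pcap 500)` followed by `check_bpf_filter eth1 'host 10.0.0.5' && run_capture "$cmd" /var/tmp/cap.pcap`. The fw monitor variant is the same with `build_fw_monitor_cmd 'src=10.0.0.5 and dst=10.0.0.9' /var/tmp/fw.cap`, and the resulting file opens in Wireshark like any other capture.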
