fw monitor – the missing table

Posted on August 22, 2011

0



For the fw monitor Checkpoint has wrote a dokumentation with the name fw_monitor_rev1_01.pdf. This document is old and – I guess – was never updated with the missing features that can be used to filter with fw monitor.

There is a table that I got actually from the site: http://yurisk.info/2009/12/12/fw-monitor-command-reference/

I just copy it here in case it would disappear in the future…and I would be happy if that would be available as an SK.

Summary table of possible expressions to be fed to the fw
monitor
Specifying
Hosts
 host(IP_address)  to or from this host
 src=IP_address  where source ip = IP_address
 dst=IP_address  where destination ip = IP_address
 net(network_address,netmask)  to or from this network
 to_net(network_address,netmask)  to this network
 from_net(network_address,netmask)  from this network
 Specifying ports
 port(port_number)  having this source or destination port
 sport=port_number  having this source port
 dport=port_number  having this destination port
 tcpport(port_number)  having this source or destination port that is also TCP
 udpport(port_number)  having this source or destination port that is also UDP
 Specifying protocols
 ip_p=<protocol_number_as_per_IANA>  this way you can specifiy any known protocol by its registered
number in IANAFor detailed list of protocol numbers see www.iana.org/assignments/protocol-numbers
 icmp  what it says , icmp protocol
 tcp  TCP
 udp  UDP
 Protocol specific oprions
 IP
 ip_tos = <value>  TOS field of the IP packet
 ip_len = <length_in_bytes>  Length of the IP packet in bytes
 ip_src/ ip_dst = <IP_address>  Source or destination IP address of the packet
 ip_p =<protocol_number_as_per_IANA>  See above
 ICMP
  echo_reply  ICMP reply packets
  echo_req  Echo requests
  ping  Echo requests and echo replies
  icmp_error  ICMP error messages (Redirect,Unreachables,Time exceeded,Source
quench,Parameter problem)
  traceroute  Traceroute as implemented in Unix (UDP packets to high ports)
  tracert  Traceroute as implemented in Windows (ICMP packets , TTL
<30)
  icmp_type = <ICMP types as per RFC>  catch packets of certain type
  icmp_code = <ICMP type as per RFC>  catch packets of certain code
  ICMP types and where applicable respective codes:ICMP_ECHOREPLY
ICMP_UNREACH
ICMP_UNREACH_NET
ICMP_UNREACH_HOST
ICMP_UNREACH_PROTOCOL
ICMP_UNREACH_PORT
ICMP_UNREACH_NEEDFRAG
ICMP_UNREACH_SRCFAIL
ICMP_SOURCEQUENCH
ICMP_REDIRECT
ICMP_REDIRECT_NET
ICMP_REDIRECT_HOST
ICMP_REDIRECT_TOSNET
ICMP_REDIRECT_TOSHOST
ICMP_ECHO
ICMP_ROUTERADVERT
ICMP_ROUTERSOLICIT
ICMP_TIMXCEED
ICMP_TIMXCEED_INTRANS
ICMP_TIMXCEED_REASS
ICMP_PARAMPROB
ICMP_TSTAMP
ICMP_TSTAMPREPLY
ICMP_IREQ
ICMP_IREQREPLY
ICMP_MASKREQ
ICMP_MASKREPLY
  icmp_ip_len = <length>  Length of ICMP packet
 icmp_ip_ttl = <TTL>  TTL of ICMP packet, use with icmp protocol otherwise will catch ANY
packet with TTL given
 < cut here—-bunch of other icmp-related fields
like ID ,sequence I don’t see any value in bringing here–>
 TCP
 syn  SYN flag set
 fin  FIN flag set
 rst  RST flag set
 ack  ACK flag set
 first  first packet (means SYN is set but ACK is not)
 not_first  not first packet (SYN is not set)
 established  established connection (means ACK is set but SYN is not)
 last  last packet in stream (ACK and FIN are set)
 tcpdone  RST or FIN are set
 th_flags – more general way to match the flags inside
TCP packets
 th_flags = TH_PUSH  Push flag set
 th_flags = TH_URG  Urgent flag set
 UDP
 uh_ulen = <length_in_bytes>  Length of the UDP header (doesnt include IP header)
Advertisements