For fw monitor, Check Point has written a document named fw_monitor_rev1_01.pdf. This document is old and, I guess, was never updated with the additional expressions that can be used to filter with fw monitor.
There is a table that I actually got from this site: http://yurisk.info/2009/12/12/fw-monitor-command-reference/
I just copy it here in case it disappears in the future, and I would be happy if this were available as an SK (SecureKnowledge article).
Summary table of possible expressions to be fed to fw monitor:

| Expression | Matches |
|---|---|
| Specifying hosts | |
| host(IP_address) | packets to or from this host |
| src=IP_address | source IP equals IP_address |
| dst=IP_address | destination IP equals IP_address |
| net(network_address,netmask) | packets to or from this network |
| to_net(network_address,netmask) | packets to this network |
| from_net(network_address,netmask) | packets from this network |
| Specifying ports | |
| port(port_number) | this source or destination port |
| sport=port_number | this source port |
| dport=port_number | this destination port |
| tcpport(port_number) | this source or destination port, and the protocol is TCP |
| udpport(port_number) | this source or destination port, and the protocol is UDP |
| Specifying protocols | |
| ip_p=<protocol_number_as_per_IANA> | any protocol by its IANA-registered number; for the full list see www.iana.org/assignments/protocol-numbers |
| icmp | ICMP |
| tcp | TCP |
| udp | UDP |
| Protocol-specific options | |
| IP | |
| ip_tos=<value> | TOS field of the IP header |
| ip_len=<length_in_bytes> | total length of the IP packet in bytes |
| ip_src=<IP_address> / ip_dst=<IP_address> | source or destination IP address of the packet |
| ip_p=<protocol_number_as_per_IANA> | see above |
| ICMP | |
| echo_reply | ICMP echo replies |
| echo_req | ICMP echo requests |
| ping | echo requests and echo replies |
| icmp_error | ICMP error messages (Redirect, Unreachable, Time Exceeded, Source Quench, Parameter Problem) |
| traceroute | traceroute as implemented on Unix (UDP packets to high ports) |
| tracert | traceroute as implemented on Windows (ICMP packets, TTL < 30) |
| icmp_type=<ICMP type as per RFC> | packets of this ICMP type |
| icmp_code=<ICMP code as per RFC> | packets of this ICMP code |
| ICMP types and, where applicable, their codes: ICMP_ECHOREPLY, ICMP_UNREACH, ICMP_UNREACH_NET, ICMP_UNREACH_HOST, ICMP_UNREACH_PROTOCOL, ICMP_UNREACH_PORT, ICMP_UNREACH_NEEDFRAG, ICMP_UNREACH_SRCFAIL, ICMP_SOURCEQUENCH, ICMP_REDIRECT, ICMP_REDIRECT_NET, ICMP_REDIRECT_HOST, ICMP_REDIRECT_TOSNET, ICMP_REDIRECT_TOSHOST, ICMP_ECHO, ICMP_ROUTERADVERT, ICMP_ROUTERSOLICIT, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS, ICMP_TIMXCEED_REASS, ICMP_PARAMPROB, ICMP_TSTAMP, ICMP_TSTAMPREPLY, ICMP_IREQ, ICMP_IREQREPLY, ICMP_MASKREQ, ICMP_MASKREPLY | |
| icmp_ip_len=<length> | length of the ICMP packet |
| icmp_ip_ttl=<TTL> | TTL of the ICMP packet; combine it with icmp, otherwise it matches ANY packet with the given TTL |
| (cut here: a bunch of other ICMP-related fields such as ID and sequence that I don't see any value in listing) | |
| TCP | |
| syn | SYN flag set |
| fin | FIN flag set |
| rst | RST flag set |
| ack | ACK flag set |
| first | first packet of a connection (SYN set, ACK not set) |
| not_first | not the first packet (SYN not set) |
| established | established connection (ACK set, SYN not set) |
| last | last packet of the stream (ACK and FIN set) |
| tcpdone | RST or FIN set |
| th_flags=<flag> | more general way to match the flags inside a TCP packet |
| th_flags = TH_PUSH | PSH flag set |
| th_flags = TH_URG | URG flag set |
| UDP | |
| uh_ulen=<length_in_bytes> | UDP length field (UDP header plus payload; does not include the IP header) |
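The expressions in the table are combined with and, or, not and parentheses, and are passed to the tool as fw monitor -e "accept <expr>;". Because a filter with a typo or wrong precedence silently captures the wrong traffic on a production gateway, it helps to check the expression against a few sample packets first. The following is an added example of my own, not Check Point code and not from the yurisk.info page: a small evaluator that implements the table's primitives over a constructed packet record so you can see offline what an expression would select. The Packet record, the sample packets and the fw_monitor_cmdline helper are assumptions made for the example; the real tool matches raw header offsets, which is why, as the table warns, icmp_ip_ttl on its own matches any packet with that TTL, and the evaluator reproduces that.

```python
"""Toy evaluator for fw monitor filter expressions (added example, not Check Point code).
Implements the table's primitives plus and/or/not and parentheses over a constructed
packet record, so an expression can be checked offline before it goes into
    fw monitor -e "accept <expr>;"
"""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Packet:
    """Constructed packet record (assumption for this example, not a real capture)."""
    src: str
    dst: str
    proto: int                                # IANA number: 1 icmp, 6 tcp, 17 udp
    sport: int = 0
    dport: int = 0
    flags: set = field(default_factory=set)   # TCP flags: SYN ACK FIN RST PSH URG
    ttl: int = 64
    tos: int = 0


TOK = re.compile(r"\(|\)|[A-Za-z_]+(?:\([^)]*\)|\s*=\s*[^\s()]+)?")   # one token per primitive
PRIM = re.compile(r"([A-Za-z_]+)(?:\(([^)]*)\)|\s*=\s*(\S+))?")
TH_NAMES = {"TH_PUSH": "PSH", "TH_URG": "URG"}    # th_flags values shown on the page
FIELDS = {"src": ("src", str), "ip_src": ("src", str), "dst": ("dst", str), "ip_dst": ("dst", str),
          "sport": ("sport", int), "dport": ("dport", int), "ip_p": ("proto", int),
          "ip_tos": ("tos", int), "icmp_ip_ttl": ("ttl", int)}   # icmp_ip_ttl: no protocol check, as the table warns


def primitive(tok):
    """Map one primitive (host(1.2.3.4), dport=443, syn, ...) to a predicate over Packet."""
    name, args, val = PRIM.fullmatch(tok).groups()
    name = name.lower()
    argv = [a.strip() for a in args.split(",")] if args else []
    tcpf = lambda p: p.flags if p.proto == 6 else set()   # flag words only apply to tcp here
    fixed = {
        "tcp": lambda p: p.proto == 6, "udp": lambda p: p.proto == 17, "icmp": lambda p: p.proto == 1,
        "syn": lambda p: "SYN" in tcpf(p), "ack": lambda p: "ACK" in tcpf(p),
        "fin": lambda p: "FIN" in tcpf(p), "rst": lambda p: "RST" in tcpf(p),
        "first": lambda p: "SYN" in tcpf(p) and "ACK" not in tcpf(p),
        "not_first": lambda p: "SYN" not in tcpf(p),
        "established": lambda p: "ACK" in tcpf(p) and "SYN" not in tcpf(p),
        "last": lambda p: {"ACK", "FIN"} <= tcpf(p),
        "tcpdone": lambda p: bool({"RST", "FIN"} & tcpf(p)),
    }
    if name in fixed:
        return fixed[name]
    if name == "host":
        return lambda p: argv[0] in (p.src, p.dst)
    if name in ("net", "to_net", "from_net"):
        net = ipaddress.ip_network(f"{argv[0]}/{argv[1]}", strict=False)
        sides = {"net": ("src", "dst"), "to_net": ("dst",), "from_net": ("src",)}[name]
        return lambda p: any(ipaddress.ip_address(getattr(p, s)) in net for s in sides)
    if name in ("port", "tcpport", "udpport"):
        n, proto = int(argv[0]), {"port": None, "tcpport": 6, "udpport": 17}[name]
        return lambda p: n in (p.sport, p.dport) and proto in (None, p.proto)
    if name in FIELDS:
        attr, conv = FIELDS[name]
        want = conv(val)
        return lambda p: getattr(p, attr) == want
    if name == "th_flags":
        return lambda p: TH_NAMES[val.upper()] in tcpf(p)
    raise ValueError(f"unknown primitive {tok!r}")


class Parser:
    """expr := term ('or' term)* ; term := factor ('and' factor)* ;
    factor := 'not' factor | '(' expr ')' | primitive.  parse() returns a predicate."""
    def __init__(self, expr):
        self.toks, self.i = TOK.findall(expr), 0
    def peek(self):
        return self.toks[self.i].lower() if self.i < len(self.toks) else None
    def parse(self):
        node = self.expr()
        if self.i != len(self.toks):
            raise ValueError(f"unexpected token {self.toks[self.i]!r}")
        return node
    def expr(self):
        left = self.term()
        while self.peek() == "or":
            self.i += 1
            left = (lambda l, r: lambda p: l(p) or r(p))(left, self.term())
        return left
    def term(self):
        left = self.factor()
        while self.peek() == "and":
            self.i += 1
            left = (lambda l, r: lambda p: l(p) and r(p))(left, self.factor())
        return left
    def factor(self):
        tok = self.toks[self.i]
        self.i += 1
        if tok.lower() == "not":
            inner = self.factor()
            return lambda p: not inner(p)
        if tok == "(":
            inner = self.expr()
            if self.peek() != ")":
                raise ValueError("missing ')'")
            self.i += 1
            return inner
        return primitive(tok)


def matches(expr, pkt):
    """True if the fw monitor-style expression would select this packet."""
    return bool(Parser(expr).parse()(pkt))


def fw_monitor_cmdline(expr, points="i,I,o,O"):
    """Command as typed on the gateway: -m picks the inspection points, -e takes the
    expression in its INSPECT form (accept <expr>;)."""
    return f'fw monitor -m {points} -e "accept {expr};"'
```

Run matches() against a SYN, an established reply, a DNS query and a ping built as Packet records and you can see the table's semantics directly: first is SYN without ACK, established is ACK without SYN, tcpport(53) rejects the UDP query that udpport(53) accepts, and icmp_ip_ttl=30 alone also matches the UDP packet with TTL 30 until you prefix it with icmp and. Once the expression behaves as intended, fw_monitor_cmdline() gives the line to run on the gateway.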
Posted on August 22, 2011