Command syntax

    fw monitor [-u|s] [-i] [-d] [-D] <{-e expr}+|-f <filter-file|->> [-l len] [-m mask] [-x offset[,len]] [-o <file>] <[-pi pos] [-pI pos] [-po pos] [-pO pos] | -p all> [-a] [-ci count] [-co count] [-vs vsid or vsname]

Command line options

| Option | Description |
|---|---|
| -e | Filter packets by expression |
| -l [LENGTH] | Limit the captured packet length |
| -m [MASK] | Capture mask: select which of the 4 inspection points to capture |
| -x [OFFSET],[LENGTH] | Print packet/payload data from the given offset |
| -o [FILE] | Write output to a file |
| -ci / -co | Capture a given number of packets inbound / outbound |
| -u | Display the connection UUID |
| fw ctl chain | Display the firewall control chain (the inspection point names usable with -p) |
Examples

| Example | Description | Command |
|---|---|---|
| Filter ICMP only | Filter on the 9th byte of the IP header (the protocol field) and accept only IP protocol 1, which is ICMP | `fw monitor -e 'accept [9:1]=1;'` |
| Filter ICMP only (filter file) | The same ICMP filter, written to a file and loaded with -f | `echo "accept [9:1]=1;" > myfilter.pf` then `fw monitor -f myfilter.pf` |
| Capture ICMP only | Capture all ICMP to or from host 192.168.10.2 | `fw monitor -e 'accept icmp and host(192.168.10.2);'` |
| Using a position filter | Capture at an inbound position using an alias from `fw ctl chain` and write the capture to dump.cap | `fw monitor -pi -secxl_sync -o dump.cap` |
| HTTP source port | Capture all traffic with source port 80 | `fw monitor -e 'accept [20:2,b]=80;'` |
| HTTP destination port | Capture all traffic with destination port 80 | `fw monitor -e 'accept [22:2,b]=80;'` |
| Capture all HTTP | Capture all HTTP traffic | `fw monitor -e 'accept tcpport(80);'` |
| FTP source port | Capture all traffic with FTP source port (control channel) | `fw monitor -e 'accept [20:2,b]=21;'` |
| FTP destination port | Capture all traffic with FTP destination port (control channel) | `fw monitor -e 'accept [22:2,b]=21;'` |
| Capture network range | Capture all traffic sourced from network 192.168.10.0/24 | `fw monitor -e 'internal={<192.168.10.0, 192.168.10.254>}; accept (src in internal);'` |
| Capture specific network range | Capture all traffic sourced from IP addresses 192.168.10.100 up to 192.168.10.254 | `fw monitor -e 'lan={<192.168.10.100, 192.168.10.254>}; accept (src in lan);'` |
| Do not capture HTTP traffic | Capture all traffic except HTTP | `fw monitor -e 'accept not ([20:2,b]=80 or [22:2,b]=80);'` |
| Do not capture SSH or RDP traffic | Capture all traffic except SSH and Remote Desktop, on all positions, and write it to dump.cap | `fw monitor -e 'accept not ([20:2,b]=22 or [22:2,b]=22 or [20:2,b]=3389 or [22:2,b]=3389);' -p all -o dump.cap` |
| Do not capture SSH or RDP traffic from a host | Capture all traffic to or from host 192.168.10.2 except SSH and Remote Desktop | `fw monitor -e 'accept (host(192.168.10.2) and not (tcpport(3389) or tcpport(22)));'` |
| Capture DNS queries | Capture all DNS traffic (UDP port 53) to or from host 192.168.10.2 | `fw monitor -e 'accept (host(192.168.10.2) and (udpport(53)));'` |