Inspect fw monitor files<br />
The recommended tool for analyzing fw monitor capture files is Ethereal (Using Ethereal to inspect fw monitor files) or CPEthereal (Using CPEthereal to inspect fw monitor files). Nevertheless, fw monitor capture files can be inspected with any tool that is able to read the snoop file format (Snoop file format (RFC 1761)).<br />
Using snoop to inspect fw monitor files<br />
snoop is a tool normally found on Sun Solaris machines. snoop allows you to capture packets and to examine them. As described in Write output to file, fw monitor writes its capture files in the file format used by snoop. This allows us to use snoop to decode the files later on. This means you can generate the fw monitor files on one machine and examine them on another machine using all of snoop's functions, including verbose output and filtering.<br />
! snoop is only available on Sun Solaris. For other platforms refer to Using tcpdump to inspect fw monitor files or Using Ethereal to inspect fw monitor files.<br />
The following example shows how an fw monitor capture file (two ICMP Echo Requests and ICMP Echo Replies, PreIn/PostIn and PreOut/PostOut) which was generated on a Linux machine is inspected on a Sun:<br />
bash-2.03# snoop -i fwmonitor.cap<br />
1 0.00000 172.16.1.1 -> 172.16.1.2 ICMP Echo request (ID: 51470 Sequence number: 256)<br />
2 0.00000 172.16.1.1 -> 172.16.1.2 ICMP Echo request (ID: 51470 Sequence number: 256)<br />
3 0.00000 172.16.1.2 -> 172.16.1.1 ICMP Echo reply (ID: 51470 Sequence number: 256)<br />
4 0.00000 172.16.1.2 -> 172.16.1.1 ICMP Echo reply (ID: 51470 Sequence number: 256)<br />
5 0.00000 172.16.1.1 -> 172.16.1.2 ICMP Echo request (ID: 51470 Sequence number: 512)<br />
6 0.00000 172.16.1.1 -> 172.16.1.2 ICMP Echo request (ID: 51470 Sequence number: 512)<br />
7 0.00000 172.16.1.2 -> 172.16.1.1 ICMP Echo reply (ID: 51470 Sequence number: 512)<br />
8 0.00000 172.16.1.2 -> 172.16.1.1 ICMP Echo reply (ID: 51470 Sequence number: 512)<br />
Figure 48: Inspecting fw monitor files with snoop<br />
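As an added example (not code from the fw monitor documentation, from Check Point or from snoop), the following Python script parses the snoop file format (RFC 1761) that fw monitor writes: it checks the file header, walks the packet records, and prints a one-line summary of each ICMP echo packet in the style of the snoop output in Figure 48. The capture it reads is constructed inside the script (one ICMP Echo Request 172.16.1.1 -> 172.16.1.2, ICMP checksum left zero) and assumes Ethernet framing (datalink type 4); whether a given fw monitor file uses that datalink type is an assumption to verify against its header.<br />

```python
import socket
import struct

SNOOP_MAGIC = b"snoop\x00\x00\x00"   # RFC 1761 file header identification pattern
DLT_ETHERNET = 4                      # RFC 1761 datalink type code for Ethernet

def parse_snoop(data):
    """Yield (datalink, sec, usec, frame) for each record of a snoop (RFC 1761) file."""
    if data[:8] != SNOOP_MAGIC:
        raise ValueError("not a snoop file")
    version, datalink = struct.unpack(">II", data[8:16])
    if version != 2:
        raise ValueError("unsupported snoop version %d" % version)
    off = 16
    while off + 24 <= len(data):
        # Record header (big-endian): original length, included length, record length,
        # cumulative drops, timestamp seconds, timestamp microseconds.
        orig_len, incl_len, rec_len, drops, sec, usec = struct.unpack(">6I", data[off:off + 24])
        if rec_len < 24 + incl_len or off + rec_len > len(data):
            raise ValueError("corrupt record at offset %d" % off)
        yield datalink, sec, usec, data[off + 24:off + 24 + incl_len]
        off += rec_len  # record length already covers header, data and pad bytes

def summarize(frame):
    """snoop-style one-line summary of an Ethernet/IPv4/ICMP echo frame (own code, not snoop's)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return "non-IP frame"
    ihl = (frame[14] & 0x0F) * 4
    proto, src, dst = frame[23], frame[26:30], frame[30:34]
    if proto != 1:
        return "%s -> %s IP proto %d" % (socket.inet_ntoa(src), socket.inet_ntoa(dst), proto)
    kind, _code, _csum, ident, seq = struct.unpack(">BBHHH", frame[14 + ihl:14 + ihl + 8])
    name = {8: "Echo request", 0: "Echo reply"}.get(kind, "type %d" % kind)
    return "%s -> %s ICMP %s (ID: %d Sequence number: %d)" % (
        socket.inet_ntoa(src), socket.inet_ntoa(dst), name, ident, seq)

def build_sample():
    """Constructed snoop file holding one ICMP echo request 172.16.1.1 -> 172.16.1.2."""
    icmp = struct.pack(">BBHHH", 8, 0, 0, 51470, 256) + b"\x00" * 8   # checksum left zero
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     socket.inet_aton("172.16.1.1"), socket.inet_aton("172.16.1.2"))
    frame = b"\x00" * 12 + b"\x08\x00" + ip + icmp   # zero MACs, EtherType IPv4
    pad = (-len(frame)) % 4                          # records are padded to 4 bytes
    rec = struct.pack(">6I", len(frame), len(frame), 24 + len(frame) + pad, 0, 0, 0)
    return SNOOP_MAGIC + struct.pack(">II", 2, DLT_ETHERNET) + rec + frame + b"\x00" * pad

def summaries(data):
    """One summary line per record, as the snoop listing in Figure 48 shows them."""
    return [summarize(f) for _dl, _s, _u, f in parse_snoop(data)]
```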
How to use fw monitor Page 39 of 70<br />
Revision: 1.01