fw monitor shows you what the Check Point kernel sees, and monitors all interfaces at once.
Turn on debug flag
Specify an INSPECT program line (multiple -e options can be used)
INSPECT filter name. '-' can be used to specify standard input. The -f and -e options are mutually exclusive
Specify how many bytes of the packet should be transferred from the kernel.
Specify inspection points mask, any one or more of i, I, o, O as explained below. This feature only works on 4.0 SP3 or later.
Specify an output file, which can be viewed with the 'snoop' command on Solaris.
Perform a hex dump of the received data, starting at specified offset and printing out 'len' bytes.
fw monitor -m iIoO -e "accept src=192.168.191.18;"
fw monitor -m iIoO -e "accept dport=500;"
fw monitor -m iIoO -e "accept dst=192.168.27.198;"
fw monitor -m iIoO -e "accept dst=192.168.2.3;" -o /var/tmp/SOCD00008413514
fw monitor -m iIoO -e "accept src=192.168.160.45 or dst=172.16.160.45;"
fw monitor -m iIOo -e 'accept src=10.33.76.82 and dst=10.33.76.82;'
The little "i" means the packet is incoming to the interface specified.
The big "I" means the packet is incoming to the Check Point filter.
The little "o" means the packet is leaving the filter.
The big "O" means the packet is hitting the wire on the interface specified.
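
The sketch below shows how to read a capture taken with -m iIoO: it groups packets by IP id and reports which of the four inspection points each packet was never seen at, which tells you where it stopped. This is an added example, not Check Point code. The output line shape, the sample capture and the function names are assumptions made for this sketch, as is keying on the IP id alone.

```python
import re

POINTS = "iIoO"  # order in which a forwarded packet passes the inspection points

# Assumed line shape (not taken from the page):
#   <iface>:<point>[<len>]: <src> -> <dst> (<proto>) len=<n> id=<n>
LINE_RE = re.compile(
    r"(?P<iface>[\w.-]+):(?P<point>[iIoO])\[\d+\]:\s+(?P<src>\S+) -> "
    r"(?P<dst>\S+) \((?P<proto>\w+)\) len=\d+ id=(?P<id>\d+)"
)

# Constructed sample capture; addresses reuse the filter examples above.
SAMPLE = """\
eth1:i[60]: 192.168.191.18 -> 192.168.27.198 (TCP) len=60 id=4101
TCP: 40122 -> 443 .S.... seq=5f3a9c01 ack=00000000
eth1:I[60]: 192.168.191.18 -> 192.168.27.198 (TCP) len=60 id=4101
eth2:o[60]: 192.168.191.18 -> 192.168.27.198 (TCP) len=60 id=4101
eth2:O[60]: 192.168.191.18 -> 192.168.27.198 (TCP) len=60 id=4101
eth1:i[60]: 192.168.191.18 -> 192.168.2.3 (TCP) len=60 id=4102
eth1:i[84]: 192.168.191.18 -> 192.168.27.198 (ICMP) len=84 id=4103
eth1:I[84]: 192.168.191.18 -> 192.168.27.198 (ICMP) len=84 id=4103
"""

def trace_packets(text):
    """Group capture lines by IP id -> [(point, iface, src, dst), ...]."""
    packets = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:  # protocol detail lines ("TCP: ...") do not match and are skipped
            # Assumption: the IP id alone identifies a packet within one capture.
            packets.setdefault(int(m["id"]), []).append(
                (m["point"], m["iface"], m["src"], m["dst"]))
    return packets

def missing_points(hops):
    """Inspection points at which this packet was never seen."""
    seen = {point for point, _iface, _src, _dst in hops}
    return [p for p in POINTS if p not in seen]

def summarize(text):
    """IP id -> (points seen in capture order, points missing)."""
    return {pid: ("".join(h[0] for h in hops), "".join(missing_points(hops)))
            for pid, hops in trace_packets(text).items()}

if __name__ == "__main__":
    for pid, (seen, missing) in summarize(SAMPLE).items():
        status = "passed all four points" if not missing else f"not seen at {missing}"
        print(f"id={pid} seen={seen} -> {status}")
```

A packet seen at i but not at I stopped before the inbound side of the filter finished with it; one seen at i and I but not at o or O was never sent out through an outbound interface.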