Wednesday, October 28, 2009

How to interpret fw monitor output files in Wireshark

By default, Wireshark shows three windows. The top window is the frame summary, where each frame is summarized on one line. The middle window is the protocol window, where the decoded protocol tree is shown. The bottom window holds the raw frame bytes. The "FW-1 monitor if/direction" data can be displayed in each of these windows.


By default, this information is only visible in the raw frame bytes. It sits at the very start of the frame, so look at the beginning of the ASCII part of the bottom window. For example, you might see something like "i1eth-s3 p4c0..E.": the direction ("i"), the chain position ("1") and the interface name ("eth-s3p4c0"), followed by the start of the IP header.


This isn't very easy to read.


A better approach is to enable protocol decoding.

1) Select Edit > Preferences to bring up the preferences window.


2) Under Protocols, select Ethernet and enable "Attempt to interpret as FireWall-1 monitor file".


3) Click Apply and OK.


There will now be an "FW1 Monitor" protocol decode between "Frame" and "Internet Protocol" in the protocol window.


Once "Attempt to interpret as FireWall-1 monitor file" is enabled, you can also add a column to the frame summary. This is optional.

1) Select Edit > Preferences to bring up the preferences window.


2) Under User Interface, select Columns.


3) Click the "New" button to add a new column.


4) For the Title, use whatever you want, e.g. "FW-1".

5) For the Format, select "FW-1 monitor if/direction".


6) Click Apply and OK.

There will now be a "FW-1" column in the frame summary window.
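To make concrete what the raw bytes, the "FW1 Monitor" decode and the "FW-1 monitor if/direction" column are each showing, here is a small Python decoder for the 14-byte pseudo-header at the start of every fw monitor frame. This is an added example, not code from the original post or from Wireshark. The field layout (direction letter, chain position digit, 10-byte NUL-padded interface name, 2-byte EtherType) is inferred from the post's own sample "i1eth-s3 p4c0..E." and is an assumption, as is the meaning given to the direction letters (Check Point's i/I/o/O pre-inbound, post-inbound, pre-outbound and post-outbound chain positions). The sample frame is constructed for the example, not taken from a real capture.

```python
"""Decode the pseudo-Ethernet header that Wireshark labels "FW1 Monitor".

Added example, not code from the original post. The layout below is inferred
from the post's raw-bytes sample "i1eth-s3 p4c0..E." and is an assumption:

  offset 0      direction: i = pre-inbound, I = post-inbound,
                           o = pre-outbound, O = post-outbound
  offset 1      chain position (ASCII digit)
  offset 2-11   interface name, NUL padded to 10 bytes
  offset 12-13  EtherType, big-endian (0x0800 = IPv4)

That is 14 bytes, the same size as a real Ethernet header, which is why
Wireshark only applies this decode when the preference is switched on.
"""
import struct
from dataclasses import dataclass

FW1_HEADER_LEN = 14
DIRECTIONS = {
    "i": "inbound, before the inbound chain",
    "I": "inbound, after the inbound chain",
    "o": "outbound, before the outbound chain",
    "O": "outbound, after the outbound chain",
}


@dataclass
class Fw1Header:
    direction: str
    chain: str
    interface: str
    ethertype: int

    @property
    def if_dir(self) -> str:
        """Interface plus direction/chain: the information the
        "FW-1 monitor if/direction" column carries (Wireshark's exact
        formatting of the column may differ)."""
        return f"{self.interface} {self.direction}{self.chain}"


def looks_like_fw1_monitor(frame: bytes) -> bool:
    """Cheap sanity check before decoding: direction letter, chain digit and a
    printable, non-empty interface name. A real Ethernet frame whose destination
    MAC happens to start with 0x69 0x31 ('i' '1') would still pass, so treat
    this as a hint, as Wireshark's preference does, not as proof."""
    if len(frame) < FW1_HEADER_LEN:
        return False
    name = frame[2:12].split(b"\x00", 1)[0]
    return (chr(frame[0]) in DIRECTIONS
            and chr(frame[1]).isdigit()
            and len(name) > 0
            and all(0x21 <= b < 0x7F for b in name))


def parse_fw1_header(frame: bytes) -> Fw1Header:
    """Split the 14-byte pseudo-header into its fields."""
    if not looks_like_fw1_monitor(frame):
        raise ValueError("frame does not start with an fw monitor pseudo-header")
    interface = frame[2:12].split(b"\x00", 1)[0].decode("ascii")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return Fw1Header(chr(frame[0]), chr(frame[1]), interface, ethertype)


def parse_ipv4_endpoints(frame: bytes) -> tuple[str, str]:
    """Return (src, dst) of the IPv4 header that follows the pseudo-header,
    the part Wireshark shows as "Internet Protocol" right after "FW1 Monitor"."""
    hdr = parse_fw1_header(frame)
    if hdr.ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{hdr.ethertype:04x}")
    ip = frame[FW1_HEADER_LEN:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("truncated or non-IPv4 header")
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return src, dst


def ascii_pane(frame: bytes) -> str:
    """Render the first 16 bytes the way Wireshark's bytes window shows its
    ASCII column: non-printables as '.', with a gap after the eighth byte.
    This is exactly the form of the post's "i1eth-s3 p4c0..E." sample."""
    text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in frame[:16])
    return text[:8] + " " + text[8:]


def build_sample_frame() -> bytes:
    """Constructed test input, not a real capture: the header from the post's
    example followed by a minimal 20-byte IPv4/TCP header 10.0.0.1 -> 192.0.2.10."""
    pseudo = b"i1" + b"eth-s3p4c0".ljust(10, b"\x00") + struct.pack("!H", 0x0800)
    ipv4 = (bytes([0x45, 0x00]) + struct.pack("!H", 40)   # version/IHL, TOS, total length
            + b"\x00\x00\x40\x00"                          # id, flags (DF) / fragment offset
            + bytes([64, 6]) + b"\x00\x00"                 # TTL, protocol (TCP), checksum
            + bytes([10, 0, 0, 1]) + bytes([192, 0, 2, 10]))
    return pseudo + ipv4


if __name__ == "__main__":
    frame = build_sample_frame()
    hdr = parse_fw1_header(frame)
    print("raw ASCII :", ascii_pane(frame))
    print("direction :", hdr.direction, "-", DIRECTIONS[hdr.direction])
    print("chain pos :", hdr.chain)
    print("interface :", hdr.interface)
    print("ethertype : 0x%04x" % hdr.ethertype)
    print("IPv4      : %s -> %s" % parse_ipv4_endpoints(frame))
```

Running the block prints the same "i1eth-s3 p4c0..E." string the post quotes from the bytes window, then the decoded fields that the "FW1 Monitor" tree and the optional column present. The same decode can be switched on without the GUI for scripted analysis: the checkbox in the steps above corresponds to the Ethernet preference `eth.interpret_as_fw1_monitor`, which can be passed to tshark as `-o eth.interpret_as_fw1_monitor:TRUE`; confirm the exact key on your version with `tshark -G currentprefs`.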
