>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
>Sent: 7. mars 2001 23:24
>To: FW1-MailingList (E-mail)
>Subject: [FW1] Active connections
>
>
>
>Hi everybody,
>
>Is there any Check Point command which can give me the active connections
>as well as the type of these connections. For example are they http, ftp,
>ssl, smtp etc..
>It looks like the ./fw tab -s connections -t command is giving only
>virtual connections
>
>I'll appreciate any suggestions
>Thanks
>
>Kiril
You should be able to use the output of the fw tab -t connections command.
Below you will find an explanation on how you should read the output. Hope
that will help you.
/erik
*********************cut/paste check point ATRG41*********************
The basic structure of a connection in a table entry

Many tables store entries that represent connections. In those tables, the
first five fields follow a common standard. An example of these five fields
is shown below along with the meaning of each field. Entries in other tables
will, in most cases, contain the same five key fields but will store
different field values. These first five fields are known as the "key" part
of the table entry.

<c7cb4764, 0000008a, c7cb47ff, 00000050, 00000006 ... >

Field  Example value  Description
1      c7cb4764       Source IP address
2      0000008a       Source port
3      c7cb47ff       Destination IP address
4      00000050       Destination port
5      00000006       IP protocol number, as defined in RFC 1700, written in
                      hexadecimal like the other fields (11 - UDP, 6 - TCP,
                      1 - ICMP ...)

Note: FireWall-1 is able to search on the "key" entries of the table.
connections table

The connections table contains data on all active connections.

Example:
attributes: refresh, expires 60, expcall 133279992 4, implies 2, kbuf 1, hashsize 8192
<c7cb4764, 0000008a, c7cb47ff, 00000000, 00000011; 00000000, 00000002, 00000000; 39/40>
<c7cb4765, 0000008a, c7cb47ff, 00000000, 00000011; 00000000, 00000002, 00000000; 37/40>

The connections table uses the following format:

Field  Example value  Description
1      c7cb4764       Source IP address
2      0000008a       Source port
3      c7cb47ff       Destination IP address
4      00000000       Destination port
5      00000011       IP protocol
6      00000000       r_ckey. A pointer to the encryption key if the
                      connection is encrypted, otherwise NULL
7      00000002       r_ctype. Described below
8      00000000       r_cflags. Described below
9      39/40          Time left / total time. There are x of y seconds left
                      until the entry times out and is deleted from the table
r_ctype

The r_ctype field contains eight hexadecimal digits in the form 0000klmn.
The last four digits of the value are interpreted using the tables below.

Value of 'n'  Description
1             TCP connection
2             UDP connection
3             Connection is encrypted
4             Reverse connection is encrypted

Value of 'm'  Description
0             Other
8             IPSec connection

Value of 'l'  Description
0             Match by protocol (the most common value)
1             Match by offset (never used)
2             Match by RPC (for RPC connections)
3             Match by getport (for RPC connections)
4             Match by callit (for RPC connections)
5             Match by seq/ack change (for encrypted/NATed connections
              where the SEQ/ACK numbers may be changed)

Digit 'k' is interpreted as four binary digits of the form 0xyz. If a bit in
any position is set to 1, the corresponding value in the table below applies.

Bit of digit 'k'  Description
0                 First bit is always 0
x                 Established TCP connection
y                 FIN sent in reverse connection (by the destination)
z                 FIN sent in forward connection (by the source)
r_cflags

The r_cflags field contains eight hexadecimal digits that should be
interpreted as four bytes of the form ghij. The values of g, h, i and j are
interpreted using the tables below. Byte j is interpreted as eight binary
digits of the form PQRSTUVW. If a bit in any position is set to 1, the
corresponding value in the table below applies.

Bit of byte 'j'  Description
P                Accounting flag (0 if the connection has no accounting)
Q                Accounting flag (0 if the connection has no accounting)
R                Accounting flag (0 if the connection has no accounting)
S                More inspection needed for this connection (has prologue)
T                Reverse connection accepted without going through Rule Base
U                Connection accepted without going through Rule Base
V                One way connection (only the destination sends data)
W                One way connection (only the source sends data)

Byte i may have the following values:

Hexadecimal value                   Description
0x66, 0x67                          IIOP connections
0x82                                Clear FTP PORT command
0x83                                Encrypted FTP PORT command
0x84                                FTP PASV command
0x86                                RSH stderr connection
0x88                                H.245 connection
0x90, 0x91, 0x92, 0x93, 0x94, 0x95  Xtreme connections
0xa1                                VDOlive connection
0xa3, 0xa4, 0xa5                    RealAudio / RTSP connections
0xa8                                RTP connection
0xaa                                NetShow connection
0x00                                Any other connection

Byte h holds the interface ID (the number of the interface in "fw ctl
iflist") of the interface in the direction of the destination. Byte g holds
the interface ID (the number of the interface in "fw ctl iflist") of the
interface in the direction of the source.
*****************************************end*******************************************
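A small decoder for the entry format described in the excerpt, added here as an example; it is not part of the ATRG text and not a Check Point tool. It parses lines in the <...> shape shown above (the sample lines are constructed to match that shape, not captured from a firewall), converts the five hex key fields to addresses, ports and protocol, applies the r_ctype and r_cflags tables, and finally lists entries that were accepted without passing the Rule Base (bits T/U), which is normal for helper-opened data connections such as FTP PASV but worth a second look for anything else. Table names and helper function names are this example's own.

```python
import re
import ipaddress

# Constructed sample in the shape the ATRG excerpt shows for
# "fw tab -t connections"; the values are illustrative, not captured output.
SAMPLE_OUTPUT = """\
attributes: refresh, expires 60, implies 2, kbuf 1, hashsize 8192
<c7cb4764, 0000008a, c7cb47ff, 00000000, 00000011; 00000000, 00000002, 00000000; 39/40>
<c7cb4765, 0000008a, c7cb47ff, 00000000, 00000011; 00000000, 00000002, 00000000; 37/40>
<c7cb4764, 000004d2, c7cb47ff, 0000c350, 00000006; 00000000, 00004001, 01028404; 3500/3600>
"""

# One table entry: five key fields; r_ckey, r_ctype, r_cflags; time left/total.
ENTRY_RE = re.compile(
    r"<\s*([0-9a-f]{8}),\s*([0-9a-f]{8}),\s*([0-9a-f]{8}),\s*([0-9a-f]{8}),\s*([0-9a-f]{8});"
    r"\s*([0-9a-f]{8}),\s*([0-9a-f]{8}),\s*([0-9a-f]{8});\s*(\d+)/(\d+)\s*>",
    re.IGNORECASE,
)

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}   # RFC 1700 protocol numbers

# r_ctype = 0000klmn, decoded per the tables in the excerpt above.
CTYPE_N = {1: "TCP connection", 2: "UDP connection",
           3: "Connection is encrypted", 4: "Reverse connection is encrypted"}
CTYPE_M = {0: "Other", 8: "IPSec connection"}
CTYPE_L = {0: "Match by protocol", 1: "Match by offset", 2: "Match by RPC",
           3: "Match by getport", 4: "Match by callit", 5: "Match by seq/ack change"}
CTYPE_K_BITS = {0x4: "established TCP connection",
                0x2: "FIN sent in reverse connection (by destination)",
                0x1: "FIN sent in forward connection (by source)"}

# r_cflags = ghij: byte i names the protocol helper, byte j holds bits PQRSTUVW.
CFLAGS_I = {0x00: "any other connection", 0x82: "clear FTP PORT command",
            0x83: "encrypted FTP PORT command", 0x84: "FTP PASV command",
            0x86: "RSH stderr connection", 0x88: "H.245 connection",
            0xa1: "VDOlive connection", 0xa8: "RTP connection", 0xaa: "NetShow connection"}
CFLAGS_I.update({v: "IIOP connection" for v in (0x66, 0x67)})
CFLAGS_I.update({v: "Xtreme connection" for v in range(0x90, 0x96)})
CFLAGS_I.update({v: "RealAudio / RTSP connection" for v in (0xa3, 0xa4, 0xa5)})
CFLAGS_J_BITS = [  # most significant bit (P) first, least significant (W) last
    "accounting flag P", "accounting flag Q", "accounting flag R",
    "more inspection needed (has prologue)",
    "reverse connection accepted without Rule Base",
    "connection accepted without Rule Base",
    "one way: only the destination sends data",
    "one way: only the source sends data",
]


def decode_ctype(value):
    """Split r_ctype into digits k, l, m, n and name each one."""
    n, m, l, k = value & 0xF, (value >> 4) & 0xF, (value >> 8) & 0xF, (value >> 12) & 0xF
    return {"type": CTYPE_N.get(n, f"unknown ({n})"),
            "ipsec": CTYPE_M.get(m, f"unknown ({m})"),
            "match": CTYPE_L.get(l, f"unknown ({l})"),
            "state": [name for bit, name in CTYPE_K_BITS.items() if k & bit]}


def decode_cflags(value):
    """Split r_cflags into bytes g, h, i, j; g and h are interface IDs from fw ctl iflist."""
    j, i, h, g = value & 0xFF, (value >> 8) & 0xFF, (value >> 16) & 0xFF, (value >> 24) & 0xFF
    return {"src_iface": g, "dst_iface": h,
            "helper": CFLAGS_I.get(i, f"unknown (0x{i:02x})"),
            "flags": [name for pos, name in enumerate(CFLAGS_J_BITS) if j & (0x80 >> pos)]}


def parse_entry(line):
    """Decode one <...> entry line; return None for the attributes line and other noise."""
    m = ENTRY_RE.search(line)
    if not m:
        return None
    src, sport, dst, dport, proto, ckey, ctype, cflags = (int(x, 16) for x in m.groups()[:8])
    return {"src": str(ipaddress.ip_address(src)), "sport": sport,
            "dst": str(ipaddress.ip_address(dst)), "dport": dport,
            "proto": PROTOCOLS.get(proto, str(proto)),
            "encrypted": ckey != 0,          # r_ckey is NULL unless encrypted
            "ctype": decode_ctype(ctype), "cflags": decode_cflags(cflags),
            "time_left": int(m.group(9)), "time_total": int(m.group(10))}


def parse_table(text):
    return [e for e in (parse_entry(line) for line in text.splitlines()) if e]


def accepted_without_rulebase(entries):
    """Entries whose T or U bit is set: expected for helper-opened data
    connections (e.g. FTP PASV), worth a second look for anything else."""
    return [e for e in entries if any("without Rule Base" in f for f in e["cflags"]["flags"])]


if __name__ == "__main__":
    entries = parse_table(SAMPLE_OUTPUT)
    for e in entries:
        print(f"{e['proto']} {e['src']}:{e['sport']} -> {e['dst']}:{e['dport']} "
              f"{e['ctype']['type']} {e['ctype']['state']} {e['cflags']['helper']} "
              f"{e['cflags']['flags']} {e['time_left']}/{e['time_total']}s")
    print("accepted without Rule Base:", len(accepted_without_rulebase(entries)))
```

Feed it the real output with something like `fw tab -t connections -u | python3 decode.py` after swapping SAMPLE_OUTPUT for sys.stdin; the regex ignores the attributes line and anything else that is not an entry.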