August 9th, 2002 02:49 PM
sniffer logging more packets than firewall is dropping
I'm running Ethereal, and I also have Check Point's FW-1. I am running them on the same machine (just for testing purposes... I wouldn't do it in a production environment!). Anyway... on Ethereal I notice 3 packets come in from the same IP going to the same service. Now on the FW, I only see one entry for that packet that is being dropped. Now the question is... why is only one entry showing up in the firewall logs? I'm taking a wild guess here, but could those 3 entries in Ethereal be fragments of one packet? Then does the firewall reassemble the packet, then just drop the one packet?
If this is the case, then how can I verify this?
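One way to test the fragmentation guess against a capture, as an added example that is not part of the original post: fragments of one IPv4 datagram share the same Identification value and have the More Fragments flag set or a non-zero fragment offset, while separate packets have neither. The header bytes below are constructed samples, and the function names are hypothetical.

```python
import socket
import struct
from collections import defaultdict

def parse_ipv4(raw):
    """Pull the fields that matter for fragmentation out of an IPv4 header."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    _, _, _, ident, flags_off, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "proto": proto, "id": ident,
        "mf": bool(flags_off & 0x2000),        # More Fragments flag
        "offset": (flags_off & 0x1FFF) * 8,    # fragment offset in bytes
    }

def classify(packets):
    """Group by (src, dst, proto, id), the key used for reassembly (RFC 791)."""
    groups = defaultdict(list)
    for raw in packets:
        p = parse_ipv4(raw)
        groups[(p["src"], p["dst"], p["proto"], p["id"])].append(p)
    report = {}
    for key, parts in groups.items():
        fragmented = any(p["mf"] or p["offset"] for p in parts)
        report[key] = ("fragments" if fragmented else "whole", len(parts))
    return report

def hdr(ident, mf, offset, payload_len, src="192.0.2.10", dst="198.51.100.5"):
    """Build a constructed 20-byte IPv4/TCP header (checksum left as 0)."""
    flags_off = (0x2000 if mf else 0) | (offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                       flags_off, 64, 6, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

# Constructed sample A: one datagram split into three fragments (same ID).
FRAGMENTED = [hdr(0x1A2B, True, 0, 1480), hdr(0x1A2B, True, 1480, 1480),
              hdr(0x1A2B, False, 2960, 40)]
# Constructed sample B: three separate datagrams (own IDs, no MF, offset 0).
SEPARATE = [hdr(0x0101, False, 0, 28), hdr(0x0102, False, 0, 28),
            hdr(0x0103, False, 0, 28)]

if __name__ == "__main__":
    for name, sample in (("A", FRAGMENTED), ("B", SEPARATE)):
        print(name, classify(sample))
```

Sample A yields a single group of three marked as fragments; sample B yields three groups of one whole packet each, which means the three entries are separate packets rather than pieces of one.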