RE: Check Point Outbound Traffic Mystery (Build 244)

by Rattle at 5:16 am EST, Feb 11, 2006

One of our readers, Jeff Peterson, submitted to us a packet capture that was coming from a newly built Checkpoint Firewall, Build 244. Here is what he observed in his own words:

I'm not familiar with Checkpoint software distribution labeling. The only times I've done Checkpoint installs have been in concert with someone manning the preparation end, and always over a network using Jumpstart. Is there any more identifying information beyond "Build 244" present?

Things that would be helpful to any reasonable analysis:

** Most likely to require an NDA:

1) Disk images of the original software CDs.
2) Information about who the software was shipped to.
3) Postage tracking information contained on the packaging of the software distribution. Scans of the shipping package would be a good start.

** Something Jeff Peterson could make public:

4) Comparison of "Build 244" in this case to other known "Build 244" distributions. Publishing MD5SUM of "Build 244" CDs in question would be enough to further that process.
5) Anything that could place "Build 224" to a time of creation.

Update: Keep in mind that the destination IPs of the packets are not of (paramount) importance. Any network that either holds in common in its routing over the Internet would be the most interesting point of attention. If a packet traverses over a network, or hits the border of a network, it is visible, and hence identifiable based upon its destination address. Take a look and see the results in this situation...
