Detailed instructions for use are in the User's Guide.
[. . . ] Chapter 1:
SonicWALL Packet Monitor in SonicOS
Document Contents
This document contains the following sections:
· "Packet Monitor Overview" on page 2
· "Configuring Packet Monitor" on page 6
· "Using Packet Monitor and Packet Mirror" on page 17
· "Verifying Packet Monitor Activity" on page 22
· "Related Information" on page 26
SonicWALL Packet Monitor Feature Module
1
Packet Monitor Overview
This section introduces the SonicOS Enhanced packet monitor feature. It contains the following subsections:
· "What is Packet Monitor?" on page 2
· "Benefits of Packet Monitor" on page 2
· "How Does Packet Monitor Work?" on page 3
· "What is Packet Mirror?" on page 4
· "How Does Packet Mirror Work?" on page 5
What is Packet Monitor?
Packet monitor is a mechanism that allows you to monitor individual data packets that traverse your SonicWALL firewall appliance. The information decoded from each captured packet includes the following:
· Interface identification
· MAC addresses
· Ethernet type
· Internet Protocol (IP) type
· Source and destination IP addresses
· Port numbers
· L2TP payload details
· PPP negotiation details
You can configure the packet monitor feature in the SonicOS Enhanced management interface. The management interface provides a way to configure the monitor criteria, display settings, mirror settings, and file export settings, and displays the captured packets.
Benefits of Packet Monitor
The SonicOS Enhanced packet monitor feature provides the functionality and flexibility that you need to examine network traffic without the use of external utilities, such as Wireshark (formerly known as Ethereal).
[. . . ]
Step 4  [. . . ] Normally you would only use hex values for Ethernet types that are not supported by acronym in SonicOS Enhanced.
Step 5  In the IP Type(s) box, enter the IP packet types for which you want to display packets, or use the negative format (!UDP) to display packets of all IP types except those specified. The following IP types are supported: TCP, UDP, ICMP, GRE, IGMP, AH, ESP. You can also use hexadecimal values of the IP protocol number to represent the IP types, or mix hex values with the standard representations; for example: TCP, 0x1, 0x6 (0x1 is ICMP and 0x6 is TCP).
Step 6  In the Source IP Address(es) box, type the IP addresses from which you want to display packets, or use the negative format (!10.1.2.3) to display packets captured from all source addresses except those specified.
Configuring Packet Monitor
Step 7  In the Source Port(s) box, type the port numbers from which you want to display packets, or use the negative format (!25) to display packets captured from all source ports except those specified.
Step 8  In the Destination IP Address(es) box, type the IP addresses for which you want to display packets, or use the negative format (!10.1.2.3) to display packets with all destination addresses except those specified.
Step 9  In the Destination Port(s) box, type the port numbers for which you want to display packets, or use the negative format (!80) to display packets with all destination ports except those specified.
Step 10 To match the values in the source and destination fields against either the source or destination information in each captured packet, select the Enable Bidirectional Address and Port Matching checkbox.
Step 11 To display captured packets that the SonicWALL appliance forwarded, select the Forwarded checkbox.
Step 12 To display captured packets that the SonicWALL appliance generated, select the Generated checkbox.
Step 13 To display captured packets that the SonicWALL appliance consumed, select the Consumed checkbox.
Step 14 To display captured packets that the SonicWALL appliance dropped, select the Dropped checkbox.
Step 15 To save your settings and exit the configuration window, click OK.
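The filter rules in the steps above (comma-separated lists, a leading "!" to negate a list, IP types given as acronyms or hex values, bidirectional matching, and the Forwarded/Generated/Consumed/Dropped checkboxes) are easy to get wrong when typed directly into the appliance. The following script is an added illustration, not SonicWALL code: it models those rules as the document describes them and runs a filter against a few constructed packet records so you can see which packets a given set of boxes would display. The packet records, the port value 0 for ICMP, and the reading of bidirectional matching as "also accept the reply direction of the same flow" are assumptions made for the example.

```python
"""Model of the Packet Monitor filter rules described in the steps above.

Added illustration, not SonicWALL code: it implements the documented rules
(comma-separated lists, "!" negation, IP types as acronyms or hex values,
bidirectional address/port matching and the forwarded/generated/consumed/
dropped checkboxes) so that a filter can be tried against constructed
packet records before it is typed into the appliance. How the appliance
itself evaluates these boxes is an assumption here, not documented behaviour.
"""
from dataclasses import dataclass

# IP type acronyms the document lists, with their IANA protocol numbers.
IP_TYPES = {"TCP": 6, "UDP": 17, "ICMP": 1, "GRE": 47, "IGMP": 2, "AH": 51, "ESP": 50}
STATUSES = frozenset({"forwarded", "generated", "consumed", "dropped"})


@dataclass
class Packet:
    """Constructed packet record; status is what the appliance did with it."""
    ip_type: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    status: str


def ip_type_value(token):
    """Accept an acronym (TCP) or a hex value (0x6); the document allows mixing them."""
    t = token.strip().upper()
    if t in IP_TYPES:
        return IP_TYPES[t]
    return int(t, 16) if t.startswith("0X") else int(t)


def parse_box(text, convert):
    """Parse one filter box into (negated, values).

    An empty box matches everything. A leading "!" (e.g. "!UDP", "!10.1.2.3")
    inverts the whole list, as in the document's examples.
    """
    text = text.strip()
    if not text:
        return False, frozenset()
    negated = text.startswith("!")
    items = [i.strip().lstrip("!") for i in text.lstrip("!").split(",") if i.strip()]
    return negated, frozenset(convert(i) for i in items)


def box_matches(spec, value):
    negated, values = spec
    if not values:
        return True
    return value not in values if negated else value in values


@dataclass
class MonitorFilter:
    """The fields of the Monitor Filter tab as plain strings, exactly as typed."""
    ip_types: str = ""
    src_ips: str = ""
    src_ports: str = ""
    dst_ips: str = ""
    dst_ports: str = ""
    bidirectional: bool = False
    statuses: frozenset = STATUSES  # the four checkboxes; all selected by default

    def matches(self, p):
        if p.status not in self.statuses:
            return False
        if not box_matches(parse_box(self.ip_types, ip_type_value), p.ip_type):
            return False
        s_ip, s_pt = parse_box(self.src_ips, str), parse_box(self.src_ports, int)
        d_ip, d_pt = parse_box(self.dst_ips, str), parse_box(self.dst_ports, int)
        forward = (box_matches(s_ip, p.src_ip) and box_matches(s_pt, p.src_port)
                   and box_matches(d_ip, p.dst_ip) and box_matches(d_pt, p.dst_port))
        if forward or not self.bidirectional:
            return forward
        # Bidirectional: also accept the packet when the source boxes match its
        # destination side and the destination boxes match its source side
        # (the reply direction of the same flow). This reading is an assumption.
        return (box_matches(s_ip, p.dst_ip) and box_matches(s_pt, p.dst_port)
                and box_matches(d_ip, p.src_ip) and box_matches(d_pt, p.src_port))


# Constructed sample traffic (not a real capture). ICMP carries no ports; 0 is used.
SAMPLE_PACKETS = [
    Packet(6, "10.1.2.3", 51000, "192.0.2.10", 80, "forwarded"),    # 0: client -> web
    Packet(6, "192.0.2.10", 80, "10.1.2.3", 51000, "forwarded"),    # 1: web -> client
    Packet(17, "10.1.2.7", 53000, "192.0.2.53", 53, "dropped"),      # 2: DNS, dropped
    Packet(1, "10.1.2.9", 0, "192.0.2.10", 0, "consumed"),           # 3: ICMP, consumed
]


def select(flt, packets=SAMPLE_PACKETS):
    """Indices of the packets the filter would display."""
    return [i for i, p in enumerate(packets) if flt.matches(p)]


if __name__ == "__main__":
    print("TCP, 0x1          ->", select(MonitorFilter(ip_types="TCP, 0x1")))
    print("!UDP              ->", select(MonitorFilter(ip_types="!UDP")))
    print("dst port 80       ->", select(MonitorFilter(dst_ports="80")))
    print("dst port 80, bidi ->", select(MonitorFilter(dst_ports="80", bidirectional=True)))
    print("src !10.1.2.3     ->", select(MonitorFilter(src_ips="!10.1.2.3")))
```

Note the difference between the two "dst port 80" runs: without bidirectional matching only the request packet is shown, with it the reply (whose source port is 80) is shown too, which is usually what you want when troubleshooting a single flow.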
Configuring Logging Settings
This section describes how to configure Packet Monitor logging settings. These settings provide a way to configure automatic logging of the capture buffer to an external FTP server. When the buffer fills up, the packets are transferred to the FTP server. If you configure automatic FTP logging, this supersedes the setting for wrapping the buffer when full. With automatic FTP logging, the capture buffer is effectively wrapped when full, but you also retain all the data rather than overwriting it each time the buffer wraps. To configure logging settings, perform the following steps:
Step 1  Navigate to the System > Packet Monitor page and click Configure.
Step 2  In the Packet Monitor Configuration window, click the Logging tab.
Step 3  In the FTP Server IP Address box, type the IP address of the FTP server.
Note    Make sure that the FTP server IP address is reachable by the SonicWALL appliance. An IP address that is reachable only via a VPN tunnel is not supported. FTP transfers the login credentials and the capture files in cleartext, and the capture files contain whatever traffic matched the filter, so place the FTP server on a trusted management network.
Step 4  In the Login ID box, type the login name that the SonicWALL appliance should use to connect to the FTP server.
Step 5  In the Password box, type the password that the SonicWALL appliance should use to connect to the FTP server.
Step 6  In the Directory Path box, type the directory location for the transferred files. The files are written to this location relative to the default FTP root directory. For libpcap format, files are named "packet-log--<>.cap", where <> contains a run number and a date including hour, month, day, and year. For HTML format, file names are in the form "packet-log_h-<>.html".
Step 7  To enable automatic transfer of the capture file to the FTP server when the buffer is full, select the Log To FTP Server Automatically checkbox.
Step 8  To enable transfer of the file in HTML format as well as libpcap format, select the Log HTML File Along With .cap File (FTP) checkbox.
[. . . ]
When the hex value is zero, the ASCII value is displayed as a dot.
Verifying Packet Monitor Activity
This section describes how to tell if your packet monitor, mirroring, or FTP logging is working correctly according to the configuration. It contains the following sections:
· "Understanding Status Indicators" on page 22
· "Clearing the Status Information" on page 25
Understanding Status Indicators
The main Packet Monitor page displays status indicators for packet capture, mirroring, and FTP logging. Information popup tooltips are available for quick display of the configuration settings.
See the following sections:
· "Packet Capture Status" on page 22
· "Mirroring Status" on page 23
· "FTP Logging Status" on page 24
· "Current Buffer Statistics" on page 24
· "Current Configurations" on page 24
Packet Capture Status
The packet capture status indicator is labelled as Trace, and shows one of the following three conditions:
· Red: capture is stopped
· Green: capture is running and the buffer is not full
· Yellow: capture is running, but the buffer is full
The management interface also displays the buffer size, the number of packets captured, the percentage of buffer space used, and how many packets have been lost. Lost packets occur when automatic FTP logging is turned on but the file transfer is too slow to keep up with the capture, so packets arrive while the buffer is still full. [. . . ]
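The status indicators tell you what the appliance thinks it captured and uploaded; the other half of verifying FTP logging is checking what actually arrived on the server. The following script is an added example, not SonicWALL code. It reads the libpcap global header of a .cap file (in either byte order), counts the complete packet records, and flags a file that was cut off mid-record, so that per-file packet counts can be reconciled with the captured and lost figures on the Packet Monitor page. The sample file is constructed in memory; on the FTP server you would run inspect_pcap() over each packet-log--*.cap file in the configured directory path. The exact contents of the <> part of the file name are not assumed.

```python
"""Sanity-check .cap files uploaded by automatic FTP logging.

Added example, not SonicWALL code. The document says the capture buffer is
written in libpcap format; this reads the global header of such a file
(either byte order) and counts the packet records in it, so per-file counts
can be reconciled with the capture and "lost" figures on the Packet Monitor
page. The sample file is built in memory; on the FTP server you would call
inspect_pcap() on each packet-log--*.cap file in the configured directory.
"""
import struct

GLOBAL_HEADER = "IHHiIII"   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER = "IIII"      # ts_sec, ts_usec, incl_len, orig_len
MAGIC_LE = (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1")  # usec and nsec variants, little-endian
MAGIC_BE = (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d")  # same, big-endian


def build_sample_pcap(payloads, little_endian=True):
    """Construct a minimal libpcap file (sample input, not a real capture)."""
    e = "<" if little_endian else ">"
    out = struct.pack(e + GLOBAL_HEADER, 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, payload in enumerate(payloads):
        out += struct.pack(e + RECORD_HEADER, 1_700_000_000 + i, 0, len(payload), len(payload))
        out += payload
    return out


def inspect_pcap(data):
    """Return header fields and the number of complete packet records.

    Raises ValueError if the file is not libpcap at all (for instance an
    error page saved under a .cap name). A file cut off mid-record is
    reported as truncated rather than rejected, because a transfer that was
    interrupted while the buffer was being uploaded is exactly the case
    worth noticing.
    """
    if len(data) < 24:
        raise ValueError("shorter than a libpcap global header")
    magic = data[:4]
    if magic in MAGIC_LE:
        e = "<"
    elif magic in MAGIC_BE:
        e = ">"
    else:
        raise ValueError("not a libpcap file, magic %s" % magic.hex())
    _, major, minor, _, _, snaplen, linktype = struct.unpack(e + GLOBAL_HEADER, data[:24])
    pos, count, truncated = 24, 0, False
    while pos < len(data):
        if pos + 16 > len(data):
            truncated = True
            break
        _, _, incl_len, _ = struct.unpack(e + RECORD_HEADER, data[pos:pos + 16])
        if incl_len > snaplen or pos + 16 + incl_len > len(data):
            truncated = True
            break
        pos += 16 + incl_len
        count += 1
    return {
        "byte_order": "little" if e == "<" else "big",
        "version": (major, minor),
        "linktype": linktype,   # 1 = Ethernet
        "snaplen": snaplen,
        "packets": count,
        "truncated": truncated,
    }


if __name__ == "__main__":
    sample = build_sample_pcap([b"\x00" * 60, b"\x01" * 100, b"\x02" * 14])
    print(inspect_pcap(sample))          # 3 complete records
    print(inspect_pcap(sample[:-5]))     # last record cut off: truncated, 2 records
```

If the packet counts across the uploaded files add up to less than the captured count shown on the page, the difference should match the lost figure; a file that reads as truncated points at the transfer, not the capture.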