User manual SONICWALL SONICOS 5.8 PACKET MONITOR FEATURE MODULE REV A

[. . . ] Chapter 1: SonicWALL Packet Monitor in SonicOS Document Contents This document contains the following sections: · · · · · "Packet Monitor Overview" on page 2 "Configuring Packet Monitor" on page 6 "Using Packet Monitor and Packet Mirror" on page 17 "Verifying Packet Monitor Activity" on page 22 "Related Information" on page 26 SonicWALL Packet Monitor Feature Module 1 Packet Monitor Overview Packet Monitor Overview This section provides an introduction to the SonicOS Enhanced packet monitor feature. This section contains the following subsections: · · · · · "What is Packet Monitor?" on page 2 "Benefits of Packet Monitor" on page 2 "How Does Packet Monitor Work?" on page 3 "What is Packet Mirror?" on page 4 "How Does Packet Mirror Work?" on page 5 What is Packet Monitor? Packet monitor is a mechanism that allows you to monitor individual data packets that traverse your SonicWALL firewall appliance. Addressing information from the packet header includes the following: · · · · · · · · Interface identification MAC addresses Ethernet type Internet Protocol (IP) type Source and destination IP addresses Port numbers L2TP payload details PPP negotiations details You can configure the packet monitor feature in the SonicOS Enhanced management interface. The management interface provides a way to configure the monitor criteria, display settings, mirror settings, and file export settings, and displays the captured packets. Benefits of Packet Monitor The SonicOS Enhanced packet monitor feature provides the functionality and flexibility that you need to examine network traffic without the use of external utilities, such as Wireshark (formerly known as Ethereal). [. . . ] Normally you would only use hex values for Ethernet types that are not supported by acronym in SonicOS Enhanced. In the IP Type(s) box, enter the IP packet types for which you want to display packets, or use the negative format (!UDP) to display packets of all IP types except those specified. The following IP types are supported: TCP, UDP, ICMP, GRE, IGMP, AH, ESP. You can also use hexadecimal values to represent the IP types, or mix hex values with the standard representations; for example: TCP, 0x1, 0x6. In the Source IP Address(es) box, type the IP addresses from which you want to display packets, or use the negative format (!10. 1. 2. 3) to display packets captured from all source addresses except those specified. Step 4 Step 5 Step 6 10 SonicWALL Packet Monitor Feature Module Configuring Packet Monitor Step 7 In the Source Port(s) box, type the port numbers from which you want to display packets, or use the negative format (!25) to display packets captured from all source ports except those specified. In the Destination IP Address(es) box, type the IP addresses for which you want to display packets, or use the negative format (!10. 1. 2. 3) to display packets with all destination addresses except those specified. In the Destination Port(s) box, type the port numbers for which you want to display packets, or use the negative format (!80) to display packets with all destination ports except those specified. information in each captured packet, select the Enable Bidirectional Address and Port Matching checkbox. Step 8 Step 9 Step 10 To match the values in the source and destination fields against either the source or destination Step 11 To display captured packets that the SonicWALL appliance forwarded, select the Forwarded checkbox. Step 12 To display captured packets that the SonicWALL appliance generated, select the Generated checkbox. Step 13 To display captured packets that the SonicWALL appliance consumed, select the Consumed checkbox. Step 14 To display captured packets that the SonicWALL appliance dropped, select the Dropped checkbox. Step 15 To save your settings and exit the configuration window, click OK. Configuring Logging Settings This section describes how to configure Packet Monitor logging settings. These settings provide a way to configure automatic logging of the capture buffer to an external FTP server. When the buffer fills up, the packets are transferred to the FTP server. If you configure automatic FTP logging, this supersedes the setting for wrapping the buffer when full. With automatic FTP logging, the capture buffer is effectively wrapped when full, but you also retain all the data rather than overwriting it each time the buffer wraps. To configure logging settings, perform the following steps: Step 1 Navigate to the System > Packet Monitor page and click Configure. SonicWALL Packet Monitor Feature Module 11 Configuring Packet Monitor Step 2 In the Packet Monitor Configuration window, click the Logging tab. Step 3 In the FTP Server IP Address box, type the IP address of the FTP server. Note Make sure that the FTP server IP address is reachable by the SonicWALL appliance. An IP address that is reachable only via a VPN tunnel is not supported. In the Login ID box, type the login name that the SonicWALL appliance should use to connect to the FTP server. In the Password box, type the password that the SonicWALL appliance should use to connect to the FTP server. In the Directory Path box, type the directory location for the transferred files. The files are written to this location relative to the default FTP root directory. For libcap format, files are named "packet-log--<>. cap", where the <> contains a run number and date including hour, month, day, and year. For HTML format, file names are in the form: "packet-log_h-<>. html". To enable automatic transfer of the capture file to the FTP server when the buffer is full, select the Log To FTP Server Automatically checkbox. To enable transfer of the file in HTML format as well as libcap format, select the Log HTML File Along With . cap File (FTP). [. . . ] When the hex value is zero, the ASCII value is displayed as a dot. SonicWALL Packet Monitor Feature Module 21 Verifying Packet Monitor Activity Verifying Packet Monitor Activity This section describes how to tell if your packet monitor, mirroring, or FTP logging is working correctly according to the configuration. It contains the following sections: · · "Understanding Status Indicators" on page 22 "Clearing the Status Information" on page 25 Understanding Status Indicators The main Packet Monitor page displays status indicators for packet capture, mirroring, and FTP logging. Information popup tooltips are available for quick display of the configuration settings. See the following sections: · · · · · "Packet Capture Status" on page 22 "Mirroring Status" on page 23 "FTP Logging Status" on page 24 "Current Buffer Statistics" on page 24 "Current Configurations" on page 24 Packet Capture Status The packet capture status indicator is labelled as Trace, and shows one of the following three conditions: · · · Red ­ Capture is stopped Green ­ Capture is running and the buffer is not full Yellow ­ Capture is running, but the buffer is full The management interface also displays the buffer size, the number of packets captured, the percentage of buffer space used, and how much of the buffer has been lost. Lost packets occur when automatic FTP logging is turned on, but the file transfer is slow for some reason. [. . . ]