SonicOS Enhanced Packet Capture

Published on 29-Apr-2018


  • Packet Capture

    Document Scope

    This solutions document describes how to configure and use the packet capture feature in SonicOS Enhanced.

    This document contains the following sections:

    Feature Overview section on page 2

    Using Packet Capture section on page 5

    Configuring Packet Capture section on page 10

    Verifying Packet Capture Activity section on page 19

    Related Information section on page 21

    Glossary section on page 24

    1 SonicOS Enhanced Packet Capture

  • Feature Overview

    Feature Overview

    This section provides an introduction to the SonicOS Enhanced packet capture feature. This section contains the following subsections:

    What is Packet Capture? section on page 2

    Benefits section on page 2

    How Does Packet Capture Work? section on page 3

    What is Packet Capture?

    Packet capture is a mechanism that allows you to capture and examine the contents of individual data packets that traverse your SonicWALL firewall appliance. The captured packets contain both data and addressing information. The captured addressing information from the packet header includes the following:

    Interface identification

    MAC addresses

    Ethernet type

    Internet Protocol (IP) type

    Source and destination IP addresses

    Port numbers

    L2TP payload details

    PPP negotiations details

    You can configure the packet capture feature in the SonicOS Enhanced user interface (UI). The UI provides a way to configure the capture criteria, display settings, and file export settings, and displays the captured packets.

    Benefits

    The SonicOS Enhanced packet capture feature provides the functionality and flexibility that you need to examine network traffic without the use of external utilities, such as Wireshark (formerly known as Ethereal). The packet capture feature includes the following capabilities:

    Capture control mechanism with improved granularity for custom filtering

    Display filter settings independent from capture filter settings

    Packet status indicates if the packet was dropped, forwarded, generated, or consumed by the firewall

    Three-window output in the UI:

    List of packets

    Decoded output of selected packet

    Hexadecimal dump of selected packet

    Export capabilities include text or HTML format with hex dump of packets, plus CAP file format

    Automatic export to FTP server when the buffer is full

    Bidirectional packet capture based on IP address and port

    Configurable wrap-around of packet capture buffer when full


    How Does Packet Capture Work?

    As an administrator, you can configure the general settings, capture filter, display filter, advanced settings, and FTP settings of the packet capture tool. As network packets enter the packet capture subsystem, the capture filter settings are applied and the resulting packets are written to the capture buffer. The display filter settings are applied as you view the buffer contents in the UI. You can log the capture buffer to view in the UI, or you can configure automatic transfer to the FTP server when the buffer is full.

    Default settings are provided so that you can start using packet capture without configuring it first. The basic functionality is as follows:

    Start: Click Start to begin capturing all packets except those used for communication between the SonicWALL appliance and the UI on your console system.

    Stop: Click Stop to stop the packet capture.

    Reset: Click Reset to clear the status counters that are displayed at the top of the Packet Capture page.

    Refresh: Click Refresh to display new buffer data in the Captured Packets window. You can then click any packet in the window to display its header information and data in the Packet Detail and Hex Dump windows.

    Export As: Display or save a snapshot of the current buffer in the file format that you select from the drop-down list. Saved files are placed on your local management system (where the UI is running). Choose from the following formats:

    CAP - Select CAP format if you want to view the data with the Wireshark network protocol analyzer. This is also known as libpcap or pcap format. A dialog box allows you to open the buffer file with Wireshark, or save it to your local hard drive with the extension .pcap.

    HTML - Select HTML to view the data with a browser. You can use File > Save As to save a copy of the buffer to your hard drive.

    Text - Select Text to view the data in a text editor. A dialog box allows you to open the buffer file with the registered text editor, or save it to your local hard drive with the extension .wri.


    Refer to Figure 1 for a high-level view of the packet capture subsystem. It shows the different filters and the order in which they are applied.

    Figure 1 High Level Packet Capture on Subsystem View


  • Using Packet Capture

    Using Packet Capture

    This section contains the following subsections:

    Accessing Packet Capture in the UI section on page 5

    Starting and Stopping Packet Capture section on page 6

    Viewing the Captured Packets section on page 6

    Accessing Packet Capture in the UI

    This section describes how to access the packet capture tool in the SonicOS UI. There are two ways to access the Packet Capture screen.

    Step 1 Log in to the SonicOS UI as admin.

    Step 2 To go directly to the Packet Capture screen, in the left pane, under System, click Packet Capture.

    Figure 2 Packet Capture Screen

    Step 3 Alternatively, to access packet capture from the Diagnostics screen, in the left pane, under System, click Diagnostics.

    Step 4 In the right pane, in the Diagnostic Tool list, click Packet Capture.


    Starting and Stopping Packet Capture

    The Packet Capture screen has buttons for starting and stopping a packet capture. You can start a packet capture that uses default settings without configuring specific criteria for packet capture, display, FTP export, and other settings. If you start a default packet capture, the SonicWALL appliance will capture all packets except those for internal communication, and will stop when the buffer is full or when you click Stop.

    Starting Packet Capture

    Step 1 Navigate to the Packet Capture page in the UI.

    See Accessing Packet Capture in the UI on page 5.

    Step 2 Under Packet Capture, optionally click Reset.

    The Packet Capture page displays several lines of statistics above the Start and Stop buttons. You can click Reset to set the statistics back to zero.

    Step 3 Under Packet Capture, click Start.

    Step 4 To refresh the packet display windows to show new buffer data, click Refresh.

    You can view the captured packets in the Captured Packets, Packet Detail, and Hex Dump sections of the screen. See Viewing the Captured Packets on page 6.

    Stopping Packet Capture

    Step 1 Navigate to the Packet Capture page in the UI.

    See Accessing Packet Capture in the UI on page 5.

    Step 2 Under Packet Capture, click Stop.

    Viewing the Captured Packets

    The UI provides three windows to display different views of the captured packets. The following sections describe the viewing windows:

    About the Captured Packets Window on page 6

    About the Packet Detail Window on page 8

    About the Hex Dump Window on page 9

    About the Captured Packets Window

    The Captured Packets window displays the following statistics about each packet:

    # - The packet number relative to the start of the capture

    Time - The date and time that the packet was captured

    Ingress - The SonicWALL appliance interface on which the packet arrived is marked with an asterisk (*). The subsystem type abbreviation is shown in parentheses. Subsystem type abbreviations are defined in Table 1.


    Figure 3 Captured Packets Window

    Egress - The SonicWALL appliance interface on which the packet was captured when sent out. The subsystem type abbreviation is shown in parentheses. See Table 1 for definitions of subsystem type abbreviations.

    Source IP - The source IP address of the packet

    Destination IP - The destination IP address of the packet

    Ether Type - The Ethernet type of the packet from its Ethernet header

    Packet Type - The type of the packet depending on the Ethernet type; for example:

    For IP packets, the packet type might be TCP, UDP, or another protocol that runs over IP

    For PPPoE packets, the packet type might be PPPoE Discovery or PPPoE Session

    For ARP packets, the packet type might be Request or Reply

    Ports [Src,Dst] - The source and destination TCP or UDP ports of the packet

    Status - The status field for the packet

    Table 1 Subsystem Types

    Abbreviation   Definition
    i              Interface
    hc             Hardware based encryption or decryption
    sc             Software based encryption or decryption
    m              Multicast
    r              Packet reassembly
    s              System stack
    ip             IP helper
    f              Fragmentation
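    As an added example (not code from the SonicWALL document), the following Python script reads a capture exported in the CAP (libpcap) format described under Export As and decodes, for each frame, the header fields the Captured Packets window lists: MAC addresses, Ether Type, Packet Type, Source and Destination IP, and Ports [Src,Dst]. The sample capture it builds is constructed inline, and the column names in the returned dictionary are this example's own choice, not SonicOS identifiers.

```python
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4                               # classic libpcap magic number
ETH_TYPES = {0x0800: "IP", 0x0806: "ARP", 0x8863: "PPPoE Discovery", 0x8864: "PPPoE Session"}
IP_PROTOS = {1: "ICMP", 6: "TCP", 17: "UDP"}

def iter_frames(data):
    """Yield the raw Ethernet frames stored in a .pcap byte string (either byte order)."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    if struct.unpack(endian + "I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a libpcap capture")
    off = 24                                          # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        off += 16                                     # 16-byte per-record header
        yield data[off:off + incl_len]
        off += incl_len

def summarise_frame(frame):
    """Decode one frame into the columns the Captured Packets window shows."""
    eth_type = struct.unpack("!H", frame[12:14])[0]
    row = {"dst_mac": frame[:6].hex(":"), "src_mac": frame[6:12].hex(":"),
           "ether_type": ETH_TYPES.get(eth_type, hex(eth_type)),
           "packet_type": "?", "src_ip": None, "dst_ip": None, "ports": None}
    if eth_type == 0x0800:                            # IPv4: protocol, addresses, ports
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
        row.update(src_ip=socket.inet_ntoa(frame[26:30]), dst_ip=socket.inet_ntoa(frame[30:34]),
                   packet_type=IP_PROTOS.get(proto, f"IP proto {proto}"))
        if proto in (6, 17):                          # TCP and UDP headers both begin with the ports
            row["ports"] = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
    elif eth_type == 0x0806:                          # ARP: the opcode gives Request or Reply
        opcode = struct.unpack("!H", frame[20:22])[0]
        row.update(packet_type={1: "Request", 2: "Reply"}.get(opcode, "ARP"),
                   src_ip=socket.inet_ntoa(frame[28:32]), dst_ip=socket.inet_ntoa(frame[38:42]))
    return row

def build_sample_pcap():
    """Constructed sample (not a real SonicWALL export): one TCP SYN and one ARP request."""
    mac_a, mac_b = bytes.fromhex("0017c5000001"), bytes.fromhex("001122334455")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                     socket.inet_aton("10.0.0.5"), socket.inet_aton("192.0.2.10"))
    tcp = struct.pack("!HHIIBBHHH", 51234, 443, 1, 0, 0x50, 0x02, 8192, 0, 0)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, mac_a, socket.inet_aton("10.0.0.5"),
                      b"\x00" * 6, socket.inet_aton("10.0.0.1"))
    frames = [mac_b + mac_a + b"\x08\x00" + ip + tcp, b"\xff" * 6 + mac_a + b"\x08\x06" + arp]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)   # link type 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1524000000 + i, 0, len(f), len(f)) + f
    return out
```

    Run it against a real .pcap saved from the Export As drop-down to get the same per-packet summary offline; fields the firewall adds itself (Ingress, Egress, Status) are not part of the pcap record and stay in the UI or the text/HTML exports.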


    The status field shows the state of the packet with respect to the firewall. A packet can be dropped, generated, consumed or forwarded by the SonicWALL appliance. You can position the mouse pointer over dropped or consumed packets to show the following information.

    Length [Actual] - Length value is the number of bytes captured in the buffer for this packet. Actual value, in bra
