Using Packet Monitor and Packet Mirror

The other buttons and displays on this page are described in the following sections:

Starting and Stopping Packet Capture

You can start a packet capture that uses default settings without configuring specific criteria for packet capture, display, FTP export, and other settings. If you start a default packet capture, the Dell SonicWALL security appliance captures all packets except those for internal communication and stops when the buffer is full or when you click Stop Capture.

To start and stop Packet Monitor:
1. Navigate to the Dashboard > Packet Monitor page.
2. Optionally click Clear to set the statistics back to zero.
3. Under Packet Monitor, click Start Capture.
4
5

You can view the captured packets in the Captured Packets, Packet Detail, and Hex Dump sections of the Packet Monitor page. See Viewing Captured Packets.

Starting and Stopping Packet Mirror

You can start packet mirroring that uses your configured mirror settings by clicking Start Mirror. It is not necessary to first configure specific criteria for display, logging, FTP export, and other settings. Packet mirroring stops when you click Stop Mirror.

To stop and start Packet Mirror:
1. Navigate to the Dashboard > Packet Monitor page.
2. Under Packet Monitor, click Start Mirror to start mirroring packets according to your configured settings.
3

Logging to an FTP Server

To begin logging to an FTP server at any time, click Log to FTP server.

NOTE: If you have not entered a valid server IP address on the Configure > Logging dialog, this message displays:

Viewing Captured Packets

The Dashboard > Packet Monitor page provides three sections to display different views of captured packets:

About the Captured Packets Display
NOTE: The Captured Packets table is best viewed with IE.

The Captured Packets section displays the following statistics about each packet:

# - The packet number relative to the start of the capture
Time - The date and time that the packet was captured
Ingress - The firewall interface on which the packet arrived is marked with an asterisk (*). The subsystem type abbreviation is shown in parentheses. Subsystem type abbreviations are defined in Table 17.
 

Table 17. Subsystem type abbreviations

| Abbreviation | Definition |
|---|---|
| i | Interface |
| hc | Hardware based encryption or decryption |
| sc | Software based encryption or decryption |
| m | Multicast |
| r | Packet reassembly |
| s | System stack |
| ip | IP helper |
| f | Fragmentation |

Egress - The firewall interface on which the packet was captured when sent out. The subsystem type abbreviation is shown in parentheses. See Table 17 for definitions of subsystem type abbreviations.
Source IP - The source IP address of the packet.
Destination IP - The destination IP address of the packet.
Ether Type - The Ethernet type of the packet from its Ethernet header.
Packet Type - The type of the packet depending on the Ethernet type, as shown in Table 18.
 

Table 18. Packet type

| Ethernet type | Packet type |
|---|---|
| IP packets | TCP, UDP, or another protocol that runs over IP |
| PPPoE packets | PPPoE Discovery or PPPoE Session |
| ARP packets | Request or Reply |

Ports [Src, Dst] - The source and destination TCP or UDP ports of the packet
Status - The status field for the packet

The status field shows the state of the packet with respect to the firewall. A packet can be dropped, generated, consumed or forwarded by the Dell SonicWALL security appliance. You can position the mouse pointer over dropped or consumed packets to show the information listed in Table 19.

 

Table 19. Packet status details

| Packet status | Displayed value | Definition of displayed value |
|---|---|---|
| Dropped | Module-ID = <integer> | Value for the protocol subsystem ID |
| Dropped | Drop-code = <integer> | Reason for dropping the packet |
| Dropped | Reference-ID: <code> | SonicWALL-specific data |
| Consumed | Module-ID = <integer> | Value for the protocol subsystem ID |

Length [Actual] - Length value is the number of bytes captured in the buffer for this packet. Actual value, in brackets, is the number of bytes transmitted in the packet.
Blade - The blade ID for handling this packet.

Using Keyboard Shortcuts

When you select a packet, you can use the keyboard shortcuts shown in Table 20. These shortcuts make it easy to navigate a large, multi-page display and to start/stop packet capture.

 

Table 20. Keyboard shortcuts for the Captured Packets table

| Use this shortcut | To perform this action |
|---|---|
| Double click packet | Select the packet as a filter |
| Up arrow | Go to previous packet |
| Down arrow | Go to next packet |
| Right arrow | Load next page |
| Home | Go to the first packet on the current page |
| End | Go to the last packet on the current page |
| n | Go to the next page |
| p | Go to the previous page |
| f | Go to the first page |
| l | Go to the last page |
| r | Refresh the display |
| c | Start packet capture |
| s | Stop packet capture |

About the Packet Detail Display

When you click on a packet in the Captured Packets section, the packet header fields are displayed in the Packet Detail section. The display varies depending on the type of packet that you select.

About the Hex Dump Display

When you click on a packet in the Captured Packets section, the packet data is displayed in hexadecimal and ASCII format in the Hex Dump section. The hex format is shown on the left side of the dialog, with the corresponding ASCII characters displayed to the right for each line. When the hex value is zero, the ASCII value is displayed as a dot.