Packet Monitor Overview

•	What is Packet Monitor?

•	Benefits of Packet Monitor

•	How Does Packet Monitor Work?

•	What is Packet Mirror?

•	How Does Packet Mirror Work?

What is Packet Monitor?

Packet monitor is a mechanism that allows you to monitor individual data packets that traverse your SonicWALL firewall appliance. Packets can be either monitored or mirrored. The monitored packets contain both data and addressing information. Addressing information from the packet header includes the following:

•	Interface identification

•	MAC addresses

•	Ethernet type

•	Internet Protocol (IP) type

•	Source and destination IP addresses

•	Port numbers

•	L2TP payload details

•	PPP negotiations details

You can configure the packet monitor feature in the SonicOS management interface. The management interface provides a way to configure the monitor criteria, display settings, mirror settings, and file export settings, and displays the captured packets.

Benefits of Packet Monitor

The SonicOS packet monitor feature provides the functionality and flexibility that you need to examine network traffic without the use of external utilities, such as Wireshark (formerly known as Ethereal). Packet monitor includes the following features:

•	Control mechanism with improved granularity for custom filtering (Monitor Filter)

•	Display filter settings independent from monitor filter settings

•	Packet status indicates if the packet was dropped, forwarded, generated, or consumed by the firewall

•	Three output displays in the management interface:

•	List of packets

•	Decoded output of selected packet

•	Hexadecimal dump of selected packet

•	Export capabilities include text or HTML format with hex dump of packets, plus CAP file format

•	Automatic export to FTP server when the buffer is full

•	Bidirectional packet monitor based on IP address and port

•	Configurable wrap-around of packet monitor buffer when full

How Does Packet Monitor Work?

As an administrator, you can configure the general settings, monitor filter, display filter, advanced filter settings, and FTP settings of the packet monitor tool. As network packets enter the packet monitor subsystem, the monitor filter settings are applied and the resulting packets are written to the capture buffer. The display filter settings are applied as you view the buffer contents in the management interface. You can log the capture buffer to view in the management interface, or you can configure automatic transfer to the FTP server when the buffer is full.

Default settings are provided so that you can start using packet monitor without configuring it first. The basic functionality is as follows:

 

Table 15. Packets: Basic functionality

Start:	Click Start Capture to begin capturing all packets except those used for communication between the firewall and the management interface on your console system.
Stop:	Click Stop Capture to stop the packet capture.
Clear:	Click Clear to clear the status counters that are displayed at the top of the Packet Monitor page.
Refresh:	Click Refresh to display new buffer data in the Captured Packets window. You can then click any packet in the window to display its header information and data in the Packet Detail and Hex Dump windows.
Export As:	Display or save a snapshot of the current buffer in the file format that you select from the drop-down list. Saved files are placed on your local management system (where the management interface is running). Choose from the following formats: • Libpcap - Select Libpcap format if you want to view the data with the Wireshark (formerly Ethereal) network protocol analyzer. This is also known as libcap or pcap format. A dialog allows you to open the buffer file with Wireshark, or save it to your local hard drive with the extension .pcap. • Html - Select Html to view the data with a browser. You can use File > Save As to save a copy of the buffer to your hard drive. • Text - Select Text to view the data in a text editor. A dialog allows you to open the buffer file with the registered text editor, or save it to your local hard drive with the extension .wri. • App Data - Select App Data to view only application data contained in the packet. Packets containing no application data are skipped during the capture. Application data = captured packet minus L2, L3, and L4 headers.

Refer to the figure below to see a high level view of the packet monitor subsystem. This shows the different filters and how they are applied.

Figure 2. Packet monitor subsystem showing filters

What is Packet Mirror?

Packet mirroring is the process of sending a copy of packets seen on one interface to another interface or to a remote SonicWALL appliance.

There are two aspects of mirroring:

Classification – Refers to identifying a selected set of packets to be mirrored. Incoming and outgoing packets to and from an interface are matched against a filter. If matched, the mirror action is applied.

Action – Refers to sending a copy of the selected packets to a port or a remote destination. Packets matching a classification filter are sent to one of the mirror destinations. A particular mirror destination is part of the action identifier.

How Does Packet Mirror Work?

Every classification filter is associated with an action identifier. Up to two action identifiers can be defined, supporting two mirror destinations (a physical port on the same firewall and/or a remote SonicWALL firewall). The action identifiers determine how a packet is mirrored. The following types of action identifiers are supported:

•	Send a copy to a physical port.

•	Encapsulate the packet and send it to a remote SonicWALL appliance.

•	Send a copy to a physical port with a VLAN configured.

Classification is performed on the Monitor Filter and Advanced Monitor Filter tab of the Packet Monitor Configuration window.

A local Sonicwall firewall can be configured to receive remotely mirrored traffic from a remote SonicWALL firewall. At the local firewall, received mirrored traffic can either be saved in the capture buffer or sent to another local interface. This is configured in the Remote Mirror Settings (Receiver) section on the Mirror tab of the Packet Monitor Configuration window.

SonicOS supports the following packet mirroring options:

•	Mirror packets to a specified interface (Local Mirroring).

•	Mirror only selected traffic.

•	Mirror SSL decrypted traffic.

•	Mirror complete packets including Layer 2 and Layer 3 headers as well as the payload.

•	Mirror packets to a remote firewall (Remote Mirroring Tx).

•	Receive mirrored packets from a remote SonicWALL appliance (Remote Mirroring Rx).