Viewing Captured Packets

The Dashboard > Packet Monitor page provides three sections that display different views of captured packets.

About the Captured Packets Section

The Captured Packets section displays the following statistics about each packet:

# - The packet number relative to the start of the capture.
Time - The date and time that the packet was captured.
Ingress - The SonicWall appliance interface on which the packet arrived is marked with an asterisk (*). The subsystem type abbreviation is shown in parentheses:
 

Ingress Subsystem Type Abbreviations

Abbreviation    Definition
i               Interface
hc              Hardware based encryption or decryption
sc              Software based encryption or decryption
m               Multicast
r               Packet reassembly
s               System stack
ip              IP helper
f               Fragmentation

Egress - The SonicWall appliance interface on which the packet was captured when sent out. The subsystem type abbreviation is shown in parentheses. See the table above for definitions of subsystem type abbreviations.
Source IP - The source IP address of the packet.
Destination IP - The destination IP address of the packet.
Ether Type - The Ethernet type of the packet from its Ethernet header.
Packet Type - The type of the packet, depending on the Ethernet type; for example:
    IP packets: the packet type might be TCP, UDP, or another protocol that runs over IP.
    PPPoE packets: the packet type might be PPPoE Discovery or PPPoE Session.
    ARP packets: the packet type might be Request or Reply.
Ports [Src,Dst] - The source and destination TCP or UDP ports of the packet.
Status - The status field for the packet.

The status field shows the state of the packet with respect to the firewall. A packet can be dropped, generated, consumed or forwarded by the SonicWall appliance. You can position the mouse pointer over dropped or consumed packets to show the following information.

 

Status Details

Packet status   Displayed value          Definition of displayed value
Dropped         Module-ID = <integer>    Value for the protocol subsystem ID
                Drop-code = <integer>    Reason for dropping the packet
                Reference-ID: <code>     SonicWall-specific data
Consumed        Module-ID = <integer>    Value for the protocol subsystem ID

Length [Actual] - Length value is the number of bytes captured in the buffer for this packet. Actual value, in brackets, is the number of bytes transmitted in the packet. You can configure the number of bytes to capture. See Configuring General Settings.
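
The following Python example is added here and is not SonicWall code. It decodes Ingress/Egress cells using the abbreviation table above, flags packets whose captured length is below the actual length, and counts dropped packets per Module-ID and Drop-code. The cell renderings ("X1*(i)", "96[1514]", "--" for no interface), the row dictionaries and all sample values are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Subsystem type abbreviations, copied from the table on this page.
SUBSYSTEMS = {
    "i": "Interface", "hc": "Hardware based encryption or decryption",
    "sc": "Software based encryption or decryption", "m": "Multicast",
    "r": "Packet reassembly", "s": "System stack", "ip": "IP helper",
    "f": "Fragmentation"}
# Assumed cell renderings: "X1*(i)" for Ingress/Egress, "96[1514]" for Length [Actual].
IFACE_RE = re.compile(r"^(?P<name>[^*()\s]+)(?P<star>\*?)\((?P<sub>[a-z]+)\)$")
LENGTH_RE = re.compile(r"^(?P<captured>\d+)\s*\[(?P<actual>\d+)\]$")
DETAIL_RE = re.compile(r"(Module-ID|Drop-code)\s*=\s*(\d+)")

def decode_interface(cell):
    """Split an Ingress/Egress cell into interface, asterisk mark and subsystem."""
    m = IFACE_RE.match(cell.strip())
    if not m:
        return None  # assumed "--" placeholder when no interface is shown
    return {"interface": m["name"], "marked": m["star"] == "*",
            "subsystem": SUBSYSTEMS.get(m["sub"], "unknown (" + m["sub"] + ")")}

def is_truncated(cell):
    """True when fewer bytes were captured in the buffer than were transmitted."""
    m = LENGTH_RE.match(cell.strip())
    if not m:
        raise ValueError("unrecognised Length [Actual] cell: %r" % cell)
    return int(m["captured"]) < int(m["actual"])

def drop_summary(rows):
    """Count dropped packets per (Module-ID, Drop-code) pair from the hover text."""
    counts = Counter()
    for row in rows:
        if row["status"].lower() == "dropped":
            d = dict(DETAIL_RE.findall(row.get("detail", "")))
            counts[(int(d.get("Module-ID", -1)), int(d.get("Drop-code", -1)))] += 1
    return counts

# Constructed sample rows (not real capture data); the IDs and codes are made up.
ROWS = [
    {"ingress": "X1*(i)", "egress": "--", "length": "96[1514]",
     "status": "Dropped", "detail": "Module-ID = 10, Drop-code = 100"},
    {"ingress": "X1*(i)", "egress": "--", "length": "60[60]",
     "status": "Dropped", "detail": "Module-ID = 10, Drop-code = 100"},
    {"ingress": "X0*(i)", "egress": "X1(hc)", "length": "96[1400]",
     "status": "Forwarded", "detail": ""},
]

if __name__ == "__main__":
    print([decode_interface(r["ingress"]) for r in ROWS], dict(drop_summary(ROWS)))
```

A truncated row means the Hex Dump for that packet shows only the captured bytes, so payload-based conclusions about it are incomplete.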

You can select a packet to use as a filter by double-clicking the packet. You can move through the Captured Packets table by using the following keys:

 

Captured Packets Table: Keys

Key            Action
Up arrow       Go to the previous packet.
Down arrow     Go to the next packet.
Right arrow    Load the next page.
Left arrow     Load the previous page.
Page Up        Go up 9 packets.
Page Down      Go down 9 packets.
Home           Go to the first packet in the current page.
End            Go to the last packet in the current page.
n              Go to the next page.
p              Go to the previous page.
f              Go to the first page.
l              Go to the last page.
r              Refresh the display.
c              Start capture.
s              Stop capture.

About the Packet Detail Section

When you click on a packet in the Captured Packets section, the packet header fields are displayed in the Packet Detail section. The display varies, depending on the type of packet that you select.

About the Hex Dump Section

When you click on a packet in the Captured Packets section, the packet data is displayed in hexadecimal and ASCII format in the Hex Dump section. The hex format is shown on the left side of the window, with the corresponding ASCII characters displayed to the right for each line. When the hex value is zero, the ASCII value is displayed as a dot.