Packet monitor is a mechanism that allows you to monitor individual data packets that traverse your SonicWALL firewall appliance. Packets can be either monitored or mirrored. The monitored packets contain both data and addressing information. Addressing information from the packet header includes the following:
You can configure the packet monitor feature in the SonicOS management interface. The management interface provides a way to configure the monitor criteria, display settings, mirror settings, and file export settings, and displays the captured packets.
The SonicOS packet monitor feature provides the functionality and flexibility that you need to examine network traffic without the use of external utilities, such as Wireshark (formerly known as Ethereal). Packet monitor includes the following features:
As an administrator, you can configure the general settings, monitor filter, display filter, advanced filter settings, and FTP settings of the packet monitor tool. As network packets enter the packet monitor subsystem, the monitor filter settings are applied and the resulting packets are written to the capture buffer. The display filter settings are applied as you view the buffer contents in the management interface. You can log the capture buffer to view in the management interface, or you can configure automatic transfer to the FTP server when the buffer is full.
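The difference between the capture-time monitor filter and the view-time display filter described above, as an added conceptual model in Python. This is not SonicOS code: the class, field names, buffer size and sample packets are assumptions, and the `export` callback only stands in for the FTP transfer.

```python
from dataclasses import dataclass, field
from typing import Callable, List

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str

Filter = Callable[[Packet], bool]

@dataclass
class PacketMonitorModel:
    """Conceptual model only; names and buffer size are assumptions."""
    monitor_filter: Filter
    buffer_size: int
    export: Callable[[List[Packet]], None]  # stands in for the FTP transfer
    buffer: List[Packet] = field(default_factory=list)

    def ingest(self, pkt: Packet) -> None:
        # Capture-time decision: non-matching packets are never stored.
        if not self.monitor_filter(pkt):
            return
        self.buffer.append(pkt)
        if len(self.buffer) >= self.buffer_size:
            # Buffer full: hand the contents to the export and start over.
            self.export(list(self.buffer))
            self.buffer.clear()

    def view(self, display_filter: Filter) -> List[Packet]:
        # View-time decision: narrows what is shown, leaves the buffer intact.
        return [p for p in self.buffer if display_filter(p)]

def demo():
    exported: List[List[Packet]] = []
    mon = PacketMonitorModel(lambda p: p.proto == "tcp", 3, exported.append)
    traffic = [  # constructed sample traffic
        Packet("10.0.0.5", "192.0.2.10", 443, "tcp"),
        Packet("10.0.0.5", "192.0.2.53", 53, "udp"),
        Packet("10.0.0.7", "192.0.2.10", 22, "tcp"),
        Packet("10.0.0.7", "192.0.2.10", 443, "tcp"),
        Packet("10.0.0.9", "192.0.2.10", 443, "tcp"),
        Packet("10.0.0.9", "192.0.2.53", 53, "udp"),
    ]
    for p in traffic:
        mon.ingest(p)
    # The UDP/53 packets never reached the buffer, so no display filter finds them.
    return exported, mon.buffer, mon.view(lambda p: p.dport == 443), mon.view(lambda p: p.dport == 53)
```

In this model a monitor filter that is too narrow loses traffic permanently, while a display filter can be changed and reapplied to the same buffer.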
These default settings are provided so that you can start using packet monitor without configuring it first:
To see a high-level view of the packet monitor subsystem showing the different filters and how they are applied, see Figure 2.
Figure 2. Packet monitor subsystem showing filters

Packet mirroring is the process of sending a copy of packets seen on one interface to another interface or to a remote SonicWALL appliance.
There are two aspects of mirroring:
• Classification – Refers to identifying a selected set of packets to be mirrored. Incoming and outgoing packets to and from an interface are matched against a filter. If matched, the mirror action is applied.
• Action – Refers to sending a copy of the selected packets to a port or a remote destination. Packets matching a classification filter are sent to one of the mirror destinations. A particular mirror destination is part of the action identifier.
Every classification filter is associated with an action identifier. Up to two action identifiers can be defined, supporting two mirror destinations (a physical port on the same firewall and/or a remote SonicWALL firewall). The action identifiers determine how a packet is mirrored. The following types of action identifiers are supported:
Classification is performed on the Monitor Filter and Advanced Monitor Filter tabs of the Packet Monitor Configuration dialog.
A local SonicWALL firewall can be configured to receive remotely mirrored traffic from a remote SonicWALL firewall. At the local firewall, received mirrored traffic can either be saved in the capture buffer or sent to another local interface. This is configured in the Remote Mirror Settings (Receiver) section on the Mirror tab of the Packet Monitor Configuration dialog.
SonicOS supports the following packet mirroring options: