Dashboard > Connections Monitor
The Dashboard > Connections Monitor page displays details on all active connections to the firewall.
As you scroll down, the Active Connections Monitor table appears.
You can filter the results to display only connections matching certain criteria. You can filter by Source IP, Destination IP, Destination Port, Src Interface, Dst Interface, and Protocol. Enter your filter criteria in the Connections Monitor Settings table.
The fields you enter values into are combined into a search string with a logical AND. For example, if you enter values for Source IP and Destination IP, the search string will look for connections matching:
Source IP AND Destination IP
Check the Group box next to any two or more criteria to combine them with a logical OR. For example, if you enter values for Source IP, Destination IP, and Protocol, and check Group next to Source IP and Destination IP, the search string will look for connections matching:
(Source IP OR Destination IP) AND Protocol
Click Apply Filter to apply the filter immediately to the Active Connections table. Click Reset to clear the filter and display the unfiltered results again.
You can export the list of active connections to a file. Click Export Results, and select whether you want the results exported to a plain text file or to a Comma Separated Value (CSV) file for importing into a spreadsheet, reporting tool, or database. If you are prompted to Open or Save the file, select Save. Then enter a filename and path and click OK.
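The same AND/Group (OR) filter logic can be reapplied offline to an exported CSV, for example to list every connection that involves one host in either direction. The following is an added example, not code from the appliance or its vendor; it assumes the CSV header uses the filter field names shown above, and the sample rows are constructed.

```python
import csv
import io
import ipaddress

# Constructed sample export. The column names are an assumption, not the
# appliance's documented CSV header; adjust them to match a real export.
SAMPLE_CSV = """Source IP,Destination IP,Destination Port,Src Interface,Dst Interface,Protocol
192.0.2.10,198.51.100.5,443,X0,X1,TCP
192.0.2.10,203.0.113.9,53,X0,X1,UDP
192.0.2.77,192.0.2.10,22,X1,X0,TCP
192.0.2.50,198.51.100.5,443,X0,X1,TCP
"""

def load_rows(text):
    """Parse exported CSV text into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))

def field_matches(field, value, wanted):
    """Compare one column: IP columns as addresses, others case-insensitively."""
    value = (value or "").strip()
    if field.endswith("IP"):
        try:
            return ipaddress.ip_address(value) == ipaddress.ip_address(wanted)
        except ValueError:  # empty or malformed cell never matches
            return False
    return value.lower() == str(wanted).strip().lower()

def filter_connections(rows, criteria, grouped=()):
    """criteria: {column: value}; grouped: columns with the Group box checked.

    Grouped criteria are ORed together; that group and every ungrouped
    criterion are then ANDed, e.g. (Source IP OR Destination IP) AND Protocol.
    """
    grouped = [f for f in grouped if f in criteria]
    ungrouped = [f for f in criteria if f not in grouped]
    hits = []
    for row in rows:
        and_ok = all(field_matches(f, row.get(f), criteria[f]) for f in ungrouped)
        or_ok = not grouped or any(field_matches(f, row.get(f), criteria[f]) for f in grouped)
        if and_ok and or_ok:
            hits.append(row)
    return hits

if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    crit = {"Source IP": "192.0.2.10", "Destination IP": "192.0.2.10", "Protocol": "TCP"}
    print(len(filter_connections(rows, crit)))  # all three criteria ANDed
    print(len(filter_connections(rows, crit, grouped=("Source IP", "Destination IP"))))
```

With no Group boxes checked, entering the same address as both Source IP and Destination IP matches nothing in the sample; grouping the two fields returns the connections to and from that host.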
Note: For increased convenience and accessibility, the Packet Monitor page can be accessed from either Dashboard > Packet Monitor or System > Packet Monitor. The page is identical regardless of which tab it is accessed through. For a detailed overview and configuration information on Packet Monitor, refer to System > Packet Monitor.
Using Packet Monitor and Packet Mirror
In addition to the Configure button, the top of the Dashboard > Packet Monitor page provides several buttons for general control of the packet monitor feature and display. These include the following:
• Monitor All – Resets current monitor filter settings and advanced page settings so that traffic on all local interfaces is monitored. A confirmation dialog box displays when you click this button.
• Monitor Default – Resets current monitor filter settings and advanced page settings to factory default settings. A confirmation dialog box displays when you click this button.
• Clear – Clears the packet monitor queue and the displayed statistics for the capture buffer, mirroring, and FTP logging. A confirmation dialog box displays when you click this button.
• Refresh – Refreshes the packet display windows on this page to show new buffer data.
The Dashboard > Packet Monitor page is shown below:
For an explanation of the status indicators near the top of the page, see Understanding Status Indicators.
The other buttons and displays on this page are described in the following sections:
• Starting and Stopping Packet Capture
• Starting and Stopping Packet Mirror
Starting and Stopping Packet Capture
You can start a packet capture that uses default settings without configuring specific criteria for packet capture, display, FTP export, and other settings. If you start a default packet capture, the Dell SonicWALL network security appliance will capture all packets except those for internal communication, and will stop when the buffer is full or when you click Stop Capture.
1. Navigate to the Dashboard > Packet Monitor page.
2. Optionally click Clear to set the statistics back to zero.
3. Under Packet Monitor, click Start Capture.
4. To refresh the packet display windows to show new buffer data, click Refresh.
5. To stop the packet capture, click Stop Capture.
You can view the captured packets in the Captured Packets, Packet Detail, and Hex Dump sections of the screen. See Viewing Captured Packets.
Starting and Stopping Packet Mirror
You can start packet mirroring that uses your configured mirror settings by clicking Start Mirror. It is not necessary to first configure specific criteria for display, logging, FTP export, and other settings. Packet mirroring stops when you click Stop Mirror.
1. Navigate to the Dashboard > Packet Monitor page.
2. Under Packet Monitor, click Start Mirror to start mirroring packets according to your configured settings.
3. To stop mirroring packets, click Stop Mirror.
The Dashboard > Packet Monitor page provides three windows to display different views of captured packets. The following sections describe the viewing windows:
• About the Captured Packets Window
• About the Packet Detail Window
About the Captured Packets Window
The Captured Packets window displays the following statistics about each packet:
• # - The packet number relative to the start of the capture
• Time - The date and time that the packet was captured
• Ingress - The interface on which the packet arrived is marked with an asterisk (*). The subsystem type abbreviation is shown in parentheses. Subsystem type abbreviations are defined in the following table.
• Egress - The interface on which the packet was captured when sent out
– The subsystem type abbreviation is shown in parentheses. See the table above for definitions of subsystem type abbreviations.
• Source IP - The source IP address of the packet
• Destination IP - The destination IP address of the packet
• Ether Type - The Ethernet type of the packet from its Ethernet header
• Packet Type - The type of the packet depending on the Ethernet type; for example:
– For IP packets, the packet type might be TCP, UDP, or another protocol that runs over IP
– For PPPoE packets, the packet type might be PPPoE Discovery or PPPoE Session
– For ARP packets, the packet type might be Request or Reply
• Ports [Src, Dst] - The source and destination TCP or UDP ports of the packet
• Status - The status field for the packet
The status field shows the state of the packet with respect to the firewall. A packet can be dropped, generated, consumed or forwarded by the Dell SonicWALL network security appliance. You can position the mouse pointer over dropped or consumed packets to show the following information.
• Length [Actual] - Length value is the number of bytes captured in the buffer for this packet. Actual value, in brackets, is the number of bytes transmitted in the packet.
About the Packet Detail Window
When you click a packet in the Captured Packets window, the packet header fields are displayed in the Packet Detail window. The display will vary depending on the type of packet that you select.
About the Hex Dump Window
When you click a packet in the Captured Packets window, the packet data is displayed in hexadecimal and ASCII format in the Hex Dump window. The hex format is shown on the left side of the window, with the corresponding ASCII characters displayed to the right for each line. When the hex value is zero, the ASCII value is displayed as a dot.
Note: For increased convenience and accessibility, the Log Monitor page can be accessed from either Dashboard > Log Monitor or Log > View. The two pages provide identical functionality. For information on using Log Monitor, see Log > Log Monitor.