This chapter contains the following sections:
This section provides an introduction to the SonicOS Enhanced packet monitor feature. This
section contains the following subsections:
Packet monitor is a mechanism that allows you to monitor individual data packets that traverse
your SonicWALL firewall appliance. Packets can be either monitored or mirrored. The monitored packets contain both data and addressing information. Addressing information from the packet header includes the following:
You can configure the packet monitor feature in the SonicOS Enhanced management interface.
The management interface provides a way to configure the monitor criteria, display settings, mirror settings, and file export settings, and displays the captured packets.
The SonicOS Enhanced packet monitor feature provides the functionality and flexibility that you
need to examine network traffic without the use of external utilities, such as Wireshark (formerly known as Ethereal). Packet monitor includes the following features:
As an administrator, you can configure the general settings, monitor filter, display filter,
advanced filter settings, and FTP settings of the packet monitor tool. As network packets enter the packet monitor subsystem, the monitor filter settings are applied and the resulting packets are written to the capture buffer. The display filter settings are applied as you view the buffer contents in the management interface. You can log the capture buffer to view in the management interface, or you can configure automatic transfer to the FTP server when the buffer is full.
Default settings are provided so that you can start using packet monitor without configuring it
first. The basic functionality is as follows:
Start: Click Start Capture to begin capturing all packets except those used for communication between the SonicWALL appliance and the management interface on your console system.
Stop: Click Stop Capture to stop the packet capture.
Clear: Click Clear to clear the status counters that are displayed at the top of the Packet Monitor page.
Refresh: Click Refresh to display new buffer data in the Captured Packets window. You can then click any packet in the window to display its header information and data in the Packet Detail and Hex Dump windows.
Export As: Display or save a snapshot of the current buffer in the file format that you select from the drop-down list. Saved files are placed on your local management system (where the management interface is running). Choose from the following formats:
• Libpcap - Select Libpcap format if you want to view the data with the Wireshark (formerly Ethereal) network protocol analyzer. This is also known as libcap or pcap format. A dialog box allows you to open the buffer file with Wireshark, or save it to your local hard drive with the extension .pcap.
• Html - Select Html to view the data with a browser. You can use File > Save As to save a copy of the buffer to your hard drive.
• Text - Select Text to view the data in a text editor. A dialog box allows you to open the buffer file with the registered text editor, or save it to your local hard drive with the extension .wri.
• App Data - Select App Data to view only application data contained in the packet. Packets containing no application data are skipped during the capture. Application data = captured packet minus L2, L3, and L4 headers.
Refer to the figure below to see a high level view of the packet monitor subsystem. This shows
the different filters and how they are applied.
Packet mirroring is the process of sending a copy of packets seen on one interface to another
interface or to a remote SonicWALL appliance.
There are two aspects of mirroring:
Classification – Refers to identifying a selected set of packets to be mirrored. Incoming and outgoing packets to and from an interface are matched against a filter. If matched, the mirror action is applied.
Action – Refers to sending a copy of the selected packets to a port or a remote destination. Packets matching a classification filter are sent to one of the mirror destinations. A particular mirror destination is part of the action identifier.
On all SonicWALL NSA Series appliances running SonicOS Enhanced 5.6 or higher, packet
mirroring is fully supported.
On SonicWALL TZ Series appliances running SonicOS Enhanced 5.6 or higher, packet
mirroring is partially supported, as follows:
Every classification filter is associated with an action identifier. Up to two action identifiers can
be defined, supporting two mirror destinations (a physical port on the same firewall and/or a remote SonicWALL firewall). The action identifiers determine how a packet is mirrored. The following types of action identifiers are supported:
Classification is performed on the Monitor Filter and Advanced Monitor Filter tabs of the Packet Monitor Configuration window.
A local SonicWALL firewall can be configured to receive remotely mirrored traffic from a remote SonicWALL firewall. At the local firewall, received mirrored traffic can either be saved in the capture buffer or sent to another local interface. This is configured in the Remote Mirror Settings (Receiver) section on the Mirror tab of the Packet Monitor Configuration window.
SonicOS Enhanced 5.6 and higher supports the following packet mirroring options:
You can access the packet monitor tool on the Dashboard > Packet Monitor page of the SonicOS management interface. There are six main areas of configuration for packet monitor, one of which is specifically for packet mirror. The following sections describe the configuration options, and provide procedures for accessing and configuring the filter settings, log settings, and mirror settings:
This section describes how to configure packet monitor general settings, including the number
of bytes to capture per packet and the buffer wrap option. You can specify the number of bytes using either decimal or hexadecimal, with a minimum value of 64. The buffer wrap option enables the packet capture to continue even when the buffer becomes full, by overwriting the buffer from the beginning.
To configure the general settings, perform the following steps:
Step 1: Navigate to the Dashboard > Packet Monitor page and click Configure.
Step 2: In the Packet Monitor Configuration window, click the Settings tab.
Step 3: Under General Settings in the Number of Bytes To Capture (per packet) box, type the number of bytes to capture from each packet. The minimum value is 64.
Step 4: To continue capturing packets after the buffer fills up, select the Wrap Capture Buffer Once Full checkbox. Selecting this option will cause packet capture to start writing captured packets at the beginning of the buffer again after the buffer fills. This option has no effect if FTP server logging is enabled on the Logging tab, because the buffer is automatically wrapped when FTP is enabled.
Step 5: Under Exclude Filter, select Exclude encrypted GMS traffic to prevent capturing or mirroring of encrypted management or syslog traffic to or from SonicWALL GMS. This setting only affects encrypted traffic within a configured primary or secondary GMS tunnel. GMS management traffic is not excluded if it is sent via a separate tunnel.
Step 6: Use the Exclude Management Traffic settings to prevent capturing or mirroring of management traffic to the appliance. Select the checkbox for each type of traffic (HTTP/HTTPS, SNMP, or SSH) to exclude. If management traffic is sent via a tunnel, the packets are not excluded.
Step 7: Use the Exclude Syslog Traffic to settings to prevent capturing or mirroring of syslog traffic to the logging servers. Select the checkbox for each type of server (Syslog Servers or GMS Server) to exclude. If syslog traffic is sent via a tunnel, the packets are not excluded.
Step 8: Use the Exclude Internal Traffic for settings to prevent capturing or mirroring of internal traffic between the SonicWALL appliance and its High Availability partner or a connected SonicPoint. Select the checkbox for each type of traffic (HA or SonicPoint) to exclude.
The Packet Monitor and Flow Reporting features allow traffic to be monitored based on firewall rules for specific inbound or outbound traffic flows. This feature set is enabled by choosing to monitor flows in the Firewall > Access Rules area of the SonicOS management interface.
To enable packet monitoring for a firewall rule, perform the following steps:
Step 1: Navigate to the Firewall > Access Rules page and click the Configure icon for the rule(s) on which you want to enable packet monitoring or flow reporting.
Step 2: Select the Enable packet monitor checkbox to send packet monitoring statistics for this rule.
Step 3: Click the OK button to save your changes.
All filters set on this page are applied to both packet capture and packet mirroring. To configure
Monitor Filter settings, complete the following steps:
Step 1: Navigate to the Dashboard > Packet Monitor page and click Configure.
Step 2: In the Packet Monitor Configuration window, click the Monitor Filter tab.
Step 3: Choose to Enable filter based on the firewall rule if you are using firewall rules to capture specific traffic.
• Interface Name(s) - You can specify up to ten interfaces separated by commas. Refer to the Network > Interfaces screen in the management interface for the available interface names. You can use a negative value to configure all interfaces except the one(s) specified; for example: !X0, or !LAN.
• Ether Type(s) - You can specify up to ten Ethernet types separated by commas. Currently, the following Ethernet types are supported: ARP, IP, PPPoE-SES, and PPPoE-DIS. The latter two can be specified by PPPoE alone. This option is not case-sensitive. For example, to capture all supported types, you could enter: ARP, IP, PPPOE. You can use one or more negative values to capture all Ethernet types except those specified; for example: !ARP, !PPPoE. You can also use hexadecimal values to represent the Ethernet types, or mix hex values with the standard representations; for example: ARP, 0x800, IP. Normally you would only use hex values for Ethernet types that are not supported by acronym in SonicOS Enhanced. See “Supported Packet Types”.
• IP Type(s) - You can specify up to ten IP types separated by commas. The following IP types are supported: TCP, UDP, ICMP, GRE, IGMP, AH, ESP. This option is not case-sensitive. You can use one or more negative values to capture all IP types except those specified; for example: !TCP, !UDP. You can also use hexadecimal values to represent the IP types, or mix hex values with the standard representations; for example: TCP, 0x1, 0x6. See “Supported Packet Types”.
• Source IP Address(es) - You can specify up to ten IP addresses separated by commas; for example: 10.1.1.1, 192.2.2.2. You can use one or more negative values to capture packets from all but the specified addresses; for example: !10.3.3.3, !10.4.4.4.
• Source Port(s) - You can specify up to ten TCP or UDP port numbers separated by commas; for example: 20, 21, 22, 25. You can use one or more negative values to capture packets from all but the specified ports; for example: !80, !8080.
• Destination IP Address(es) - You can specify up to ten IP addresses separated by commas; for example: 10.1.1.1, 192.2.2.2. You can use one or more negative values to capture packets destined for all but the specified addresses; for example: !10.3.3.3, !10.4.4.4.
• Destination Port(s) - You can specify up to ten TCP or UDP port numbers separated by commas; for example: 20, 21, 22, 25. You can use one or more negative values to capture packets destined for all but the specified ports; for example: !80, !8080.
• Bidirectional Address and Port Matching - When this option is selected, IP addresses and ports specified in the Source or Destination fields on this page will be matched against both the source and destination fields in each packet.
• Consumed packets only - Select this option to monitor all packets which are consumed by internal sources within the firewall.
• Dropped packets only - Select this option to monitor all packets which are dropped at the perimeter.
This section describes how to configure packet monitor display filter settings. The values that
you provide here are compared to corresponding fields in the captured packets, and only those packets that match are displayed. These settings apply only to the display of captured packets on the management interface, and do not affect packet mirroring.
To configure Packet Monitor display filter settings, complete the following steps:
Step 1: Navigate to the Dashboard > Packet Monitor page and click Configure.
Step 2: In the Packet Monitor Configuration window, click the Display Filter tab.
Step 3: In the Interface Name(s) box, type the SonicWALL appliance interfaces for which to display packets, or use the negative format (!X0) to display packets captured from all interfaces except those specified. You can specify up to ten interfaces separated by commas. Refer to the Network > Interfaces screen in the management interface for the available interface names.
Step 4: In the Ether Type(s) box, enter the Ethernet types for which you want to display packets, or use the negative format (!ARP) to display packets of all Ethernet types except those specified. You can specify up to ten Ethernet types separated by commas. Currently, the following Ethernet types are supported: ARP, IP, PPPoE-SES, and PPPoE-DIS. The latter two can be specified by PPPoE alone. You can also use hexadecimal values to represent the Ethernet types, or mix hex values with the standard representations; for example: ARP, 0x800, IP. Normally you would only use hex values for Ethernet types that are not supported by acronym in SonicOS Enhanced. See “Supported Packet Types”.
Step 5: In the IP Type(s) box, enter the IP packet types for which you want to display packets, or use the negative format (!UDP) to display packets of all IP types except those specified. You can specify up to ten IP types separated by commas. The following IP types are supported: TCP, UDP, ICMP, GRE, IGMP, AH, ESP. You can also use hexadecimal values to represent the IP types, or mix hex values with the standard representations; for example: TCP, 0x1, 0x6. See “Supported Packet Types”. To display all IP types, leave blank.
Step 6: In the Source IP Address(es) box, type the IP addresses from which you want to display packets, or use the negative format (!10.1.2.3) to display packets captured from all source addresses except those specified.
Step 7: In the Source Port(s) box, type the port numbers from which you want to display packets, or use the negative format (!25) to display packets captured from all source ports except those specified.
Step 8: In the Destination IP Address(es) box, type the IP addresses for which you want to display packets, or use the negative format (!10.1.2.3) to display packets with all destination addresses except those specified.
Step 9: In the Destination Port(s) box, type the port numbers for which you want to display packets, or use the negative format (!80) to display packets with all destination ports except those specified.
This section describes how to configure Packet Monitor logging settings. These settings
provide a way to configure automatic logging of the capture buffer to an external FTP server. When the buffer fills up, the packets are transferred to the FTP server. The capture continues without interruption.
If you configure automatic FTP logging, this supersedes the setting for wrapping the buffer
when full. With automatic FTP logging, the capture buffer is effectively wrapped when full, but you also retain all the data rather than overwriting it each time the buffer wraps.
To configure logging settings, perform the following steps:
Step 1: Navigate to the Dashboard > Packet Monitor page and click Configure.
Step 2: In the Packet Monitor Configuration window, click the Logging tab.
Step 3: In the FTP Server IP Address box, type the IP address of the FTP server.
Step 4: In the Login ID box, type the login name that the SonicWALL appliance should use to connect to the FTP server.
Step 5: In the Password box, type the password that the SonicWALL appliance should use to connect to the FTP server.
Step 6: In the Directory Path box, type the directory location for the transferred files. The files are written to this location relative to the default FTP root directory. For libcap format, files are named “packet-log--<>.cap”, where the <> contains a run number and date including hour, month, day, and year. For example, packet-log--3-22-08292006.cap. For HTML format, file names are in the form: “packet-log_h-<>.html”. An example of an HTML file name is: packet-log_h-3-22-08292006.html.
If automatic FTP logging is off, either because of a failed connection or simply disabled, you can restart it in Configure > Logging.
Step 1: Navigate to the Dashboard > Packet Monitor page and click Configure.
Step 2: In the Packet Monitor Configuration window, click the Logging tab.
This section describes how to configure monitoring for packets generated by the SonicWALL
appliance and for intermediate traffic.
Step 1: Navigate to the Dashboard > Packet Monitor page and click Configure.
Step 2: In the Packet Monitor Configuration window, click the Advanced Monitor Filter tab.
Step 3: To monitor packets generated by the SonicWALL appliance, select the Monitor Firewall Generated Packets checkbox. Even when other monitor filters do not match, this option ensures that packets generated by the SonicWALL appliance are captured. This includes packets generated by HTTP(S), L2TP, DHCP servers, PPP, PPPOE, and routing protocols. Captured packets are marked with ‘s’ in the incoming interface area when they are from the system stack. Otherwise, the incoming interface is not specified.
• Monitor intermediate SSL decrypted traffic – Capture or mirror decrypted SSL packets. Certain IP and TCP header fields may not be accurate in the monitored packets, including IP and TCP checksums and TCP port numbers (remapped to port 80). DPI-SSL must be enabled to decrypt the packets.
• Monitor intermediate decrypted LDAP over TLS packets – Capture or mirror decrypted LDAPS packets. The packets are marked with “(ldp)” in the ingress/egress interface fields and will have dummy Ethernet, IP, and TCP headers with some inaccurate fields. The LDAP server port is set to 389. Passwords in captured LDAP bind requests are obfuscated.
This section describes how to configure Packet Monitor mirror settings. Mirror settings provide
a way to send packets to a different physical port of the same firewall or to send packets to, or receive them from, a remote SonicWALL firewall.
To configure mirror settings, perform the following steps:
Step 1: Navigate to the Dashboard > Packet Monitor page and click Configure.
Step 2: In the Packet Monitor Configuration window, click the Mirror tab.
Step 3: Under Mirror Settings, type the desired maximum mirror rate into the Maximum mirror rate (in kilobits per second) field. If this rate is exceeded during mirroring, the excess packets will not be mirrored and will be counted as skipped packets. This rate applies to both local and remote mirroring. The default and minimum value is 100 kbps, and the maximum is 1 Gbps.
Step 4: Select the Mirror only IP packets checkbox to prevent mirroring of other Ether type packets, such as ARP or PPPoE. If selected, this option overrides any non-IP Ether types selected on the Monitor Filter tab.
Step 7: In the Encrypt remote mirrored packets via IPSec (preshared key-IKE) field, type the pre-shared key to be used to encrypt traffic when sending mirrored packets to the remote SonicWALL. Configuring this field enables an IPSec transport mode tunnel between this appliance and the remote SonicWALL. This pre-shared key is used by IKE to negotiate the IPSec keys.
Note: The Encrypt remote mirrored packets via IPSec (preshared key-IKE) option is inactive in SonicOS Enhanced 5.6, and will be supported in a future release.
Step 9: In the Decrypt remote mirrored packets via IPSec (preshared key-IKE) field, type the pre-shared key to be used to decrypt traffic when receiving mirrored packets from the remote SonicWALL. Configuring this field enables an IPSec transport mode tunnel between this appliance and the remote SonicWALL. This pre-shared key is used by IKE to negotiate the IPSec keys.
Note: The Decrypt remote mirrored packets via IPSec (preshared key-IKE) option is inactive in SonicOS Enhanced 5.6, and will be supported in a future release.
In addition to the Configure button, the top of the Dashboard > Packet Monitor page provides several buttons for general control of the packet monitor feature and display. These include the following:
• Monitor All – Resets current monitor filter settings and advanced page settings so that traffic on all local interfaces is monitored. A confirmation dialog box displays when you click this button.
• Monitor Default – Resets current monitor filter settings and advanced page settings to factory default settings. A confirmation dialog box displays when you click this button.
• Clear – Clears the packet monitor queue and the displayed statistics for the capture buffer, mirroring, and FTP logging. A confirmation dialog box displays when you click this button.
• Refresh – Refreshes the packet display windows on this page to show new buffer data.
The Dashboard > Packet Monitor page is shown below:
For an explanation of the status indicators near the top of the page, see “Understanding Status Indicators”.
The other buttons and displays on this page are described in the following sections:
You can start a packet capture that uses default settings without configuring specific criteria for packet capture, display, FTP export, and other settings. If you start a default packet capture, the SonicWALL appliance will capture all packets except those for internal communication, and will stop when the buffer is full or when you click Stop Capture.
Step 3: Under Packet Monitor, click Start Capture.
You can view the captured packets in the Captured Packets, Packet Detail, and Hex Dump sections of the screen. See “Viewing Captured Packets”.
You can start packet mirroring that uses your configured mirror settings by clicking Start Mirror. It is not necessary to first configure specific criteria for display, logging, FTP export, and other settings. Packet mirroring stops when you click Stop Mirror.
Step 2: Under Packet Monitor, click Start Mirror to start mirroring packets according to your configured settings.
The Dashboard > Packet Monitor page provides three windows to display different views of captured packets. The following sections describe the viewing windows:
The Captured Packets window displays the following statistics about each packet:
The status field shows the state of the packet with respect to the firewall. A packet can be
dropped, generated, consumed or forwarded by the SonicWALL appliance. You can position the mouse pointer over dropped or consumed packets to show the following information.
You can configure the number of bytes to capture. See “Configuring General Settings”.
When you click on a packet in the Captured Packets window, the packet header fields are
displayed in the Packet Detail window. The display will vary depending on the type of packet that you select.
When you click on a packet in the Captured Packets window, the packet data is displayed in
hexadecimal and ASCII format in the Hex Dump window. The hex format is shown on the left side of the window, with the corresponding ASCII characters displayed to the right for each line. When the hex value is zero, the ASCII value is displayed as a dot.
This section describes how to tell if your packet monitor, mirroring, or FTP logging is working
correctly according to the configuration. It contains the following sections:
The main Packet Monitor page displays status indicators for packet capture, mirroring, and FTP
logging. Information popup tooltips are available for quick display of the configuration settings.
See the following sections:
The packet capture status indicator is labelled as Trace, and shows one of the following three conditions:
• Red – Capture is stopped
• Green – Capture is running and the buffer is not full
• Yellow – Capture is running, but the buffer is full
The management interface also displays the buffer size, the number of packets captured, the
percentage of buffer space used, and how much of the buffer has been lost. Lost packets occur when automatic FTP logging is turned on, but the file transfer is slow for some reason. If the transfer is not finished by the time the buffer is full again, the data in the newly filled buffer is lost.
There are three status indicators for packet mirroring:
Local mirroring – Packets sent to another physical interface on the same SonicWALL
For local mirroring, the status indicator shows one of the following three conditions:
• Green – Mirroring is on
• Yellow – Mirroring is on but disabled because the local mirroring interface is not specified
The local mirroring row also displays the following statistics:
• Pkts skipped – The total number of packets that skipped mirroring due to packets that are incoming/outgoing on the interface on which monitoring is configured
• Pkts exceeded rate – The total number of packets that skipped mirroring due to rate limiting
For Remote mirroring Tx, the status indicator shows one of the following three conditions:
• Green – Mirroring is on and a remote SonicWALL IP address is configured
• Yellow – Mirroring is on but disabled because the remote device rejects mirrored packets and sends port unreachable ICMP messages
The Remote mirroring Tx row also displays the following statistics:
• Packets mirrored – The total number of packets mirrored to a remote SonicWALL appliance
• Pkts skipped – The total number of packets that skipped mirroring due to packets that are incoming/outgoing on the interface on which monitoring is configured
• Pkts exceeded rate – The total number of packets that failed to mirror to a remote SonicWALL, either due to an unreachable port or other network issues
Remote mirroring Rx – Packets received from a remote SonicWALL
For Remote mirroring Rx, the status indicator shows one of the following two conditions:
• Green – Mirroring is on and a remote SonicWALL IP address is configured
The Remote mirroring Rx row also displays the following statistics:
• Mirror packets rcvd but skipped – The total number of packets received from a remote SonicWALL appliance that failed to get mirrored locally due to errors in the packets
The FTP logging status indicator shows one of the following three conditions:
• Red – Automatic FTP logging is off
• Green – Automatic FTP logging is on
• Yellow – The last attempt to contact the FTP server failed, and logging is now off
To restart automatic FTP logging, see “Restarting FTP Logging”.
Next to the FTP logging indicator, the management interface also displays the number of
successful and failed attempts to transfer the buffer contents to the FTP server, the current state of the FTP process thread, and the status of the capture buffer.
Under the FTP logging indicator, on the Current Buffer Statistics line, the management interface
displays the number of packets dropped, forwarded, consumed, generated, or unknown.
On the Current Configurations line, you can hover your mouse pointer over Filters, General, or
Logging to view the currently configured value for each setting in that category. The Filters display includes the capture filter and display filter settings. The display for General includes both the general and advanced settings. The Logging display shows the FTP logging settings.
The Current Buffer Statistics row summarizes the current contents of the local capture buffer.
It shows the number of dropped, forwarded, consumed, generated, and unknown packets.
The Current Configurations row provides dynamic information displays for the configured filter,
general, logging, and mirror settings. When you hover your mouse pointer over one of the information icons or its label, a popup tooltip displays the current settings for that selection.
You can clear the packet monitor queue and the displayed statistics for the capture buffer,
mirroring, and FTP logging.
Step 3: Click OK in the confirmation dialog box.
This section contains the following:
When specifying the Ethernet or IP packet types that you want to monitor or display, you can
use either the standard acronym for the type, if supported, or the corresponding hexadecimal representation. To determine the hex value for a protocol, refer to the RFC for the number assigned to it by IANA. The protocol acronyms that SonicOS Enhanced currently supports are as follows:
The Export As option on the Dashboard > Packet Monitor page allows you to display or save a snapshot of the current buffer in the file format that you select from the drop-down list. Saved files are placed on your local management system (where the management interface is running). Choose from the following formats:
• Libpcap - Select Libpcap format if you want to view the data with the Wireshark network protocol analyzer. This is also known as libcap or pcap format. A dialog box allows you to open the buffer file with Wireshark, or save it to your local hard drive with the extension .pcap.
• Html - Select Html to view the data with a browser. You can use File > Save As to save a copy of the buffer to your hard drive.
• Text - Select Text to view the data in a text editor. A dialog box allows you to open the buffer file with the registered text editor, or save it to your local hard drive with the extension .wri.
• App Data - Select App Data to view only application data contained in the packet. Packets containing no application data are skipped during the capture. Application data = captured packet minus L2, L3, and L4 headers.
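The following Python sketch is an added example, not SonicWALL code. It reads a Libpcap export, flags packets cut short by the Number of Bytes To Capture setting, and applies the App Data rule above (captured packet minus L2, L3, and L4 headers, with packets that carry no application data skipped). It assumes a classic pcap file with Ethernet framing and IPv4 with TCP or UDP; trimming Ethernet padding by the IP total length is this example's choice, and the sample capture is constructed inline.

```python
import struct


def read_pcap(blob):
    """Yield (captured_bytes, original_length) per record of a classic pcap file."""
    if blob[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif blob[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file")
    if len(blob) < 24 or struct.unpack(endian + "I", blob[20:24])[0] != 1:
        raise ValueError("expected an Ethernet (link type 1) capture")
    off = 24
    while off + 16 <= len(blob):
        _sec, _usec, incl_len, orig_len = struct.unpack(endian + "IIII", blob[off:off + 16])
        yield blob[off + 16:off + 16 + incl_len], orig_len
        off += 16 + incl_len


def app_data(frame):
    """Bytes left after the L2, L3 and L4 headers; b"" if none or unsupported."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # Ethernet + IPv4 only
        return b""
    ihl = (frame[14] & 0x0F) * 4                  # IPv4 header length in bytes
    ip_end = 14 + struct.unpack("!H", frame[16:18])[0]   # drops Ethernet padding
    l4 = 14 + ihl
    proto = frame[23]
    if proto == 6 and len(frame) >= l4 + 13:      # TCP: data offset is variable
        l4_len = (frame[l4 + 12] >> 4) * 4
    elif proto == 17:                             # UDP: fixed 8-byte header
        l4_len = 8
    else:
        return b""
    if ihl < 20 or (proto == 6 and l4_len < 20):
        return b""                                # malformed header lengths
    return frame[l4 + l4_len:ip_end]              # slice also stops at capture end


def summarize(blob):
    """One row per packet: truncated by the capture length? which app data?"""
    return [{"packet": n, "truncated": orig_len > len(data), "app_data": app_data(data)}
            for n, (data, orig_len) in enumerate(read_pcap(blob), 1)]


def export_app_data(blob):
    """Model of the App Data view: packets without application data are skipped."""
    return [(row["packet"], row["app_data"]) for row in summarize(blob) if row["app_data"]]


# --- Constructed sample capture (not real traffic), capture length 64 bytes ---
def make_frame(proto, l4_header, payload, pad_to=60):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4_header) + len(payload),
                     0, 0, 64, proto, 0, bytes([192, 2, 2, 2]), bytes([10, 1, 1, 1]))
    return (bytes(12) + b"\x08\x00" + ip + l4_header + payload).ljust(pad_to, b"\x00")


def make_record(frame, snaplen=64):
    data = frame[:snaplen]
    return struct.pack("<IIII", 0, 0, len(data), len(frame)) + data


TCP_HDR = struct.pack("!HHIIBBHHH", 51515, 80, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
SAMPLE_PCAP = (
    struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 64, 1)
    + make_record(make_frame(6, TCP_HDR, b"GET / HTTP/1.1\r\n"))   # 70 bytes on the wire
    + make_record(make_frame(6, TCP_HDR, b""))                     # bare segment, padded
    + make_record(make_frame(17, struct.pack("!HHHH", 53, 53, 13, 0), b"hello"))
    + make_record(bytes(12) + b"\x08\x06" + bytes(46))             # ARP, no L3/L4
)

if __name__ == "__main__":
    for row in summarize(SAMPLE_PCAP):
        print(row)
```

In the sample, the first packet is 70 bytes on the wire but only 64 were captured, so its application data is cut off after ten bytes; raising the capture length on the Settings tab avoids this.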
Examples of the Html and Text formats are shown in the following sections:
You can view the HTML format in a browser. The following is an example showing the header
and part of the data for the first packet in the buffer.
You can view the text format output in a text editor. The following is an example showing the
header and part of the data for the first packet in the buffer.