System_systemPacketCaptureView

Dashboard > Packet Monitor

 
Note
For increased convenience and accessibility, the Packet Monitor page can be accessed either from Dashboard > Packet Monitor or System > Packet Monitor. The page is identical regardless of which tab it is accessed through. For detailed overview and configuration information on Packet Monitor, refer to the “System > Packet Monitor” .

Using Packet Monitor and Packet Mirror

In addition to the Configure button, the top of the Dashboard > Packet Monitor page provides several buttons for general control of the packet monitor feature and display. These include the following:

 
Monitor All – Resets current monitor filter settings and advanced page settings so that traffic on all local interfaces is monitored. A confirmation dialog box displays when you click this button.
 
Monitor Default – Resets current monitor filter settings and advanced page settings to factory default settings. A confirmation dialog box displays when you click this button.
 
Clear – Clears the packet monitor queue and the displayed statistics for the capture buffer, mirroring, and FTP logging. A confirmation dialog box displays when you click this button.
 
Refresh – Refreshes the packet display windows on this page to show new buffer data.

The Dashboard > Packet Monitor page is shown below:

For an explanation of the status indicators near the top of the page, see “Understanding Status Indicators” .

The other buttons and displays on this page are described in the following sections:

 
“Starting and Stopping Packet Capture”
 
“Starting and Stopping Packet Mirror”
 
“Viewing Captured Packets”

Starting and Stopping Packet Capture

You can start a packet capture that uses default settings without configuring specific criteria for packet capture, display, FTP export, and other settings. If you start a default packet capture, the SonicWALL appliance will capture all packets except those for internal communication, and will stop when the buffer is full or when you click Stop Capture .

Step 1
Navigate to the Dashboard > Packet Monitor page.
Step 2
Optionally click Clear to set the statistics back to zero.
Step 3
Under Packet Monitor , click Start Capture .
Step 4
To refresh the packet display windows to show new buffer data, click Refresh .
Step 5
To stop the packet capture, click Stop Capture .

You can view the captured packets in the Captured Packets, Packet Detail, and Hex Dump sections of the screen. See “Viewing Captured Packets” .

Starting and Stopping Packet Mirror

You can start packet mirroring that uses your configured mirror settings by clicking Start Mirror . It is not necessary to first configure specific criteria for display, logging, FTP export, and other settings. Packet mirroring stops when you click Stop Mirror .

Step 1
Navigate to the Dashboard > Packet Monitor page.
Step 2
Under Packet Monitor , click Start Mirror to start mirroring packets according to your configured settings.
Step 3
To stop mirroring packets, click Stop Mirror .

Viewing Captured Packets

The Dashboard > Packet Monitor page provides three windows to display different views of captured packets. The following sections describe the viewing windows:

 
“About the Captured Packets Window”
 
“About the Packet Detail Window”
 
“About the Hex Dump Window”

About the Captured Packets Window

The Captured Packets window displays the following statistics about each packet:

 
# - The packet number relative to the start of the capture
 
Time - The date and time that the packet was captured
 
Ingress - The SonicWALL appliance interface on which the packet arrived is marked with an asterisk (*). The subsystem type abbreviation is shown in parentheses. Subsystem type abbreviations are defined in the following table.

 

i

Interface

hc

Hardware based encryption or decryption

sc

Software based encryption or decryption

m

Multicast

r

Packet reassembly

s

System stack

ip

IP helper

f

Fragmentation

 

 
Egress - The SonicWALL appliance interface on which the packet was captured when sent out
 
The subsystem type abbreviation is shown in parentheses. See the table above for definitions of subsystem type abbreviations
 
Source IP - The source IP address of the packet
 
Destination IP - The destination IP address of the packet
 
Ether Type - The Ethernet type of the packet from its Ethernet header
 
Packet Type - The type of the packet depending on the Ethernet type; for example:
 
For IP packets, the packet type might be TCP, UDP, or another protocol that runs over IP
 
For PPPoE packets, the packet type might be PPPoE Discovery or PPPoE Session
 
For ARP packets, the packet type might be Request or Reply
 
Ports [Src, Dst] - The source and destination TCP or UDP ports of the packet
 
Status - The status field for the packet

The status field shows the state of the packet with respect to the firewall. A packet can be dropped, generated, consumed or forwarded by the SonicWALL appliance. You can position the mouse pointer over dropped or consumed packets to show the following information.

 

Dropped

Module-ID = <integer>

Value for the protocol subsystem ID

Drop-code = <integer>

Reason for dropping the packet

Reference-ID: <code>

SonicWALL-specific data

Consumed

Module-ID = <integer>

Value for the protocol subsystem ID

 
Length [Actual] - Length value is the number of bytes captured in the buffer for this packet. Actual value, in brackets, is the number of bytes transmitted in the packet.

About the Packet Detail Window

When you click on a packet in the Captured Packets window, the packet header fields are displayed in the Packet Detail window. The display will vary depending on the type of packet that you select.

 

About the Hex Dump Window

When you click on a packet in the Captured Packets window, the packet data is displayed in hexadecimal and ASCII format in the Hex Dump window. The hex format is shown on the left side of the window, with the corresponding ASCII characters displayed to the right for each line. When the hex value is zero, the ASCII value is displayed as a dot.