User manual SONICWALL SONICOS 5.8 PACKET MONITOR FEATURE MODULE REV A

[. . . ] Chapter 1: SonicWALL Packet Monitor in SonicOS Document Contents This document contains the following sections: · · · · · "Packet Monitor Overview" on page 2 "Configuring Packet Monitor" on page 6 "Using Packet Monitor and Packet Mirror" on page 17 "Verifying Packet Monitor Activity" on page 22 "Related Information" on page 26 SonicWALL Packet Monitor Feature Module 1 Packet Monitor Overview Packet Monitor Overview This section provides an introduction to the SonicOS Enhanced packet monitor feature. This section contains the following subsections: · · · · · "What is Packet Monitor?" on page 2 "Benefits of Packet Monitor" on page 2 "How Does Packet Monitor Work?" on page 3 "What is Packet Mirror?" on page 4 "How Does Packet Mirror Work?" on page 5 What is Packet Monitor? Packet monitor is a mechanism that allows you to monitor individual data packets that traverse your SonicWALL firewall appliance. Packets can be either monitored or mirrored. The monitored packets contain both data and addressing information. [. . . ] In the Destination IP Address(es) box, type the IP addresses for which you want to display packets, or use the negative format (!10. 1. 2. 3) to display packets with all destination addresses except those specified. In the Destination Port(s) box, type the port numbers for which you want to display packets, or use the negative format (!80) to display packets with all destination ports except those specified. information in each captured packet, select the Enable Bidirectional Address and Port Matching checkbox. Step 8 Step 9 Step 10 To match the values in the source and destination fields against either the source or destination Step 11 To display captured packets that the SonicWALL appliance forwarded, select the Forwarded checkbox. Step 12 To display captured packets that the SonicWALL appliance generated, select the Generated checkbox. Step 13 To display captured packets that the SonicWALL appliance consumed, select the Consumed checkbox. Step 14 To display captured packets that the SonicWALL appliance dropped, select the Dropped checkbox. Step 15 To save your settings and exit the configuration window, click OK. Configuring Logging Settings This section describes how to configure Packet Monitor logging settings. These settings provide a way to configure automatic logging of the capture buffer to an external FTP server. When the buffer fills up, the packets are transferred to the FTP server. The capture continues without interruption. If you configure automatic FTP logging, this supersedes the setting for wrapping the buffer when full. With automatic FTP logging, the capture buffer is effectively wrapped when full, but you also retain all the data rather than overwriting it each time the buffer wraps. To configure logging settings, perform the following steps: Step 1 Navigate to the System > Packet Monitor page and click Configure. SonicWALL Packet Monitor Feature Module 11 Configuring Packet Monitor Step 2 In the Packet Monitor Configuration window, click the Logging tab. Step 3 In the FTP Server IP Address box, type the IP address of the FTP server. Note Make sure that the FTP server IP address is reachable by the SonicWALL appliance. An IP address that is reachable only via a VPN tunnel is not supported. In the Login ID box, type the login name that the SonicWALL appliance should use to connect to the FTP server. In the Password box, type the password that the SonicWALL appliance should use to connect to the FTP server. In the Directory Path box, type the directory location for the transferred files. The files are written to this location relative to the default FTP root directory. For libcap format, files are named "packet-log--<>. cap", where the <> contains a run number and date including hour, month, day, and year. For example, packet-log--3-22-08292006. cap. For HTML format, file names are in the form: "packet-log_h-<>. html". An example of an HTML file name is: packetlog_h-3-22-08292006. html. To enable automatic transfer of the capture file to the FTP server when the buffer is full, select the Log To FTP Server Automatically checkbox. Files are transferred in both libcap and HTML format. To enable transfer of the file in HTML format as well as libcap format, select the Log HTML File Along With . cap File (FTP). To test the connection to the FTP server and transfer the capture buffer contents to it, click Log Now. [. . . ] If the transfer is not finished by the time the buffer is full again, the data in the newly filled buffer is lost. Note Although the buffer wrap option clears the buffer upon wrapping to the beginning, this is not considered lost data. 22 SonicWALL Packet Monitor Feature Module Verifying Packet Monitor Activity Mirroring Status There are three status indicators for packet mirroring: Local mirroring ­ Packets sent to another physical interface on the same SonicWALL For local mirroring, the status indicator shows one of the following three conditions: · · · Red ­ Mirroring is off Green ­ Mirroring is on Yellow ­ Mirroring is on but disabled because the local mirroring interface is not specified Mirroring to interface ­ The specified local mirroring interface Packets mirrored ­ The total number of packets mirrored locally Pkts skipped ­ The total number of packets that skipped mirroring due to packets that are incoming/outgoing on the interface on which monitoring is configured Pkts exceeded rate ­ The total number of packets that skipped mirroring due to rate limiting The local mirroring row also displays the following statistics: · · · · Remote mirroring Tx ­ Packets sent to a remote SonicWALL For Remote mirroring Tx, the status indicator shows one of the following three conditions: · · · Red ­ Mirroring is off Green ­ Mirroring is on and a remote SonicWALL IP address is configured Yellow ­ Mirroring is on but disabled because the remote device rejects mirrored packets and sends port unreachable ICMP messages Mirroring to ­ The specified remote SonicWALL IP address Packets mirrored ­ The total number of packets mirrored to a remote SonicWALL appliance Pkts skipped ­ The total number of packets that skipped mirroring due to packets that are incoming/outgoing on the interface on which monitoring is configured Pkts exceeded rate ­ The total number of packets that failed to mirror to a remote SonicWALL, either due to an unreachable port or other network issues The Remote mirroring Tx row also displays the following statistics: · · · · Remote mirroring Rx ­ Packets received from a remote SonicWALL For Remote mirroring Rx, the status indicator shows one of the following two conditions: · · Red ­ Mirroring is off Green ­ Mirroring is on and a remote SonicWALL IP address is configured Receiving from ­ The specified remote SonicWALL IP address Mirror packets rcvd ­ The total number of packets received from a remote SonicWALL appliance Mirror packets rcvd but skipped ­ The total number of packets received from a remote SonicWALL appliance that failed to get mirrored locally due to errors in the packets The Remote mirroring Rx row also displays the following statistics: · · · SonicWALL Packet Monitor Feature Module 23 Verifying Packet Monitor Activity FTP Logging Status The FTP logging status indicator shows one of the following three conditions: · · · Red ­ Automatic FTP logging is off Green ­ Automatic FTP logging is on Yellow ­ The last attempt to contact the FTP server failed, and logging is now off To restart automatic FTP logging, see "Restarting FTP Logging" on page 13. Next to the FTP logging indicator, the management interface also displays the number of successful and failed attempts to transfer the buffer contents to the FTP server, the current state of the FTP process thread, and the status of the capture buffer. Under the FTP logging indicator, on the Current Buffer Statistics line, the management interface displays the number of packets dropped, forwarded, consumed, generated, or unknown. On the Current Configurations line, you can hover your mouse pointer over Filters, General, or Logging to view the currently configured value for each setting in that category. The Filters display includes the capture filter and display filter settings. [. . . ]