Capturing Network Traffic from AMC
03/26/2020 3 8558
SonicWall SMA 1000 Series versions 9.0.0 and later introduced a new troubleshooting utility within the Aventail Management Console called the network traffic utility. Accessible in AMC from Troubleshooting > Network Traffic, this tcpdump-based utility enables an administrator to capture network traffic data and then analyze that data in a packet analyzer, such as WireShark.
Customers who run appliance release 8.9.0 and earlier can continue to use tcpdump to capture network traffic
The online help for AMC and appendix B of the v11.4 Installation and Administration Guide contain and instructions for using this utility. The guide can be accessed here.
This network traffic utility, which is based on tcpdump, allows you to capture a packet-by-packet list of the data going in and out of the appliance. If you are new to troubleshooting, you can use this utility to generate a file of network traffic data that can be sent to Technical Support for troubleshooting network issues. If you are familiar with troubleshooting and reading trace files, you can analyze the traffic using a network protocol analyzer, such as Wireshark.
Capturing all network traffic on your appliance can quickly result in files that are too unwieldy to analyze. Where possible, use filters to restrict the traffic to issues you are troubleshooting.
The following sample procedure demonstrates how to filter by host and port (in this example, an Exchange server and Web traffic).
To filter and capture network traffic to a file on the appliance:
- From the main navigation menu, click Troubleshooting.
- Click the Network Traffic tab.
- To restrict the capture to traffic coming from or going to your Exchange server, enter the server’s full qualified domain name or IPv4 or IPv6 address in the These hosts text box. For example, exchange.mycompany.com.
- To make sure that you are capturing only the HTTP traffic, select Web (HTTP or HTTP/S) from the Common ports list; only traffic to and from the HTTP and HTTPS ports (80, 443, 8080, and 8443) will be captured.
- Click Start to begin capturing traffic. The size limit for a single capture is 500 MB of raw data; when the size of a capture file reaches 100 MB, it “rolls over” into a separate file (large files are difficult to process with packet analysis tools such as Wireshark). If the total size of a single capture reaches 500 MB (five files of 100 MB each), the capture automatically stops. During a capture, the Size column indicates how close you are to the limit.
- Click Stop to stop capturing traffic. The capture file is a .zip file that is stored on the appliance and listed here. (The figure in the Size column indicates how much room the file is using on the appliance; this is the size of the compressed .zip file, not the raw data.) The maximum number of files you can store is ten; as more capture files are added, the oldest ones are dropped from the list.
- To download captured data, click the button corresponding to the file you want to analyze or send to Technical Support, and then click Download. Each capture file is a .zip file containing the captured network traffic (for example, eth0.cap) and a readme text file outlining what filters were used, if any, and when the data was captured.
Comment: Internal interface, hosts: exchange.mycompany.com, selected ports
Internal interface (eth0): enabled
External interface (eth1): disabled
Ports: 80,443, 8080, 8443
Start time: Wed Aug 15 2007 17:56:52 GMT
Stop time: Wed Aug 15 2007 17:58:31 GMT
NOTE: Captured network traffic is not encrypted and may contain passwords and other sensitive information. If you have security concerns about storing a downloaded capture or sending it over an unsecured Internet connection, use Snapshot Tool in AMC instead. You can make a partial snapshot that includes only network captures, and then choose to encrypt the results. See Snapshot Tool for more information.
You can capture network traffic on either of the appliances in a high-availability pair (the master node or the slave node).
WireShark is available at http://www.wireshark.org.