How To Perform a Packet Capture Based on OSI Layer 7 Application

03/26/2020 6 13106

DESCRIPTION:

This article explains how can packet capture be performed for specific protocol. General packet capture utility is very useful for troubleshooting purpose.
But there are some limitations where packet can be captured based on either port no. or IP address only but not application layer protocols.

Using Application firewall packet capture can be performed based on layer 7 protocols.
A application firewall rule can be created to be matched and perform packet capture. This article explains capture for SIP traffic. However same can be replicated using any other protocol using app control advance signatures or customer objects.

RESOLUTION:

Step 1: Navigate  to the Packet Monitor page via System | Packet Monitor and select "Configure". Navigate to "Monitor Filter" and select "Enable firewall based on the firewall/app rule"

NOTE: Remember to uncheck the option in case doing capture with IP/port generic way as until the "Enable firewall based on the firewall/app rule" option is checked ,Packet monitor will not capture anything that is defined in monitor filter.

 

Step 2: Create an match object for SIP protocol.
Navigate to Firewall | Match object. Click on add and select match object type as "Application list".
Select VOIP-Apps and VOIP-SIP as application.

As mentioned above this article takes voip-sip as an example and any of  pre-defined signatures and applications can be selected.

Step 3: Create an application firewall rule.
Navigate to Firewall | App rule
Click on add a new rule. Select the type as App control content and select match object "SIP".
Action object should be selected as Packet monitor.
 

How to Test:-
Start the packet capture and initiate SIP traffic. Relavent capture would start flowing.