Running a packet capture for TCP and/or UDP traffic
08/29/2023
Description
One of the best ways to troubleshoot many common issues involving communication over TCP or UDP is to run a packet capture.
A packet capture can help determine what is happening to TCP or UDP traffic from a specific source device that is intended to pass through a SonicWall firewall: whether the SonicWall is forwarding that traffic to the intended destination, whether it is receiving any response traffic, and how it is handling that response.
In addition, a corresponding .csv copy of the logs can often point to the exact reason any packets were dropped, or to why traffic is being misdirected. Save the logs immediately after running a packet capture: SonicWall logs are dynamic and become irretrievable after a short time.
The following steps run a packet capture that monitors all TCP/UDP traffic from a specific IP address to a specific port or ports, and then obtain a corresponding copy of the logs:
Resolution
First, configure and run the packet capture for all traffic from the initiating machine (the one making the request) to the intended destination ports:
1. Navigate to INVESTIGATE | Packet Monitor.
2. Click "Monitor Default" to clear out any previous capture parameters.
3. Click "Configure".
4. Navigate to the "Monitor Filter" tab.
5. Enter the following parameters, where X.X.X.X is the source IP address of the initiating machine and yyy,zzz are the destination port numbers (such as 80,443 when monitoring HTTP and HTTPS).
NOTE: Any field with multiple values must be separated by a comma, WITHOUT a space.
- Interface Name:
- Ether type: IP
- IP type: TCP
- Source IP: X.X.X.X
- Source Port:
- Destination IP:
- Destination Port: yyy,zzz
Example for UDP - Establishing a VPN:
- Ether type: IP
- IP type: UDP
- Source IP:
- Source Port:
- Destination IP:
- Destination Port: 4500,500
6. Navigate to the "Advanced Monitor Filter" tab and check all boxes.
7. Click "OK" to save the parameters. This will return you to the main Packet Monitor screen.
8. Click "Start Capture". The top icon should turn from red to green. You may need to click "Clear" to remove packets from old captures.
9. Reproduce the issue. (Note: The page is not dynamic, so the results will not change unless the page is refreshed).
10. Click "Stop Capture".
At this point it is important to obtain the logs before they are lost: a stopped packet capture remains in the buffer until it is cleared, but the logs do not.
In order to obtain the corresponding logs for 5.8 or 6.1 firmware:
- Navigate to Log | View
- Click "Export Logs"
- Select "CSV (Comma Separated Value)" and Save the file.
In order to obtain the corresponding logs for 5.9 or 6.2 firmware:
- Navigate to Log | Log Monitor
- Click the "CSV" button at the top of the page
- Save the file.
In order to obtain the corresponding logs for 6.5 firmware and higher:
- Navigate to INVESTIGATE | Event Logs
- Click the "CSV" button at the top of the page
- Save the file.
Once the logs have been obtained, navigate back to INVESTIGATE | Packet Monitor and save both the Libpcap and HTML versions of the capture. Only the Libpcap version provides data for deep analysis (using Wireshark, an industry-standard utility), and only the HTML file provides data specific to the SonicWall (such as interface information, drop codes, module IDs, etc.):
- Use the "Export As" drop-down menu to select "LIBPCAP" and save the .cap file provided.
- Use the "Export As" drop-down menu to select "HTML" and save the .HTML file provided. (Note: Some browsers will attempt to open this file. If this happens, use ALT+F or "File" and select "Save As" to save the .HTML file.)
When finished, you will have three files that can help determine the problem. You can analyze these or provide them to tech support:
- A .csv copy of the logs,
- A .cap version of the packet capture, and
- A .HTML version of the packet capture.
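As an added example, not part of this article and not a SonicWall tool, the following Python script reads a libpcap file such as the .cap export saved above and reports, for each destination host and port, how many packets left the source device and how many replies came back. That is the forwarding/response question from the Description section, answered without opening Wireshark. It uses only the standard library and assumes an Ethernet/IPv4 capture (TCP and UDP only); the capture embedded in it is constructed for the demonstration, using documentation IP addresses in place of X.X.X.X and real hosts.

```python
"""Summarise a libpcap export (such as the .cap file saved from Packet Monitor):
for each destination host/port, count packets sent by the source device and
replies coming back, so you can see whether forwarded traffic was answered.
Pure standard library; handles Ethernet (DLT_EN10MB) / IPv4 / TCP or UDP only."""
import struct
from collections import defaultdict

# libpcap magic in the two byte orders a writer may use (microsecond timestamps)
_MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}
DLT_EN10MB = 1

def parse_pcap(data):
    """Yield (src_ip, dst_ip, proto, sport, dport, tcp_flags) for each TCP/UDP frame."""
    endian = _MAGIC.get(data[:4])
    if endian is None:
        raise ValueError("not a libpcap file (unknown magic)")
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    if linktype != DLT_EN10MB:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                      # not IPv4 (ARP, IPv6, ...): skip
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4          # IPv4 header length incl. options
        proto = ip[9]
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        l4 = ip[ihl:]
        if proto == 6 and len(l4) >= 14:  # TCP: flags live in byte 13
            sport, dport = struct.unpack_from("!HH", l4)
            yield src, dst, "TCP", sport, dport, l4[13]
        elif proto == 17 and len(l4) >= 8:  # UDP
            sport, dport = struct.unpack_from("!HH", l4)
            yield src, dst, "UDP", sport, dport, 0

def summarize(data, source_ip, dest_ports):
    """Return {(proto, peer_ip, port): {"out", "back", "syn", "synack"}} for
    traffic between source_ip and the monitored destination ports."""
    flows = defaultdict(lambda: {"out": 0, "back": 0, "syn": 0, "synack": 0})
    for src, dst, proto, sport, dport, flags in parse_pcap(data):
        if src == source_ip and dport in dest_ports:       # request direction
            f = flows[(proto, dst, dport)]
            f["out"] += 1
            if proto == "TCP" and flags & 0x12 == 0x02:    # SYN without ACK
                f["syn"] += 1
        elif dst == source_ip and sport in dest_ports:     # reply direction
            f = flows[(proto, src, sport)]
            f["back"] += 1
            if proto == "TCP" and flags & 0x12 == 0x12:    # SYN+ACK
                f["synack"] += 1
    return dict(flows)

# --- constructed sample capture (not a real SonicWall export) -----------------
def _frame(src, dst, proto, sport, dport, flags=0):
    """Minimal Ethernet/IPv4/TCP-or-UDP frame; checksums left zero on purpose."""
    eth = b"\x00" * 12 + b"\x08\x00"
    if proto == "TCP":
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                     6 if proto == "TCP" else 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + l4

def build_pcap(frames):
    """Wrap raw frames in a little-endian libpcap file (Ethernet link type)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB)]
    for i, fr in enumerate(frames):
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(fr), len(fr)) + fr)
    return b"".join(out)

SOURCE = "192.0.2.10"            # stands in for X.X.X.X (constructed)
PORTS = {80, 443, 500, 4500}     # stands in for yyy,zzz
SAMPLE_PCAP = build_pcap([
    _frame(SOURCE, "203.0.113.5", "TCP", 51000, 443, 0x02),   # SYN out
    _frame("203.0.113.5", SOURCE, "TCP", 443, 51000, 0x12),   # SYN-ACK back
    _frame(SOURCE, "203.0.113.5", "TCP", 51000, 443, 0x10),   # ACK out
    _frame(SOURCE, "203.0.113.5", "TCP", 51001, 80, 0x02),    # SYN out, unanswered
    _frame(SOURCE, "203.0.113.5", "TCP", 51001, 80, 0x02),    # SYN retransmit
    _frame(SOURCE, "198.51.100.7", "UDP", 500, 500),           # IKE out
    _frame("198.51.100.7", SOURCE, "UDP", 500, 500),           # IKE reply
])

if __name__ == "__main__":
    # For a real export: data = open("capture.cap", "rb").read()
    for (proto, peer, port), f in sorted(summarize(SAMPLE_PCAP, SOURCE, PORTS).items()):
        state = "replies seen" if f["back"] else "NO reply captured"
        print(f"{proto} {SOURCE} -> {peer}:{port}: {f['out']} out, {f['back']} back, "
              f"SYN {f['syn']} / SYN-ACK {f['synack']} ({state})")
```

A destination with several outbound SYNs and no SYN-ACK (port 80 in the sample) is the pattern to look up in the .csv log and the HTML export: the drop code there usually says whether the firewall discarded the request or forwarded it and simply never saw an answer.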