SonicOS 7 Action Objects

Related Tasks for Actions Using Packet Monitoring

When the predefined Packet Monitor action is selected for a policy, SonicOS captures or mirrors the traffic according to the settings you have configured on the Monitor > Tools & Monitors > Packets page. The default is to create a capture file, which you can view with Wireshark™. For information about Wireshark, see the Policy > App Control chapter.

After you have configured a policy with the Packet Monitor action, you still need to click Start Capture on the Packets page to actually capture any packets. After you have captured the desired packets, click Stop Capture.

Capturing Packets Related to a Policy

To control the Packet Monitor action to capture only the packets related to your policy:

  1. Navigate to the Monitor > Tools & Monitors > Packets page.

  2. Click the Configure button.

  3. In the Packet Monitor Configuration dialog, click Monitor Filter.

  4. Select Enable Filter based on the firewall/app rule. This option is not selected by default.

    In this mode, after you click the Start Capture option on the Capture Packets page, packets are not captured until some traffic triggers the App Control policy (or an Access Rule). You can see the Alert message in the Monitor > Logs > System Event page when the policy is triggered.

    This works with App Rules policies created using an action object with the Packet Monitor action type, or with policies created in Policy > Access Rules that use Packet Monitor, and allows you to specify configuration or filtering for what to capture or mirror. You can download the capture in different formats and look at it in a browser, for example.

  5. Click Save.

Configuring Mirroring

To set up mirroring:

  1. Navigate to the Monitor > Tools & Monitors > Packets page.

  2. Click the Configure button.

  3. In the Packet Monitor Configuration dialog, click Mirror.

  4. Under Local Mirroring Settings, select the interface that should receive the mirrored traffic from the Mirror filtered packets to Interface drop-down menu.

  5. You can also configure one of the Remote settings. This allows you to mirror the application packets to another computer and store everything on the hard disk. For example, you could capture MSN Instant Messenger traffic and read the conversations.

  6. Click Save.
