SonicOS 7.0 Tools & Monitors

Technical Documentation>  Using Packet Monitor>  Configuring Packet Monitor>  Configuring General Settings>  Configuring the Monitor Filter
Table of Contents

Configuring the Monitor Filter

All filters set on the Monitor Filter page are applied to both packet capture and packet mirroring.

To configure Monitor Filter settings

  1. Navigate to the Tools & Monitors > Packet Monitor page.
  2. Select the General tab.

  3. Select the Monitor Filter tab.

  4. Choose Enable filter based on the firewall/app rule if you are using firewall rules to capture specific traffic.

    Before the Enable filter based on the firewall rule option is selected, be certain you have selected one or more access rules on which to monitor packet traffic. This configuration is done from the Policy > Rules and Policies > Access Rules page.

  5. Specify how Packet Monitor filters packets using these options:
    • Interface Name(s) - You can specify up to ten interfaces separated by commas. Refer to the Network > Interfaces page in the management interface for the available interface names. You can use a negative value to configure all interfaces except the one(s) specified; for example: !X0, or !LAN.

    • Ether Type(s) - You can specify up to ten Ethernet types separated by commas. Currently, the following Ethernet types are supported:

      • ARP
      • IP
      • PPPoE-SES
      • PPPoE-DIS

      The latter two can be specified by PPPoE alone.

      This option is not case-sensitive. For example, to capture all supported types, you could enter: ARP, IP, PPPOE. You can use one or more negative values to capture all Ethernet types except those specified; for example: !ARP, !PPPoE. You can also use hexadecimal values to represent the Ethernet types, or mix hex values with the standard representations; for example: ARP, 0x800, IP. Normally, you would only use hex values for Ethernet types that are not supported by acronym in SonicOS. (Refer to Supported Packet Types for more information.)

    • IP Type(s) - You can specify up to ten IP types separated by commas. These IP types are supported:

      • TCP
      • UDP
      • ICMP
      • GRE
      • IGMP
      • AH
      • ESP

      You can use one or more negative values to capture all IP types except those specified; for example: !TCP, !UDP. You can also use hexadecimal values to represent the IP types, or mix hex values with the standard representations; for example: TCP, 0x1, 0x6. (Refer to Supported Packet Types for more information.) This option is not case-sensitive.

    • Source IP Address(es) - You can specify up to ten IP addresses separated by commas; for example: 10.1.1.1, 192.2.2.2. You can use one or more negative values to capture packets from all but the specified addresses; for example: !10.3.3.3, !10.4.4.4.
    • Source Port(s) - You can specify up to ten TCP or UDP port numbers separated by commas; for example: 20, 21, 22, 25. You can use one or more negative values to capture packets from all but the specified ports; for example: !80, !8080.
    • Destination IP Address(es) - You can specify up to ten IP addresses separated by commas; for example: 10.1.1.1, 192.2.2.2. You can use one or more negative values to capture packets destined for all but the specified addresses; for example: !10.3.3.3, !10.4.4.4.
    • Destination Port(s) - You can specify up to ten TCP or UDP port numbers separated by commas; for example: 20, 21, 22, 25. You can use one or more negative values to capture packets destined for all but the specified ports; for example: !80, !8080.
    • Enable Bidirectional Address and Port Matching - When this option is selected, IP addresses and ports specified in the Source or Destination fields on this page are matched against both the source and destination fields in each packet.
    • Forwarded packets only - Select this option to monitor any packets that are forwarded by the firewall.
    • Consumed packets only - Select this option to monitor all packets that are consumed by internal sources within the firewall.

    • Dropped packets only - Select this option to monitor all packets that are dropped at the perimeter.

      If a field is left blank, no filtering is done on that field. Packets are captured or mirrored without regard to the value contained in that field of their headers.

  6. To save your settings and exit the configuration window, click Save.