03/26/2020
When DPI-SSL (Server or Client Inspection) is enabled, the SonicWall decrypts and re-signs all SSL packets and enforces Security Services policies on the decrypted packets. When DPI-SSL is enabled and unintended traffic is blocked, or traffic that is supposed to be blocked is allowed, it is useful to capture that traffic for troubleshooting. The SonicWall Packet Monitor module enables the administrator to capture decrypted SSL packets. This KB article describes how to capture decrypted packets.
1. Log in to the SonicWall management GUI.
2. Navigate to the System > Packet Monitor page.
3. Click on Configure.
4. Navigate to the Monitor Filter tab.
5. Under Ether Type(s), enter IP.
6. Under IP Type(s), enter TCP.
7. If capturing Server DPI-SSL decrypted traffic, enter the public IP of the client under Source IP Address(es).
8. Leave the Source Port(s) field blank.
9. If capturing Client DPI-SSL decrypted traffic, enter the public IP of the server under Destination IP Address(es).
10. Under Port(s), enter both encrypted and decrypted port numbers. For example:
Captured packets can be exported in libpcap format for viewing in Wireshark. The decrypted packets can be seen by filtering by the clear text port number of the application. For example, if the traffic is HTTPS, the decrypted packets can be seen by filtering with http.
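To check an exported capture without opening Wireshark, the following added example (not SonicWall code) parses a classic libpcap file and counts payload-bearing TCP packets on the encrypted port and on the clear-text port, and how many of the latter are readable HTTP. It assumes an Ethernet link type and, for an HTTPS capture, ports 443 (encrypted) and 80 (clear text); the sample capture is constructed in the script.

```python
import struct

ENCRYPTED_PORT, CLEARTEXT_PORT = 443, 80  # assumed ports for an HTTPS capture
HTTP_STARTS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"HTTP/1.")

def tcp_payloads(pcap):
    """Yield (src_port, dst_port, payload) per IPv4/TCP frame in a classic libpcap file."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic libpcap file with Ethernet link type")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # too short, not IPv4, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:14 + struct.unpack("!H", frame[16:18])[0]]
        if len(tcp) >= 20:
            yield (*struct.unpack("!HH", tcp[:4]), tcp[(tcp[12] >> 4) * 4:])

def summarize(pcap):
    """Count payload-bearing packets per port and how many are readable HTTP."""
    counts = {"encrypted_port": 0, "cleartext_port": 0, "cleartext_http": 0}
    for sport, dport, payload in tcp_payloads(pcap):
        if payload and CLEARTEXT_PORT in (sport, dport):
            counts["cleartext_port"] += 1
            counts["cleartext_http"] += int(payload.startswith(HTTP_STARTS))
        elif payload and ENCRYPTED_PORT in (sport, dport):
            counts["encrypted_port"] += 1
    return counts

def _frame(sport, dport, payload):  # constructed frame; addresses and checksums are zero
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH8x", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0)
    return bytes(12) + b"\x08\x00" + ip + tcp

def sample_pcap():
    """Constructed capture: one TLS record on 443, an HTTP request and reply on 80."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in (_frame(50000, 443, b"\x16\x03\x03\x00\x02hi"),
              _frame(50000, 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
              _frame(80, 50000, b"HTTP/1.1 200 OK\r\n\r\n")):
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(summarize(sample_pcap()))
```

A capture with packets on the encrypted port but a `cleartext_http` count of zero suggests the decrypted copies were not captured, so the port filter in step 10 is the first thing to recheck.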