How to Capture DPI-SSL Decrypted Packets in the SonicWall Packet Monitor Module

When DPI-SSL, Server or Client Inspection, is enabled, all SSL packets are re-signed  and decrypted by the SonicWall and Security Services policies are enforced on the decrypted packets.  With DPI-SSL enabled, when unintended traffic is blocked or traffic supposed to be blocked is allowed, it is useful to capture such traffic for troubleshooting purposes.  The SonicWall Packet Monitor module enables the administrator to capture decrypted SSL packets. This KB article describes how to capture decrypted packets.

1.  Login to the SonicWall management GUI.
2.  Navigate to the System > Packet Monitor page.
3.  Click on Configure.
4.  Navigate to the Monitor Filter tab.
5.  Under Ether Type(s), enter IP
6.  Under IP Type(s), enter TCP
7.  If capturing Server DPI-SSL decrypted traffic, enter the public IP of the client under Source IP Address(es)
8.  Leave the Source Port(s) field blank.
9.  If capturing Client DPI-SSL decrypted traffic, enter the public IP of the server under Desination IP Address(es)
10.Under Port(s), enter both encrypted and decrypted port numbers. For example:

• For HTTPS traffic, enter 443,80
• For FTPS, enter 990,20
• For IMAP, enter 993,143
• For SMTPS, enter 465,25
• For POPS, enter 995,110

11. Click on the Advanced Monitor Filter tab.
12. Enable check box under Monitor intermediate SSL decrypted traffic
13. Click on OK to save.
14. Click on Start Capture to start the capture.

Captured packets can be exported in libpcap format for viewing in Wireshark. The decrypted packets can be seen by filtering by the clear text port number of the application. For example, if the traffic is HTTPS, the decrypted packets can be seen by filtering with http.