Running a packet capture for TCP and/or UDP traffic

First, configure and run the packet capture for all traffic from the initiating machine making the request on the intended destination ports:

1. Navigate to INVESTIGATE | Packet Monitor.

2. Click "Monitor Default" to clear out any previous capture parameters.

3. Click "Configure"

4. Navigate to the "Monitor Filter" tab.  

5. Enter the following parameters, where X.X.X.X is the source IP address of the initiating machine and yyy,zzz are the destination port numbers (such as 80,443 when monitoring HTTP and HTTPS)

NOTE: Any field with multiple values must be separated by a comma, WITHOUT a space) Interface Name:?

• • Ether type:     IP
  • IP type:       TCP
  • Source IP:      X.X.X.X
  • Source Port:
  • Destination IP:
  • Destination Port:    yyy,zzz

            Example for UDP -  Stablishing  VPN

• • Ether type:     IP
  • IP type:      UDP
  • Source IP:      
  • Source Port:
  • Destination IP:
  • Destination Port:    4500,500

6. Navigate to the "Advanced Monitor Filter" tab and check all boxes.

7. Click "OK" to save the parameters.  This will return you to the main Packet Monitor screen.

8. Click "Start Capture".  The top icon should turn from red to green.  You may need to click "Clear" to remove packets from old captures.

9. Reproduce the issue.  (Note:  The page is not dynamic, so the results will not change unless the page is refreshed).

10. Click "Stop Capture".  

It is important at this point to obtain the logs before they are irretrievably lost.  While a stopped packet capture will remain in the buffer until removed, logs will not.

In order to obtain the corresponding logs for 5.8 or 6.1 firmware:

1. Navigate to Log | View
2. Click "Export Logs"
3. Select "CSV (Comma Separated Value)" and Save the file.

In order to obtain the corresponding logs for 5.9 or 6.2 firmware:

1. Navigate to Log | Log Monitor
2. Click the "CSV" button at the top of the page
3. Save the file.

In order to obtain the corresponding logs for 6.5 firmware and higher:

1. Navigate to INVESTIGATE | Event Logs
2. Click the "CSV" button at the top of the page
3. Save the file.

Once the logs have been obtained, navigate back to INVESTIGATE | Packet Monitor and save the Libpcap and HTML versions of the capture.  Only the Libpcap version can provide data for deep analysis (using Wireshark, an industry standard utility), and only the HTML file can provide data specific to the SonicWall (Such as interface information, drop codes, module ID's, etc):

1. Use the "Export As" drop-down menu to select "LIBPCAP" and save the .cap file provided.
2. Use the "Export As" drop-down menu to select "HTML" and save the .HTML file provided (note:  Some browsers will attempt to open this file.  If this happens, use ALT+F or "File" and select "Save As" to save the .HTML file.

When finished, you will have three files that can help determine the problem.  You can analyze these or provide them to tech support:

• A .csv copy of the logs,
• A .cap version of the packet capture, and
• A .HTML version of the packet capture.