[ATP/FLEX] How to capture packets on Nebula Firewall
Scenario
Packet-trace is a CLI-based packet capturing tool on the device. It can be used to sniff and analyze network traffic by intercepting and displaying the packets transmitted on a network interface.
This example illustrates how to capture packets in CLI mode on a Nebula-managed device.
Demonstration
You may skip step 1) if you access the SSH service from the LAN interface of the device.
1) Create a security policy to allow SSH service from the WAN interface.
By default, the device's SSH service cannot be reached from the WAN interface when the device is managed by Nebula: there is no implicit firewall rule that allows SSH access to the device from the WAN.
Go to Firewall > Configure > Security policy. Under Implicit allow rules there is no implicit rule that allows SSH access from the WAN to the device's TCP port 22.
Click Add to create a security policy rule that allows SSH access from the WAN.
Action = Allow
Protocol = TCP
Source = Any
Destination = Device
Dst Port = 22
*For security reasons, we strongly suggest adding trusted IP addresses as the Source instead of Any.
Click Save to commit the setting to Nebula.
2) Go to Site-wide > Configure > General settings to check the local credential.
3) SSH to the device and log in with the local credential.
4) Type the CLI command Router> show sdwan interface to check the available interfaces.
Now we can start to capture packets on the device to analyze and sniff network traffic. In the following examples we capture packets on the lan1 interface; the CLI name for it is vlan3222, so enter vlan3222 instead of lan1.
Basic filter syntax - packet-trace interface [interface name]
Capture packets on:
Specific interface
-Router> packet-trace interface vlan3222
Specific source IP
-Router> packet-trace interface vlan3222 src-host X.X.X.X
Specific destination IP
-Router> packet-trace interface vlan3222 dst-host X.X.X.X
Specific service port
-Router> packet-trace interface vlan3222 port XXXXX
Specific IP protocol
-Router> packet-trace interface vlan3222 ip-proto [icmp|esp|ah|tcp|udp|gre]
The protocol name can also be replaced by the protocol number
e.g. protocol number 1 = ICMP
Extension filter syntax - packet-trace interface [interface name] extension-filter
Apply filter for ICMP
-Router> packet-trace interface vlan3222 extension-filter icmp
Apply filter for ARP
-Router> packet-trace interface vlan3222 extension-filter arp
Apply filter for specific IP
-Router> packet-trace interface vlan3222 extension-filter host X.X.X.X
Apply filter for dst/src IP
-Router> packet-trace interface vlan3222 extension-filter [dst|src] X.X.X.X
Apply filter for subnet
-Router> packet-trace interface vlan3222 extension-filter X.X.X.X/n (n = mask length)
Apply filter for tcp/udp service port
-Router> packet-trace interface vlan3222 extension-filter [udp|tcp] port XXXXX
Combination
And
-Router> packet-trace interface vlan3222 extension-filter host 192.168.1.33 and port 80
Or
-Router> packet-trace interface vlan3222 extension-filter dst 8.8.8.8 or dst 168.95.1.1
Except
-Router> packet-trace interface vlan3222 extension-filter host 8.8.8.8 and not icmp
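When the capture is driven from a script over the SSH session set up in steps 1) to 3), it helps to compose these commands from validated pieces rather than by string concatenation. The helper below is an added example, not part of the Zyxel product or this article: it builds the exact command strings shown above and rejects any argument that is not a valid IP address, X.X.X.X/n subnet, port number or one of the filter keywords listed here, so a typo or stray character never reaches the device prompt. The interface name vlan3222 and all function names are assumptions.

```python
import ipaddress
IP_PROTO_NAMES = {"icmp", "esp", "ah", "tcp", "udp", "gre"}  # ip-proto names from the article
EXT_KEYWORDS = {"host", "src", "dst", "port", "tcp", "udp", "icmp", "arp", "and", "or", "not"}

def _port(value) -> str:
    if not str(value).isdigit() or not 1 <= int(value) <= 65535:
        raise ValueError(f"bad port: {value!r}")
    return str(int(value))

def _ext_token(tok: str) -> str:
    if tok in EXT_KEYWORDS:
        return tok
    if tok.isdigit():                                        # port number after "port"
        return _port(tok)
    if "/" in tok:                                           # X.X.X.X/n subnet, host bits cleared
        return str(ipaddress.ip_network(tok, strict=False))
    return str(ipaddress.ip_address(tok))                    # plain IP; ValueError on anything else

def _prefix(interface: str) -> list:
    # Interface names as listed by "show sdwan interface", e.g. vlan3222 (assumed format).
    if not (interface.isascii() and interface.isalnum()):
        raise ValueError(f"bad interface name: {interface!r}")
    return ["packet-trace", "interface", interface]

def basic_filter(interface, src_host=None, dst_host=None, port=None, ip_proto=None) -> str:
    """packet-trace interface <if> [src-host A] [dst-host B] [port N] [ip-proto P]"""
    parts = _prefix(interface)
    for flag, host in (("src-host", src_host), ("dst-host", dst_host)):
        if host is not None:
            parts += [flag, str(ipaddress.ip_address(host))]
    if port is not None:
        parts += ["port", _port(port)]
    if ip_proto is not None:
        proto = str(ip_proto).lower()                        # protocol name or IANA number (1 = ICMP)
        if proto not in IP_PROTO_NAMES and not (proto.isdigit() and int(proto) <= 255):
            raise ValueError(f"bad ip-proto: {ip_proto!r}")
        parts += ["ip-proto", proto]
    return " ".join(parts)

def extension_filter(interface, expression: str) -> str:
    """packet-trace interface <if> extension-filter <expr>, e.g. 'host 8.8.8.8 and not icmp'"""
    tokens = [_ext_token(t) for t in expression.split()]
    return " ".join(_prefix(interface) + ["extension-filter"] + tokens)

def is_valid_extension(interface, expression: str) -> bool:
    try:                                                     # False when any token is rejected
        return bool(extension_filter(interface, expression))
    except ValueError:
        return False
```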