[ATP/FLEX] How to capture packets on Nebula Firewall
Zyxel Employee
Scenario
Packet-trace is a CLI-based packet capturing tool on device. It can be used to sniffer and analyze network traffic by intercepting and displaying packets transmitted in the network interface.
This example illustrates how to capture packets in CLI mode on Nebula.
Demonstration
You may skip step 1) if you access SSH service from LAN interface of the device.
1) Create a security policy to allow SSH service from wan interface.
By default, it is unable to access device SSH service from wan interface when the device is managed by nebula. There is no Implicit firewall rule to allow device SSH access from wan.
Go
to Configure > Firewall > Security Policy. 
In
Implicit allow rules, there is no implicit rule to allow SSH access from wan to Device TCP 22 port
Click Add to create a security policy rule to allow SSH access from Wan.
Action = Allow
Protocol = TCP
Source = Any
Destination = Device
Dst Port = 22
*For security concern, we strongly suggest you add trusted IP to Source IP, instead of any.
Click Save to commit setting to Nebula.
2) Go
to Configure > Site settings to check local
credentials.
3) SSH to device, and log in with local credentials.
4) Type CLI
Router> show sdwan interface to check available
interface.
Now we can start to capture packets on device to analysis and sniffer network packets. In the following examples, we use commands to capture packets on lan1 interface. You need to enter vlan3222 instead of lan1.
Basic filter syntax - packet-trace interface [interface name]
Capture packets on:
Specific interface
-Router> packet-trace interface vlan3222
Specific source IP
-Router> packet-trace interface vlan3222 src-host X.X.X.X
Specific destination IP
-Router> packet-trace interface vlan3222 dst-host X.X.X.X
Specific service port
-Router> packet-trace interface vlan3222 port XXXXX
Specific IP protocol
-Router> packet-trace interface vlan3222 ip-proto [icmp|esp|ah|tcp|udp|gre]
Protocol name can also be replaced by protocol number
eg. Protocol number 1= ICMP
Extension filter syntax - packet-trace interface [interface name] extension-filter
Apply filter for ICMP
-Router> packet-trace interface vlan3222 extension-filter icmp
Apply filter for ARP
-Router> packet-trace interface vlan3222 extension-filter arp
Apply filter for specific IP
-Router> packet-trace interface vlan3222 extension-filter host X.X.X.X
Apply filter for dst/src IP
-Router> packet-trace interface vlan3222 extension-filter [dst|src] X.X.X.X
Apply filter for subnet
-Router> packet-trace interface vlan3222 extension-filter X.X.X.X/n n=mask
Apply filter for tcp/udp service port
-Router> packet-trace interface vlan3222 extension-filter [udp|tcp port] XXXXX
Combination
And
-Router> packet-trace interface vlan3222 extension-filter host 192.168.1.33 and port 80
Or
-Router> packet-trace interface vlan3222 extension-filter dst 8.8.8.8 or dst 168.95.1.1
Except
-Rourter>packet-trace interface vlan3222 extension-filter host 8.8.8.8 and not icmp
Categories
- All Categories
- 431 Beta Program
- 2.6K Nebula
- 165 Nebula Ideas
- 112 Nebula Status and Incidents
- 6K Security
- 365 USG FLEX H Series
- 292 Security Ideas
- 1.5K Switch
- 78 Switch Ideas
- 1.2K Wireless
- 42 Wireless Ideas
- 6.6K Consumer Product
- 263 Service & License
- 407 News and Release
- 87 Security Advisories
- 31 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.9K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 83 Security Highlight