Overview
The Debug log can record IPv4 or IPv6 packets that match a user-defined logical expression, written with the variables and operators described below. Kerio Control can also create packet dumps: the matching traffic is saved to a file that you can download and open in Wireshark.
Solution
Administrator access to Kerio Control is required for these changes. Two features help in identifying packet-related issues: packet logging and packet dumps.
Configuring packet logging
- In the administration interface, go to Logs > Debug.
- In the context menu, click Packet Logging.
- Type an expression (information related to expressions and related examples are below).
- Click OK.
Note: To cancel packet logging, remove the expression.
Logical Expression
Packets can be described by logical expressions following this pattern:
variable1 = value1 & variable2 = value2 | variable3 = value3
where:
- variable1 ... variableN are characteristic pieces of information about the packet (see below)
- & is the logical operator AND
- | is the logical operator OR
Interpretation of logical expressions
Expressions are parsed according to the priority of the individual operators: the & operator is parsed before |. If multiple conditions are connected by the same operator, the expression is parsed from left to right. If necessary, parentheses can be used to determine the priority of conditions:
variable1 = value1 & (variable2 = value2 | variable3 = value3)
Variables
The following variables can be used in logical expressions defining packets:
any - All IP packets are logged (the condition is always met). Combining any with other conditions is meaningless.
addr - Source or destination IP address of the packet.
saddr - Source IP address.
daddr - Destination IP address.
Define conditions for addr, saddr, daddr as follows:
| Condition | Description |
|---|---|
| = 1.2.3.4 | IPv4 address of the host |
| = 1.2.3.4/255.255.255.0 | subnet defined by the network IPv4 address and a corresponding subnet mask |
| = 1.2.3.4/24 | subnet defined by the network IPv4 address and number of bits of the corresponding subnet mask |
| = 1.2.3.4-1.2.3.10 | IPv4 range (inclusive) |
| = 2001:abcd:1234::1 | IPv6 address of the host |
| = list:"name of IP group" | IP address group |
| = user:"user1,user2,[group1],user3,[group2]" | IP addresses of hosts from which the users are connected |
For IPv6, you can enter only host addresses; a subnet given by prefix and length, or an address range, is not supported.
port - Source or destination port number (TCP or UDP).
sport - Source port number.
dport - Destination port number.
if - Interface (in any direction).
iif - Incoming interface.
oif - Outgoing interface.
Allowed conditions:
| Condition | Description |
|---|---|
| = "interface name" | Interface name used by Kerio Control |
| = vpnclient | Any VPN client |
| = vpn | Any VPN client |
| = vpn:"name of VPN connection" | Name of VPN connection |
direc - Packet direction:
- = in — incoming packet
- = out — outgoing packet
tcpfl - Flags in TCP header.
Options: FIN SYN RST PSH ACK URG NONE (no flags) ALL (all flags).
Any TCP packet containing the specified flags (their value is 1) meets the condition. Flags not used in the specification are ignored.
Individual flags of the tcpfl variable can be prefixed with the + symbol (the flag must be set) or the - symbol (the flag must be clear). Flags listed without either symbol are treated as if prefixed with +.
Example: the expression tcpfl = SYN +ACK -RST is met by any packet that has SYN and ACK set and RST clear.
Examples
This logical expression defines Microsoft Networking service packets at the Internet interface:
if = "Internet" & (port >= 137 & port <= 139 | port = 445)
This expression defines packets going out through the Internet interface and directed to the WWW server with IP address 123.32.45.67 at port 80 or 8080:
oif = "Internet" & daddr = 123.32.45.67 & (dport = 80 | dport = 8080)
This expression defines incoming TCP packets flagged by SYN (TCP connection establishment):
direc = in & tcpfl = SYN
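To make the operator priority and the variable conditions above concrete, here is an added example (not Kerio's code) of a small evaluator for this expression language, run against a constructed packet. It assumes a packet is a dict with the fields named in the comment; the list:, user:, vpn/vpnclient and NONE/ALL forms are left out because they depend on Kerio's own group and VPN definitions.

```python
import ipaddress, re
TOKEN = re.compile(r'\s*(?:("[^"]*")|(>=|<=|=|&|\||\(|\))|([^\s&|()"=<>]+))')  # "name" | operator | word
OPS = {'=': lambda a, b: a == b, '>=': lambda a, b: a >= b, '<=': lambda a, b: a <= b}
FIELDS = {'addr': ('saddr', 'daddr'), 'port': ('sport', 'dport'), 'if': ('iif', 'oif')}  # either direction

def parse(expr):  # '&' binds tighter than '|', parentheses override, otherwise left to right
    toks = [a or b or c for a, b, c in TOKEN.findall(expr)]
    peek = lambda: toks[0] if toks else None
    def chain(op, sub):  # left-associative run of one operator: a op b op c
        node = sub()
        while peek() == op:
            toks.pop(0)
            node = (op, node, sub())
        return node
    def atom():
        if peek() == '(':
            toks.pop(0)
            node = full()
            assert toks.pop(0) == ')', 'missing closing parenthesis'
            return node
        var = toks.pop(0)
        op = toks.pop(0) if peek() in OPS else '='  # bare 'any' has no operator
        vals = []
        while peek() not in (None, '&', '|', ')'):
            vals.append(toks.pop(0))  # tcpfl may list several values: SYN +ACK -RST
        return ('cmp', var, op, vals)
    full = lambda: chain('|', lambda: chain('&', atom))
    return full()

def addr_match(spec, ip):  # IPv4 host, a/mask, a/prefix or a-b range; IPv6 host only
    ip = ipaddress.ip_address(ip)
    if '-' in spec:
        lo, hi = map(ipaddress.ip_address, spec.split('-'))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(spec, strict=False)

def matches(node, pkt):  # pkt: dict with saddr, daddr, sport, dport, iif, oif, direc, tcpfl
    if node[0] in ('|', '&'):
        return (any if node[0] == '|' else all)(matches(sub, pkt) for sub in node[1:])
    _, var, op, vals = node
    if var == 'any':
        return True
    if var == 'tcpfl':  # listed flags must be set (+ or bare) or clear (-); others are ignored
        return all((v.lstrip('+-') in pkt['tcpfl']) == (v[0] != '-') for v in vals)
    return any((addr_match(vals[0], pkt[f]) if var.endswith('addr') else
                OPS[op](pkt[f], int(vals[0])) if var.endswith('port') else
                pkt[f] == vals[0].strip('"'))  # if/iif/oif ("name") and direc (in/out)
               for f in FIELDS.get(var, (var,)))
# Constructed sample packet (not a real capture): a LAN host opening a connection to the web server
SAMPLE = {'saddr': '192.168.1.20', 'daddr': '123.32.45.67', 'sport': 51234, 'dport': 8080,
          'iif': 'LAN', 'oif': 'Internet', 'direc': 'out', 'tcpfl': {'SYN'}}
```

With SAMPLE, the second expression from the Examples section matches, the first and third do not, and `matches(parse(expr), pkt)` can be tried on any expression built from the variables above.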
Creating and downloading packet dumps
- In the administration interface, go to Logs > Debug.
- In the context menu, click Packet Dump To File.
- Type an expression (for example, one that matches SIP traffic).
- To create the packet dump and start logging, click Start.
- Once you have captured enough information, click Stop.
- Click Download and save the file to your computer.