Overview

This functionality enables monitoring of IPv4 or IPv6 packets according to a user-defined log expression. The expression must be defined using special symbols. Kerio Control also offers the creation and downloading of packet dumps. The packet dump saves the wanted traffic to a file that can be downloaded and opened by Wireshark.

Solution

Administration access to Kerio Control is required for making any changes here. There are 2 points that can help in identifying packet related issues:

• Configuring packet logging
• Creating and downloading packet dumps

Configuring packet logging

1. In the administration interface, go to Logs > Debug.
2. In the context menu, click Packet Logging.
   
3. Type an expression (information related to expressions and related examples are below).
4. Click OK.

Note: Packet logging can be canceled by removing the expression entry.

Logical Expression

Packets can be described by logical expressions following this pattern:

variable1 = value1 & variable2 = value2 | variable3 = value3

where:

• variable1 ... variableN are characteristic information about the packet (see below)
• & is the logical operator and
• | is the logical operator or

Interpretation of logical expressions

Expressions are parsed according to the priority of the individual operators: the &operator is parsed before |. If multiple conditions are connected by the same operator, the expression is parsed from left to right. If necessary, parentheses can be used to determine the priority of conditions:

variable1 = value1 & (variable2 = value2 | variable3 = value3)

Variables

The following variables can be used in logical expressions defining packets:

any - All IP packets are logged (the condition is always met). It would be meaningless to combine any option with other condition(s).

addr/ - Source or destination IP address of the packet.

saddr - Source IP address.

daddr - Destination IP address.

Define conditions for addr, saddr, daddr as follows:

For IPv6 protocol, you can enter only host addresses. It is not possible to specify a subnet by the prefix and its length or by an address range.

port - A number of the source or destination port (TCP or UDP).

sport - Source port number.

dport - Destination port number.

if - Interface (in any direction).

iif - Incoming interface.

oif - Outgoing interface.

Allowed conditions:

direc - Packet direction:

• = in — incoming packet
• = out — outgoing packet

tcpfl - Flags in TCP header.

Options: FIN SYN RST PSH ACK URG NONE (none) ALL (all).

Any TCP packet containing specified flags (their value is 1) meets the condition. Flags not used in the specification are ignored.

Individual flags of the tcpfl variable can be marked either by the + symbol (the flag is enabled) or by the - symbol (the flag is disabled). All conditions are flagged by default unless one of these symbols is used.

Example: The tcpfl = SYN +ACK -RST expression is met by any packet flagged by SYN and ACK that has a disabled RST flag.

Examples

This logical expression defines Microsoft Networking service packets at the Internet interface:

if = "Internet" & (port >= 137 & port <= 139 | port = 445)

This expression defines packets going out through the Internet interface and directed to the WWW server with IP address 123.32.45.67 at port 80or 8080:

oif = "Internet" & daddr = 123.32.45.67 & (dport = 80 | dport = 8080)

This expression defines incoming TCP packets flagged by SYN (TCP connection establishment):

direc = in & tcpfl = SYN

Creating and downloading packet dumps

1. In the administration interface, go to Logs > Debug.
2. In the context menu, click Packet Dump To File.
   
3. Type an expression (SIP traffic example).
   
4. To create the packet dump and start logging, click Start.
5. Do you have enough information? If yes, then, click Stop.
6. Click Download and save the file to your computer.