Capture non-IP traffic (ARP, DHCP requests)

SECOIT GmbH
Posts: 39
Joined: 13 Feb 2018, 16:20


Post by SECOIT GmbH » 08 Jun 2020, 20:36

When capturing traffic, I have to select either all protocols or TCP/UDP/ICMP (and I can give the IP protocol number when I use the CLI).
But because of the limited resources of E/W-Series cOS Core gateways, the buffer can fill up in a few seconds.

One thing I have to troubleshoot a lot is wireless issues. So the most important thing is to capture non-IP traffic (ARP, DHCP requests) and UDP traffic. But when I select UDP it will only show UDP traffic. Selecting protocol "Any" does capture all I need, but again, the limits are far too small.

What would really help a lot with troubleshooting is a check box to capture non-IP traffic, so that when I select UDP (for example) as the protocol I can additionally see ARPs etc.
Or... even better:
Ditch the dropdown list and make five checkboxes:
- Any (this will grey out the other check boxes)
- TCP
- UDP
- ICMP
- Non-IP

Traffic capturing is extremely important for troubleshooting, and where other firewall manufacturers log to a bigger disk, to external storage or directly to the browser session (the admin's disk is the limit), we are limited to only 512 MB (which most of the time won't work, so basically 256 MB is the maximum). Considering this limitation, it would be great to make capturing more useful.

I'm aware that I can combine UDP and ICMP, for example, using the CLI, but even there I have not found an option to capture non-IP when limiting the protocol to UDP, for example.
Best regards
Michael

anders s
Posts: 35
Joined: 27 Sep 2011, 14:41

Re: Capture non IP traffic (ARP, DHCP requests)

Post by anders s » 15 Jun 2020, 14:48

You can limit the data per packet with -snaplen, but I would also like to be able to use multiple filters and also exclusions (like netcon/ssh).

Anton
Posts: 28
Joined: 16 Jun 2016, 18:50
Location: Clavister HQ - Örnsköldsvik

Re: Capture non IP traffic (ARP, DHCP requests)

Post by Anton » 14 minutes ago

Hello

Basically all the features I want 8-)

I have created some RFEs (Requests for Enhancement) where we will look into the possibility of adding such features:
COP-22871 - Make it possible to filter on non-IP protocols.
I would also like to mention the <arpsnoop> command; you could use this to troubleshoot ARP, and also <logsnoop -on -category=DHCP> to troubleshoot DHCP.

COP-22872 - Make it possible to filter on multiple protocols from the WebUI, for if COP-22872 is implemented.

COP-22873 - Make it possible to exclude ports or protocols from the packet capture.
A side note on this is that you can do this today somewhat using the -port flag; for example, -port=80,443,53 will filter on these ports, or -port=1-1024,8000,9000 will filter on port range 1-1024, port 8000 and port 9000.

COP-20959 - Investigate support Remote Capture (rpcap) or sshdump in pcap

Best regards
Anton
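To make concrete what the "Non-IP" check box from the first post and the -port list syntax from Anton's reply would select, here is an added example of an offline Ethernet-frame filter. It is not Clavister cOS Core code and does not describe how pcapdump is implemented; it assumes raw Ethernet II frames (as a pcap tool would hand you), treats the port list as applying only to TCP and UDP, and does not walk IPv6 extension headers. All sample frames (an ARP request, a DHCP discover, a DNS query, a TCP SYN and an ICMP echo) are constructed inline with zeroed checksums.

```python
"""Added example (not Clavister cOS Core code): an offline Ethernet-frame filter
that keeps every non-IP frame (ARP and the like) alongside a chosen set of IP
protocols, and accepts a port list in the "1-1024,8000,9000" form described in
the thread. All sample frames below are constructed inline."""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV6 = 0x86DD
IPPROTO = {"icmp": 1, "tcp": 6, "udp": 17}
PORTED_PROTOCOLS = (6, 17)  # only TCP and UDP carry ports; the port filter applies to these


def parse_port_spec(spec):
    """Turn "80,443,53" or "1-1024,8000,9000" into a set of port numbers."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port item {item!r}")
        ports.update(range(lo, hi + 1))
    return ports


def classify(frame):
    """Decode the few header fields the filter needs from an Ethernet II frame.
    IPv6 extension headers are not walked (assumption: base header only)."""
    info = {"ethertype": None, "proto": None, "sport": None, "dport": None}
    if len(frame) < 14:
        return info
    info["ethertype"] = struct.unpack("!H", frame[12:14])[0]
    l4 = None
    if info["ethertype"] == ETHERTYPE_IPV4 and len(frame) >= 34:
        ihl = (frame[14] & 0x0F) * 4      # IPv4 header length in bytes
        info["proto"] = frame[23]         # IPv4 Protocol field
        l4 = 14 + ihl
    elif info["ethertype"] == ETHERTYPE_IPV6 and len(frame) >= 54:
        info["proto"] = frame[20]         # IPv6 Next Header field
        l4 = 54
    if l4 is not None and info["proto"] in PORTED_PROTOCOLS and len(frame) >= l4 + 4:
        info["sport"], info["dport"] = struct.unpack("!HH", frame[l4:l4 + 4])
    return info


def keep_frame(frame, protocols="any", ports=None, non_ip=True):
    """protocols: "any" or a set of IP protocol numbers; ports: None or a set
    from parse_port_spec(); non_ip: the check box the first post asks for."""
    info = classify(frame)
    if info["ethertype"] is None:
        return False  # truncated frame, nothing to match on
    if info["ethertype"] not in (ETHERTYPE_IPV4, ETHERTYPE_IPV6):
        return non_ip  # ARP, LLDP, ... have no IP protocol or ports to match on
    if protocols != "any" and info["proto"] not in protocols:
        return False
    if ports is not None and info["proto"] in PORTED_PROTOCOLS:
        return info["sport"] in ports or info["dport"] in ports
    return True  # assumption: a port list does not exclude port-less protocols such as ICMP


def filter_capture(frames, **kwargs):
    """frames: dict name -> bytes; returns the names that survive the filter."""
    return [name for name, frame in frames.items() if keep_frame(frame, **kwargs)]


# --- constructed sample frames (checksums left at zero; the filter never checks them) ---
def _eth(ethertype, payload, dst=b"\xff" * 6, src=b"\x00\x11\x22\x33\x44\x55"):
    return dst + src + struct.pack("!H", ethertype) + payload

def _ipv4(proto, payload, src=b"\x00\x00\x00\x00", dst=b"\xff\xff\xff\xff"):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return hdr + payload

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

SAMPLE_FRAMES = {
    "arp_request": _eth(ETHERTYPE_ARP, struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, 1,
                                                   b"\x00\x11\x22\x33\x44\x55", b"\xc0\xa8\x01\x0a",
                                                   b"\x00" * 6, b"\xc0\xa8\x01\x01")),
    "dhcp_discover": _eth(ETHERTYPE_IPV4, _ipv4(17, _udp(68, 67, b"\x01\x01\x06\x00" + b"\x00" * 236))),
    "dns_query": _eth(ETHERTYPE_IPV4, _ipv4(17, _udp(40000, 53, b"\x12\x34\x01\x00" + b"\x00" * 8),
                                            src=b"\xc0\xa8\x01\x0a", dst=b"\xc0\xa8\x01\x01")),
    "tcp_syn_443": _eth(ETHERTYPE_IPV4, _ipv4(6, struct.pack("!HHIIBBHHH", 40001, 443, 0, 0, 0x50, 0x02, 0, 0, 0),
                                              src=b"\xc0\xa8\x01\x0a", dst=b"\x5d\xb8\xd8\x22")),
    "icmp_echo": _eth(ETHERTYPE_IPV4, _ipv4(1, struct.pack("!BBHHH", 8, 0, 0, 1, 1),
                                            src=b"\xc0\xa8\x01\x0a", dst=b"\xc0\xa8\x01\x01")),
}

if __name__ == "__main__":
    # "UDP plus non-IP": what the requested check box would give you
    print(filter_capture(SAMPLE_FRAMES, protocols={IPPROTO["udp"]}, non_ip=True))
    # "Any" protocol narrowed by a port list; DHCP (67/68) falls outside the list
    print(filter_capture(SAMPLE_FRAMES, protocols="any", ports=parse_port_spec("53,443")))
```

The first call keeps the ARP request together with both UDP frames and drops the TCP SYN and the ICMP echo; the second keeps everything except the DHCP discover, because ARP has no ports to fail on and ICMP is not subject to the port list under the assumption noted in the code. Running the same two selections against a real capture is a quick way to check whether a "non-IP" option really would have shown the ARP and DHCP exchanges a wireless client is missing.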
