Capture non IP traffic (ARP, DHCP requests)

SECOIT GmbH
Posts: 39
Joined: 13 Feb 2018, 16:20

Post by SECOIT GmbH » 08 Jun 2020, 20:36

When capturing traffic I have to select either all protocols or TCP/UDP/ICMP (and I can give the IP protocol number when I use the CLI).
But because of the limited resources of the E/W-Series cOS Core gateways the buffer can fill up in a few seconds.

One issue I have to troubleshoot a lot is wireless issues. So the most important thing is to capture non-IP traffic (ARP, DHCP requests) and UDP traffic. But when I select UDP it will only show UDP traffic. Selecting Protocol "Any" does capture all I need, but again, the limits are far too small.

What would really help a lot with troubleshooting is a check box to capture non-IP traffic, so that when I select UDP (for example) as the protocol I can additionally see ARPs etc.
Or... even better:
Ditch the dropdown list and make five checkboxes:
- Any (this will grey out the other check boxes)
- TCP
- UDP
- ICMP
- Non IP

Traffic capturing is extremely important for troubleshooting, and where other firewall manufacturers log to a bigger disk, to external storage or directly to the browser session (the admin's disk is the limit), we are limited to only 512 MB (which most of the time won't work, so basically 256 MB is the maximum). Considering this limitation it would be great to make capturing more useful.

I'm aware that I can combine UDP and ICMP, for example, using the CLI, but even there I have not found an option to capture non-IP traffic when limiting the protocol to UDP, for example.
Best regards
Michael

anders s
Posts: 35
Joined: 27 Sep 2011, 14:41

Re: Capture non IP traffic (ARP, DHCP requests)

Post by anders s » 15 Jun 2020, 14:48

You can limit the data per packet with -snaplen, but I would also like to be able to use multiple filters and also exclusions (like netcon/ssh).
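To make the two requests in this thread concrete (the "checkbox" protocol selection that ORs UDP with non-IP frames from the first post, and the per-packet -snaplen cap from the reply), here is an added example that is not cOS Core code and does not use any Clavister CLI. It classifies raw Ethernet II frames by EtherType and IPv4 protocol number, applies a selection set with the requested semantics, and shows how snaplen truncation lets more packets fit into a fixed capture buffer. The sample frames (an ARP request, a DHCPDISCOVER, a TCP SYN, an ICMP echo and an LLDP frame) are constructed inline with zero checksums; the buffer sizes are arbitrary assumptions for illustration. On libpcap-based tools the same selection is the BPF filter `udp or not ip`.

```python
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_LLDP = 0x88CC
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17


def classify(frame: bytes) -> str:
    """Return 'tcp', 'udp', 'icmp', 'ip-other' or 'non-ip' for an Ethernet II frame."""
    if len(frame) < 14:
        return "non-ip"
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return "non-ip"  # ARP, LLDP, EAPOL, IPv6 ... all land here
    if len(frame) < 34:
        return "ip-other"  # truncated IPv4 header, cannot read the protocol byte
    proto = frame[14 + 9]  # IPv4 header byte 9 is the protocol number
    return {IPPROTO_TCP: "tcp", IPPROTO_UDP: "udp", IPPROTO_ICMP: "icmp"}.get(proto, "ip-other")


def wanted(frame: bytes, selected: set) -> bool:
    """Checkbox semantics: 'any' overrides everything, otherwise the boxes are ORed."""
    return "any" in selected or classify(frame) in selected


def capture(frames, selected, snaplen=None, buffer_limit=None):
    """Keep matching frames, cut to snaplen bytes, until buffer_limit bytes are used."""
    kept, used = [], 0
    for frame in frames:
        if not wanted(frame, selected):
            continue
        chunk = frame if snaplen is None else frame[:snaplen]
        if buffer_limit is not None and used + len(chunk) > buffer_limit:
            break  # buffer full: every later packet is lost, the failure mode in the thread
        kept.append(chunk)
        used += len(chunk)
    return kept


# --- constructed sample frames (checksums left zero; the filter never reads them) ---
def eth(ethertype, payload, dst=b"\xff" * 6, src=bytes.fromhex("001122334455")):
    return dst + src + struct.pack("!H", ethertype) + payload


def ipv4(proto, payload, src="192.0.2.10", dst="192.0.2.1"):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


ARP_REQUEST = eth(ETHERTYPE_ARP, struct.pack(
    "!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, 1,
    bytes.fromhex("001122334455"), ipaddress.IPv4Address("192.0.2.10").packed,
    b"\x00" * 6, ipaddress.IPv4Address("192.0.2.1").packed))
BOOTP = b"\x01\x01\x06\x00" + b"\x00" * 236  # minimal BOOTP body of a DHCPDISCOVER
DHCP_DISCOVER = eth(ETHERTYPE_IPV4, ipv4(
    IPPROTO_UDP, struct.pack("!HHHH", 68, 67, 8 + len(BOOTP), 0) + BOOTP,
    src="0.0.0.0", dst="255.255.255.255"))
TCP_SYN = eth(ETHERTYPE_IPV4, ipv4(
    IPPROTO_TCP, struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x02, 65535, 0, 0)))
ICMP_ECHO = eth(ETHERTYPE_IPV4, ipv4(IPPROTO_ICMP, struct.pack("!BBHHH", 8, 0, 0, 1, 1)))
LLDP = eth(ETHERTYPE_LLDP, b"\x02\x07\x04" + bytes.fromhex("001122334455") + b"\x00\x00",
           dst=bytes.fromhex("0180c200000e"))
FRAMES = [ARP_REQUEST, DHCP_DISCOVER, TCP_SYN, ICMP_ECHO, LLDP]

if __name__ == "__main__":
    for name, sel in [("UDP only", {"udp"}), ("UDP + non-IP", {"udp", "non-ip"}), ("any", {"any"})]:
        print(name, [classify(f) for f in capture(FRAMES, sel)])
    print("200-byte buffer, full frames:", len(capture(FRAMES, {"any"}, buffer_limit=200)))
    print("200-byte buffer, snaplen 96:", len(capture(FRAMES, {"any"}, snaplen=96, buffer_limit=200)))
```

With `{"udp"}` only the DHCPDISCOVER survives; with `{"udp", "non-ip"}` the ARP request and the LLDP frame come along, which is the combination the first post asks for. The buffer runs show the point of the reply: the 282-byte DHCP frame alone overflows a 200-byte buffer after the first packet, while a snaplen of 96 still keeps the headers that matter for classification and fits three packets.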
