Packet capture export contains no IPs or information in it

GrdLock

We're needing to grab a packet capture from a NSA 5600 and send to Cisco support - they're having trouble with a Meraki site-to-site VPN with our Sonicwall. Only problem, I do the packet capture, the data on the Sonicwall interface looks perfectly fine, however when I export it, I get nothing. Junk.

This is what the packet capture data looks like when exported. I tried html and text exports as well, same thing. Thought maybe it was a firmware bug, I upgraded the units to 6.5.4.5-53n, which I have on another Sonicwall that exports just fine, and same problem.

Not really sure what else to look at. We don't have support on the unit. Makes no sense why the data would be perfectly fine within the Sonicwall packet capture UI, but then export completely empty junk.

Anyone ever seen this?

Saravanan

Hi @GRDLOCK,

I hope you are safe and doing good.

As per your screenshot, the captured packets doesn't look like valid ones. I believe the packet monitor on the firewall is set for capturing packets based on only Interfaces. This could be the possible reason for invalid packets showing on this exported capture file.

My recommendation is to setup the packet monitor on the firewall for the scenario that you are in need of the capture file. For example, you want to trace and capture packets on the SonicWall for Internet access, you have to configure the packet monitor with information such as Ether Type: IP, IP Type: TCP, specify Source IP or Destination IP if you know. The interface name in the packet monitor field can be used along with these fields Ether Type, IP Type, etc,., for better capture results.

Please find the KB article for better view on the packet monitor feature of SonicWall and to capture the packets for any scenario in SonicWall.

https://www.sonicwall.com/support/knowledge-base/how-can-i-setup-and-utilize-the-packet-monitor-feature-for-troubleshooting/170513143911627/

I hope this helps you!!!

Please feel free to update here for any further clarifications.

BWC

Hi @GrdLock

you should set your Monitor Filter just for the relevant traffic, having non IP packet captured makes no sense. Never had any trouble that export got messed up that way you described.

--Michael@BWC

GrdLock

Looks like this did it... I had the monitor filter configured using two source IP addresses... so figured that was enough. However I just tried again and added IP for the ether type and TCP,UDP for the IP type, and now it exports properly.

Thanks!