Overview
You can monitor packet flow from the Cyberoam CLI using the tcpdump command.
tcpdump is a packet capture tool that intercepts and captures packets passing through a network interface, which makes it useful for understanding and troubleshooting network-layer problems. It helps in monitoring the packet flow arriving on an interface, the response to each packet, packet drops, and ARP information. tcpdump prints the headers of packets on a network interface that match a Boolean filter expression.
Note:
This utility is not of much help in identifying and troubleshooting application-layer problems.
Command Description
Use tcpdump from Cyberoam Telnet Console or from Cyberoam CLI.
Note:
Expressions can be combined using the logical operators and, or and not. Make sure to enclose combined expressions in single quotes.
1st line:
Brown color shows the timestamp of the packet
Green color shows the incoming interface
Purple color shows the direction of packet flow, i.e. IN/OUT
Blue color shows the source address that originates the request
Grey color shows the port used by the source address
Red color shows the destination IP address
Orange color shows the port of the destination
Maroon color shows the flag of the particular packet.
1st line shows a new connection originated by IP address 10.120.16.100 and destined for 192.168.1.39 to access FTP services. This is the first packet, so the flag is set to 'S' (Sync).
How To – Monitor Packet Flow in Cyberoam
2nd line: Cyberoam NATs the private IP 10.120.16.100 and sends the Sync request to 192.168.1.39 on its behalf using its own public IP 10.103.4.247.
3rd line: This packet is the response coming back from the server to Cyberoam with the Ack for the Sync packet. This is nothing but the "Syn-Ack" packet, with the flag set to 'S.'.
5th line: To complete the three-way handshake, the private IP sends an Ack packet to Cyberoam. The flag is set to '.'.
6th line: Cyberoam forwards the Ack packet to the FTP server.
For any TCP connection the first few lines represent the three-way handshake, which involves:
1. Source to Destination -- Sync
2. Destination to Source -- Sync-Ack
3. Source to Destination -- Ack
7th to 32nd lines: Push packets (data packets) containing the "P" and "P." flags.
33rd and 34th lines: Termination of the FTP connection. The FTP server sends a FIN packet to Cyberoam, which forwards it to the private IP.
35th and 36th packets: The private IP sends an Ack packet to Cyberoam, which forwards it to the FTP server.
37th and 38th lines: The private IP sends a FIN packet to Cyberoam, which forwards it to the FTP server.
39th and 40th packets: The server sends an Ack packet to Cyberoam, which forwards it to the private IP.
Flag Information:
Advanced Usage
Use these ipsec ports to monitor VPN traffic, e.g. tcpdump "-i ipsec0"