How To – Monitor Packet Flow in Cyberoam


Applicable Version: 10.00 onwards

Overview
You can monitor packet flow from the Cyberoam CLI using the tcpdump command.

tcpdump is a packet capture tool that intercepts and captures packets passing through a
network interface, making it useful for understanding and troubleshooting network-layer problems. It
helps in monitoring the packets arriving on an interface, the response to each packet, packet drops, and ARP
information. tcpdump prints the headers of those packets on a network interface that match the given Boolean
expression.

Note:

This utility is of little help in identifying and troubleshooting application-layer problems.

Command Description
Use tcpdump from Cyberoam Telnet Console or from Cyberoam CLI.

Traffic to view: tcpdump command (example)

specific host: tcpdump 'host <ipaddress>' (e.g. tcpdump 'host 10.10.10.1')
specific source host: tcpdump 'src host <ipaddress>' (e.g. tcpdump 'src host 10.10.10.1')
specific destination host: tcpdump 'dst host <ipaddress>' (e.g. tcpdump 'dst host 10.10.10.1')
specific network: tcpdump 'net <network address>' (e.g. tcpdump 'net 10.10.10')
specific source network: tcpdump 'src net <network address>' (e.g. tcpdump 'src net 10.10.10')
specific destination network: tcpdump 'dst net <network address>' (e.g. tcpdump 'dst net 10.10.10')
specific port: tcpdump 'port <port-number>' (e.g. tcpdump 'port 21')
specific source port: tcpdump 'src port <port-number>' (e.g. tcpdump 'src port 21')
specific destination port: tcpdump 'dst port <port-number>' (e.g. tcpdump 'dst port 21')
specific host on a particular port: tcpdump 'host <ipaddress> and port <port-number>' (e.g. tcpdump 'host 10.10.10.1 and port 21')
specific host on all ports except SSH: tcpdump 'host <ipaddress> and port not <port-number>' (e.g. tcpdump 'host 10.10.10.1 and port not 22')
specific protocol: tcpdump 'proto ICMP', tcpdump 'proto UDP', tcpdump 'proto TCP', tcpdump 'arp'
particular interface: tcpdump interface <interface> (e.g. tcpdump interface PortB)
specific port on a particular interface: tcpdump interface <interface> 'port <port-number>' (e.g. tcpdump interface PortB 'port 21')
Note:

Expressions can be combined using the logical operators AND and OR, and negated with NOT. Make sure to
enclose the combined expression in single quotes.

Analyzing TCPDUMP Output

console> tcpdump 'port 21'

tcpdump: Starting Packet Dump

1. 13:27:14.453378 PortA, IN: IP 10.120.16.100.59349 > 192.168.1.39.21: Flags [S], seq 3632672926, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
2. 13:27:14.453983 PortB, OUT: IP 10.103.4.247.59349 > 192.168.1.39.21: Flags [S], seq 3632672926, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
3. 13:27:14.685967 PortB, IN: IP 192.168.1.39.21 > 10.103.4.247.59349: Flags [S.], seq 1058429879, ack 3632672927, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 8], length 0
4. 13:27:14.686378 PortA, OUT: IP 192.168.1.39.21 > 10.120.16.100.59349: Flags [S.], seq 1058429879, ack 3632672927, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 8], length 0
5. 13:27:14.686903 PortA, IN: IP 10.120.16.100.59349 > 192.168.1.39.21: Flags [.], ack 1, win 2048, length 0
6. 13:27:14.687140 PortB, OUT: IP 10.103.4.247.59349 > 192.168.1.39.21: Flags [.], ack 1, win 2048, length 0
7. 13:27:14.921018 PortB, IN: IP 192.168.1.39.21 > 10.103.4.247.59349: Flags [P.], ack 1, win 23, length 20
8. 13:27:14.921397 PortA, OUT: IP 192.168.1.39.21 > 10.120.16.100.59349: Flags [P.], ack 1, win 23, length 20
9. 13:27:15.121914 PortA, IN: IP 10.120.16.100.59349 > 192.168.1.39.21: Flags [.], ack 21, win 2043, length 0
10. 13:27:15.122249 PortB, OUT: IP 10.103.4.247.59349 > 192.168.1.39.21: Flags [.], ack 21, win 2043, length 0
11. 13:27:18.781053 PortA, IN: IP 10.120.16.100.59349 > 192.168.1.39.21: Flags [P.], ack 21, win 2043, length 19
12. 13:27:18.781424 PortB, OUT: IP 10.103.4.247.59349 > 192.168.1.39.21: Flags [P.], ack 21, win 2043, length 19
13. 13:27:19.013605 PortB, IN: IP 192.168.1.39.21 > 10.103.4.247.59349: Flags [.], ack 20, win 23, length 0
14. 13:27:19.013629 PortB, IN: IP 192.168.1.39.21 > 10.103.4.247.59349: Flags [P.], ack 20, win 23, length 34
15. 13:27:19.014028 PortA, OUT: IP 192.168.1.39.21 > 10.120.16.100.59349: Flags [.], ack 20, win 23, length 0
16. 13:27:19.014257 PortA, OUT: IP 192.168.1.39.21 > 10.120.16.100.59349: Flags [P.], ack 20, win 23, length 34
17. 13:27:19.213374 PortA, IN: IP 10.120.16.100.59349 > 192.168.1.39.21: Flags [.], ack 55, win 2034, length 0
18. 13:27:19.213734 PortB, OUT: IP 10.103.4.247.59349 > 192.168.1.39.21: Flags [.], ack 55, win 2034, length 0
19. 13:27:21.429606 PortA, IN: IP 10.120.16.100.59349 > 192.168.1.39.21: Flags [P.], ack 55, win 2034, length 22
20. 13:27:21.430018 PortB, OUT: IP 10.103.4.247.59349 > 192.168.1.39.21: Flags [P.], ack 55, win 2034, length 22
21. 13:27:21.701511 PortB, IN: IP 192.168.1.39.21 > 10.103.4.247.59349: Flags [.], ack 42, win 23, length 0
22. 13:27:21.701820 PortA, OUT: IP 192.168.1.39.21 > 10.120.16.100.59349: Flags [.], ack 42, win 23, length 0
23. 13:27:21.970660 PortB, IN: IP 192.168.1.39.21 > 10.103.4.247.59349: Flags [P.], ack 42, win 23, length 23
24. 13:27:21.971040 PortA, OUT: IP 192.168.1.39.21 > 10.120.16.100.59349: Flags [P.], ack 42, win 23, length 23
25. 13:27:22.173594 PortA, IN: IP 10.120.16.100.59349 > 192.168.1.39.21: Flags [.], ack 78, win 2028, length 0
26. 13:27:22.173909 PortB, OUT: IP 10.103.4.247.59349 > 192.168.1.39.21: Flags [.], ack 78, win 2028, length 0
27. 13:27:23.188769 PortA, IN: IP 10.120.16.100.59349 > 192.168.1.39.21: Flags [P.], ack 78, win 2028, length 6
28. 13:27:23.189153 PortB, OUT: IP 10.103.4.247.59349 > 192.168.1.39.21: Flags [P.], ack 78, win 2028, length 6
29. 13:27:23.421626 PortB, IN: IP 192.168.1.39.21 > 10.103.4.247.59349: Flags [.], ack 48, win 23, length 0
30. 13:27:23.421651 PortB, IN: IP 192.168.1.39.21 > 10.103.4.247.59349: Flags [P.], ack 48, win 23, length 14
31. 13:27:23.422035 PortA, OUT: IP 192.168.1.39.21 > 10.120.16.100.59349: Flags [.], ack 48, win 23, length 0
32. 13:27:23.422266 PortA, OUT: IP 192.168.1.39.21 > 10.120.16.100.59349: Flags [P.], ack 48, win 23, length 14
33. 13:27:23.423114 PortB, IN: IP 192.168.1.39.21 > 10.103.4.247.59349: Flags [F.], seq 92, ack 48, win 23, length 0
34. 13:27:23.423299 PortA, OUT: IP 192.168.1.39.21 > 10.120.16.100.59349: Flags [F.], seq 92, ack 48, win 23, length 0
35. 13:27:23.424184 PortA, IN: IP 10.120.16.100.59349 > 192.168.1.39.21: Flags [.], ack 93, win 2025, length 0
36. 13:27:23.424419 PortB, OUT: IP 10.103.4.247.59349 > 192.168.1.39.21: Flags [.], ack 93, win 2025, length 0
37. 13:27:23.426540 PortA, IN: IP 10.120.16.100.59349 > 192.168.1.39.21: Flags [F.], seq 48, ack 93, win 2025, length 0
38. 13:27:23.426760 PortB, OUT: IP 10.103.4.247.59349 > 192.168.1.39.21: Flags [F.], seq 48, ack 93, win 2025, length 0
39. 13:27:24.135438 PortB, IN: IP 192.168.1.39.21 > 10.103.4.247.59349: Flags [.], ack 49, win 23, length 0
40. 13:27:24.135726 PortA, OUT: IP 192.168.1.39.21 > 10.120.16.100.59349: Flags [.], ack 49, win 23, length 0

1st line (the colours named below refer to the highlighting used in the original document):
Brown shows the timestamp of the packet
Green shows the incoming interface
Purple shows the direction of packet flow, i.e. IN/OUT
Blue shows the source address that originates the request
Grey shows the port used by the source address
Red shows the destination IP address
Orange shows the destination port
Maroon shows the flags of the particular packet.

1st line: A new connection originated by the 10.120.16.100 IP address and destined for
192.168.1.39 to access FTP services. This is the first packet, so the flag is set to 'S' (Syn).

2nd line: Cyberoam NATs the private IP 10.120.16.100 and sends the Syn request to 192.168.1.39 on
its behalf using its own public IP 10.103.4.247.

3rd line: This packet is the response coming back from the server to Cyberoam with an Ack for the Syn packet.
This is the "Syn-Ack" packet, with the flags set to 'S.'.

4th line: Cyberoam forwards the Syn-Ack packet to the private IP.

5th line: To complete the three-way handshake, the private IP sends an Ack packet to Cyberoam. The flag is set to
'.'.

6th line: Cyberoam forwards the Ack packet to the FTP server.

For any TCP connection the first few lines represent the three-way handshake, which involves
1. Source to Destination -- Syn
2. Destination to Source -- Syn-Ack
3. Source to Destination -- Ack

7th to 32nd lines: Push packets (data packets) carrying the "P" and "P." flags.

33rd and 34th lines: Termination of the FTP connection. The FTP server sends a FIN packet to Cyberoam, which
forwards it to the private IP.

35th and 36th packets: The private IP sends an Ack packet to Cyberoam, which forwards it to the FTP server.

37th and 38th lines: The private IP sends a FIN packet to Cyberoam, which forwards it to the FTP server.

39th and 40th packets: The server sends an Ack packet to Cyberoam, which forwards it to the private IP.

Flag Information:

S – Syn packet for a new connection
S. – Syn packet with "ack"
P. – Push packet containing data
. – No data, only "ack"
F. – FIN packet, which signals termination of the connection
R – Reset packet; the packet was dropped somewhere in between at the firewall end
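To read a capture like the one above mechanically, here is an added Python example (not part of the Cyberoam document) that parses the summary lines, recovers the source-NAT mapping from consecutive IN/OUT pairs on different interfaces, and checks that the three-way handshake completed on the inside interface and whether any reset or FIN appeared. The sample lines are copied from the capture above; treating PortA as the inside interface is an assumption taken from that capture.

```python
import re

# Sample lines taken from the capture shown in this document (packets 1 to 6 and 33).
SAMPLE = """\
1. 13:27:14.453378 PortA, IN: IP 10.120.16.100.59349 > 192.168.1.39.21: Flags [S], seq 3632672926, win 8192, length 0
2. 13:27:14.453983 PortB, OUT: IP 10.103.4.247.59349 > 192.168.1.39.21: Flags [S], seq 3632672926, win 8192, length 0
3. 13:27:14.685967 PortB, IN: IP 192.168.1.39.21 > 10.103.4.247.59349: Flags [S.], seq 1058429879, ack 3632672927, win 5840, length 0
4. 13:27:14.686378 PortA, OUT: IP 192.168.1.39.21 > 10.120.16.100.59349: Flags [S.], seq 1058429879, ack 3632672927, win 5840, length 0
5. 13:27:14.686903 PortA, IN: IP 10.120.16.100.59349 > 192.168.1.39.21: Flags [.], ack 1, win 2048, length 0
6. 13:27:14.687140 PortB, OUT: IP 10.103.4.247.59349 > 192.168.1.39.21: Flags [.], ack 1, win 2048, length 0
33. 13:27:23.423114 PortB, IN: IP 192.168.1.39.21 > 10.103.4.247.59349: Flags [F.], seq 92, ack 48, win 23, length 0
""".splitlines()

# One Cyberoam tcpdump summary line: optional "N." counter, timestamp, interface,
# direction, "IP src.sport > dst.dport:" and the flag letters in brackets.
LINE_RE = re.compile(
    r"^(?:\d+\.\s+)?(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<iface>\w+), (?P<dir>IN|OUT): IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse(line):
    """Return the fields of one summary line, or None for banner/continuation lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    p = m.groupdict()
    p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
    return p

def analyze(lines, inside_iface="PortA"):
    """Report source-NAT mappings, handshake completion, resets and FINs for a capture."""
    pkts = [p for p in map(parse, lines) if p]
    nat = {}
    for prev, cur in zip(pkts, pkts[1:]):
        # The same flow seen IN on one interface and OUT on another with a changed
        # source address is the firewall's source NAT (2nd line of the walkthrough).
        if ((prev["dir"], cur["dir"]) == ("IN", "OUT") and prev["iface"] != cur["iface"]
                and (prev["dst"], prev["sport"], prev["dport"]) == (cur["dst"], cur["sport"], cur["dport"])
                and prev["src"] != cur["src"]):
            nat[(prev["src"], prev["sport"])] = cur["src"]
    # On the inside interface the first three flags of a healthy TCP session read S, S., .
    inside_flags = [p["flags"] for p in pkts if p["iface"] == inside_iface]
    return {
        "nat": nat,
        "handshake_complete": inside_flags[:3] == ["S", "S.", "."],
        "resets": sum(1 for p in pkts if "R" in p["flags"]),
        "fin_seen": any(p["flags"].startswith("F") for p in pkts),
    }
```

A missing 'S.' on the inside interface or a reset counted here is the first thing to look for when a client reports that a session through the firewall never comes up.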
Advanced Usage

- To view packet contents in hexadecimal notation, execute the following command:

console> tcpdump hex "port 23"

tcpdump: Starting Packet Dump

13:40:40.737451 PortA, OUT: IP 10.120.16.1.23 > 10.120.16.100.59384: Flags [S.], seq 279170894, ack 2807241456, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 6], length 0
0x0000: 4500 0034 0000 4000 4006 0570 0a78 1001
0x0010: 0a78 1064 0017 e7f8 10a3 cf4e a753 1af0
0x0020: 8012 16d0 9898 0000 0204 05b4 0101 0402
0x0030: 0103 0306

13:40:40.738181 PortA, IN: IP 10.120.16.100.59384 > 10.120.16.1.23: Flags [.], ack 1, win 4096, length 0
0x0000: 4500 0028 535b 4000 4006 b220 0a78 1064
0x0010: 0a78 1001 e7f8 0017 a753 1af0 10a3 cf4f
0x0020: 5010 1000 e039 0000 0000 0000 0000

13:40:40.760134 PortA, IN: IP 10.120.16.100.59384 > 10.120.16.1.23: Flags [P.], ack 1, win 4096, length 3
0x0000: 4500 002b 535d 4000 4006 b21b 0a78 1064
0x0010: 0a78 1001 e7f8 0017 a753 1af0 10a3 cf4f
0x0020: 5018 1000 dd30 0000 fffd 0300 0000

13:40:40.760187 PortA, OUT: IP 10.120.16.1.23 > 10.120.16.100.59384: Flags [.], ack 4, win 92, length 0
0x0000: 4500 0028 fda1 4000 4006 07da 0a78 1001
0x0010: 0a78 1064 0017 e7f8 10a3 cf4f a753 1af3
0x0020: 5010 005c efda 0000

13:40:40.773653 PortA, OUT: IP 10.120.16.1.23 > 10.120.16.100.59384: Flags [P.], ack 4, win 92, length 15
0x0000: 4500 0037 fda2 4000 4006 07ca 0a78 1001
0x0010: 0a78 1064 0017 e7f8 10a3 cf4f a753 1af3
0x0020: 5018 005c 357e 0000 fffd 01ff fd1f fffd
0x0030: 21ff fb01 fffb 03

13:40:40.774271 PortA, IN: IP 10.120.16.100.59384 > 10.120.16.1.23: Flags [P.], ack 16, win 4092, length 21
0x0000: 4500 003d 535f 4000 4006 b207 0a78 1064
0x0010: 0a78 1001 e7f8 0017 a753 1af3 10a3 cf5e
0x0020: 5018 0ffc 24d8 0000 fffc 01ff fb1f fffa
0x0030: 1f00 8400 2dff f0ff fb21 fffd 01
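The hex lines can be checked against the summary line by hand, but it is quicker to decode them. The following Python decoder is an added example (not part of the Cyberoam document): it rebuilds the first packet above from its hex lines and recovers the fields tcpdump printed for it (addresses and ports, the S. flags, seq/ack, window and payload length). The flag letters follow tcpdump's own convention, with "." standing for ACK.

```python
import ipaddress
import struct

# First packet of the "tcpdump hex" output shown above, copied from this document.
SAMPLE_HEX = """
0x0000: 4500 0034 0000 4000 4006 0570 0a78 1001
0x0010: 0a78 1064 0017 e7f8 10a3 cf4e a753 1af0
0x0020: 8012 16d0 9898 0000 0204 05b4 0101 0402
0x0030: 0103 0306
"""

# tcpdump's flag letters in the order it prints them; "." stands for ACK.
TCP_FLAG_LETTERS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, ".")]

def hex_dump_to_bytes(dump):
    """Turn the 'offset: xxxx xxxx ...' lines back into the raw packet bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _, _, words = line.partition(":")
        out += bytes.fromhex(words.replace(" ", ""))
    return bytes(out)

def decode_ipv4_tcp(pkt):
    """Decode the IPv4 and TCP headers into the fields of tcpdump's summary line."""
    if pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (pkt[0] & 0x0F) * 4                      # IPv4 header length in bytes
    total_len = struct.unpack("!H", pkt[2:4])[0]   # bytes beyond this are link-layer padding
    src = ipaddress.IPv4Address(pkt[12:16])
    dst = ipaddress.IPv4Address(pkt[16:20])
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", pkt[ihl:ihl + 16])
    doff = (off_flags >> 12) * 4                   # TCP header length, options included
    flags = "".join(c for bit, c in TCP_FLAG_LETTERS if off_flags & bit)
    return {
        "src": f"{src}.{sport}", "dst": f"{dst}.{dport}", "flags": flags,
        "seq": seq, "ack": ack, "win": win,        # absolute; tcpdump prints relative values after the handshake
        "length": total_len - ihl - doff,          # TCP payload bytes, tcpdump's "length N"
    }
```

The third packet above decodes to a 3-byte payload (fffd 03) even though its dump carries 46 bytes, because the trailing zeros are Ethernet padding outside the IP total length.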

- To view packet contents with Ethernet or other layer 2 header information, execute the following command:

console> tcpdump llh 'host 10.120.16.1'

tcpdump: Starting Packet Dump

13:37:58.229889 PortA, OUT: Out 00:0d:48:32:a4:cb ethertype IPv4 (0x0800), length 815: 10.120.16.1.40772 > 10.120.16.250.514: SYSLOG daemon.info, length: 771
13:37:58.269046 PortA, OUT: Out 00:0d:48:32:a4:cb ethertype IPv4 (0x0800), length 812: 10.120.16.1.40772 > 10.120.16.250.514: SYSLOG daemon.info, length: 768
13:37:58.679279 PortA, OUT: Out 00:0d:48:32:a4:cb ethertype IPv4 (0x0800), length 812: 10.120.16.1.40772 > 10.120.16.250.514: SYSLOG daemon.info, length: 768
13:37:58.746161 PortA, OUT: Out 00:0d:48:32:a4:cb ethertype IPv4 (0x0800), length 837: 10.120.16.1.40772 > 10.120.16.250.514: SYSLOG daemon.info, length: 793
13:37:58.763740 PortA, OUT: Out 00:0d:48:32:a4:cb ethertype IPv4 (0x0800), length 763: 10.120.16.1.40772 > 10.120.16.250.514: SYSLOG daemon.info, length: 719
13:37:58.781331 PortA, OUT: Out 00:0d:48:32:a4:cb ethertype IPv4 (0x0800), length 824: 10.120.16.1.40772 > 10.120.16.250.514: SYSLOG daemon.info, length: 780
13:37:58.825464 PortA, OUT: Out 00:0d:48:32:a4:cb ethertype IPv4 (0x0800), length 667: 10.120.16.1.40772 > 10.120.16.250.514: SYSLOG daemon.info, length: 623
13:37:59.077341 PortA, OUT: Out 00:0d:48:32:a4:cb ethertype IPv4 (0x0800), length 825: 10.120.16.1.40772 > 10.120.16.250.514: SYSLOG daemon.info, length: 781
Generate a binary file of the traffic log captured with custom parameters

Cyberoam can also save the tcpdump output to a binary file that you download from the Telnet
Console. The file contains the troubleshooting information needed to analyze the traffic with an advanced tool
such as Ethereal (now Wireshark) and is intended for the Cyberoam Support team.

To save the output in a downloadable file, log on to the Telnet Console:

- Go to Option 4 Cyberoam Console

- At the command prompt, issue the command:
tcpdump <criteria> filedump

Cyberoam saves this file under the name tcpdump.pcap.

Download it from http://<cyberoam_ip>/documents/tcpdump.pcap and email the file to the
Cyberoam Support team at support@cyberoam.com. The capture holds the full payload of any unencrypted
session it matched (such as the FTP and telnet examples above), so treat the file as sensitive.

Monitoring VPN traffic


Cyberoam automatically configures an IPSec VPN interface for each configured WAN port. For
example, if Port B and Port C are configured as WAN ports, Cyberoam configures ipsec0 and
ipsec1 for Port B and Port C respectively.

Use these ipsec interfaces to monitor VPN traffic, e.g. tcpdump "-i ipsec0"

Document Version: 3.0 - 27/09/2012
