
wireshark .pcap - capture before or after firewall

When doing a packet capture on an adtran, as referenced here:

https://supportforums.adtran.com/thread/1442


When is the packet captured for inbound WAN traffic? Before or after the firewall?


What I want to find out is if the firewall is dropping the packet or not. If the capture happens after the firewall, the test would not be a valid test; however, if it is before the Adtran takes any firewall or NAT actions, then I should have a good test.


Thanks!

Accepted Solutions
Re: wireshark .pcap - capture before or after firewall

@andrew-jive - Thanks for posting your question on the forum!

To answer your question, the packet capture will show the packet before the firewall takes any action on it. For example, if you were attempting to get a packet capture of pings hitting the NetVanta WAN IP, and pings were being blocked on the firewall, you would still see the packet hit the router and in your debug before the firewall dropped it.

If the unit is running a firewall, you will probably see every packet twice (once entering the firewall & once leaving, depending on the ACL you are using); the second may be after a NAT process if NAT is enabled. Furthermore, if the traffic is across a VPN, the second packet will not be seen since it enters/leaves the router encapsulated in VPN.


Let us know if you have any further questions.


Thanks,

Noor

5 Replies
Re: wireshark .pcap - capture before or after firewall

Noor,

Thanks. For some reason, when I capture, I'm not seeing the double you speak of for any of the inbound traffic. I do, however, see double (before and after NAT) for the outbound traffic.

All I have set up is the following:

ip access-list extended TEST
  permit udp any any range 5060 5061
!

then I run:

debug ip packet TEST dump

Re: wireshark .pcap - capture before or after firewall

@andrew-jive - Could you post your access-policies, ACLs referenced in the access-policies, and which interfaces they are assigned to? Please remember to remove any information that may be sensitive to your network.

Thanks,

Noor

Re: wireshark .pcap - capture before or after firewall

!
!
interface eth 0/1
  ip address  192.168.103.1  255.255.255.0
  ip address  3.3.3.3  255.255.255.248  secondary
  access-policy Private
  media-gateway ip primary
  no shutdown
!
!
interface t1 0/1
  tdm-group 1 timeslots 1-24 speed 64
  no shutdown
!
!
interface ppp 1
  description ppp 1
  ip address  1.1.1.2  255.255.255.252
  access-policy Public
  media-gateway ip primary
  qos-policy out ppp1QosWizard
  no shutdown
  cross-connect 1 t1 0/1 1 ppp 1
!
!
!
ip access-list standard jiveAllow
  remark Allow list jiveAllow
  permit 4.4.4.4 0.0.3.255
  permit 4.4.4.4 0.0.3.255
!
ip access-list standard srcLAN
  permit 3.3.3.3 0.0.0.7
!
ip access-list standard voiceLAN
  permit 192.168.103.0 0.0.0.255
!
ip access-list standard wizard-ics
  remark NAT list wizard-ics
  permit any
!
!
ip access-list extended adminAccess
  permit tcp any  host 1.1.1.2 eq ssh
  permit tcp any  host 1.1.1.2 eq https
  permit icmp any  host 1.1.1.2
!
ip access-list extended lanblock
  permit ip any  any
!
ip access-list extended self
  remark Traffic to Total Access
  permit ip any  any     log
!
ip access-list extended test
  permit udp any  any range 5060 5061
!
ip access-list extended web-acl-8
  permit ip any  any
!
!
ip policy-class Private
  allow list self self
  nat source list voiceLAN interface ppp 1 overload
  allow list srcLAN
!
ip policy-class Public
  allow list jiveAllow
  allow list adminAccess self
  allow list lanblock
!
!

Re: wireshark .pcap - capture before or after firewall

Noor,

To update, I am seeing some of the traffic before and after on the inbound stream, but it turns out it's only some of it. In particular, I'm looking at the NAT keep-alives, which are SIP OPTIONS. I've got a ticket in with support. I'd like to keep this thread going, but I'm not comfortable posting the packet capture, which is what will make the rest of this thread interesting.

But in summary, I see all of the SIP OPTIONS on the outside of the firewall; the second packet you would see is after the Adtran NATs. I have several phones behind the Adtran, but I only see both packets, before and after, when the outside port is 5060. The rest of the sessions negotiate an off port, and for all of these off-port sessions you only see the packet outside of the firewall; the packet never gets NAT'd in, for some reason, it appears.
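Noor's rule (a forwarded packet appears twice in the `debug ip packet ... dump` capture, the second copy possibly NAT-translated; a dropped packet appears once) and the last post's observation (only the port-5060 SIP OPTIONS show both copies) can be turned into an automated check over a capture. The example below is added here and is not code from the thread or from ADTRAN; it assumes packets have already been decoded into (src, sport, dst, dport, proto, payload) records, and the sample capture, including the phone address 192.168.103.10 and the Call-IDs, is constructed.

```python
"""Pair pre- and post-firewall copies of captured datagrams to spot drops."""
from collections import OrderedDict
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    payload: bytes


def flow_key(p: Pkt) -> tuple:
    """NAT rewrites addresses and ports but not the UDP payload, so the pre-
    and post-NAT copies of one datagram share a protocol + payload digest."""
    return (p.proto, hashlib.sha256(p.payload).hexdigest())


def audit(pkts: list) -> list:
    """One verdict per distinct datagram, in capture order:
    (first copy, copies seen, NAT-translated?, verdict text)."""
    groups = OrderedDict()
    for p in pkts:
        groups.setdefault(flow_key(p), []).append(p)
    out = []
    for copies in groups.values():
        first, last = copies[0], copies[-1]
        if len(copies) == 1:
            out.append((first, 1, False, "seen once: not forwarded (policy drop, or left via VPN)"))
            continue
        # Endpoints differ between first and last copy only if a NAT rule rewrote them.
        natted = (first.src, first.sport, first.dst, first.dport) != (last.src, last.sport, last.dst, last.dport)
        out.append((first, len(copies), natted, "seen twice: forwarded" + (" after NAT" if natted else "")))
    return out


def sip_options(dst: str, dport: int, call_id: str) -> bytes:
    # Constructed SIP OPTIONS keep-alive; the Call-ID keeps each datagram distinct.
    return f"OPTIONS sip:{dst}:{dport} SIP/2.0\r\nCall-ID: {call_id}\r\n\r\n".encode()


# Constructed capture modelled on the thread: WAN IP 1.1.1.2, phone at 192.168.103.10 (assumed).
SAMPLE = [
    Pkt("4.4.4.4", 5060, "1.1.1.2", 5060, "udp", sip_options("1.1.1.2", 5060, "ka-1")),          # enters firewall
    Pkt("4.4.4.4", 5060, "192.168.103.10", 5060, "udp", sip_options("1.1.1.2", 5060, "ka-1")),   # leaves, NAT'd in
    Pkt("4.4.4.4", 5060, "1.1.1.2", 49152, "udp", sip_options("1.1.1.2", 49152, "ka-2")),        # off-port, once
]

if __name__ == "__main__":
    for first, n, natted, verdict in audit(SAMPLE):
        print(f"{first.src}:{first.sport} -> {first.dst}:{first.dport} x{n}: {verdict}")
```

A datagram reported once is the one to check against the `ip policy-class` entries on the inbound interface; per Noor's caveat, VPN-bound traffic also shows once without having been dropped.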