Meaning of numbers on Watchguard Traffic Monitor

traffic

When looking at Traffic Monitor, you will see columns of numbers. However not all of them are apparent on what they are for. Unfortunately I don't have enough reputation to post images but I'll try to explain what I'm looking at.

Can someone let me know the following. Thanks.
1) What are the numbers on Column 7, 12, and 13?
2) What's the difference between what's shown on columns 6 and 8?

Column  Description
1   Date
2   Time
3   Shows "Allowed", Deny", etc
4   Source IP
5   Destination IP the Source IP is trying to target (ie Firebox's external IP for incoming traffic)
6   Protocol (Port name and sometimes Port number is shown also)
7   Unknown
8   Protocol (Port number but not sure difference from column 5 above)
9   Network from which Source IP originates from
10  Network to which Destination IP is at
11  Shows "Allowed", "blocked ports", etc
12  Unknown
13  Unknown
14  Policy name

Best Answer

Guys I found the answer! On Firebox System Manager (the one where you use to look at Traffic Monitor), click on File -> Settings. Check the "Show Log Field Names" box and click OK. Here are the answers:

Date
Time
Permission (ie Allow, Deny, etc)
src_ip
dst_ip
pr (ie the looked up protocol such as ntp/udp, 8080/udp, 6699/udp, netbios-ns/udp, dns/udp, etc)
src_port
dst_port
src_intf
dst_intf
msg
pckt_len
ttl
policy (ie the policy you figured in the Policy Manager or an internal firebox policy)
proxy_action (I'm not seeing anything here but there's actually a column for this)
proc_id (Mine are showing "firewall")
rc (no idea what this is)
src_ip_nat
src_port_nat

Related Solutions

How to filter http traffic in Wireshark

Ping packets should use an ICMP type of 8 (echo) or 0 (echo reply), so you could use a capture filter of:

icmp

and a display filter of:

icmp.type == 8 || icmp.type == 0

For HTTP, you can use a capture filter of:

tcp port 80

or a display filter of:

tcp.port == 80

or:

http

Note that a filter of http is not equivalent to the other two, which will include handshake and termination packets.

If you want to measure the number of connections rather than the amount of data, you can limit the capture or display filters to one side of the communication. For example, to capture only packets sent to port 80, use:

dst tcp port 80

Couple that with an http display filter, or use:

tcp.dstport == 80 && http

For more on capture filters, read "Filtering while capturing" from the Wireshark user guide, the capture filters page on the Wireshark wiki, or pcap-filter (7) man page. For display filters, try the display filters page on the Wireshark wiki. The "Filter Expression" dialog box can help you build display filters.

Internet Traffic – Best Way to Monitor for Entire Office

I would recommend against using wireshark to monitor traffic. You'll just get too much data, but you have a hard time analyzing the data. If you need to look at/troubleshoot the interaction between a couple machines, wireshark is great. As a monitoring tool, IMHO, wireshark is not quite the tool you need.

Profile the network traffic. Try out some actual monitoring tools: http://sectools.org/traffic-monitors.html. You're looking for Top Type of traffic (likely HTTP, but who knows), Top Talkers (should be your servers, but who knows), and potentially Malformed Traffic (large amount of TCP retransmissions, malformed packets, high rates of very small packets. Probably won't see, but who knows)
At the same time, work with your management to develop a network resource usage policy. In general, business terms, what business needs does the computer network exist to meet, and what are appropriate uses of the resource. This thing is costing money, so there has to be a business justification for its very existence. Your company has policies for handling the "petty cash" drawer, and I would bet your network infrastructure costs a lot more that. The key thing to focus on is not catching people doing bad things but rather watching for potential malicious activity that is degrading network functionality (i.e., the employees' ability to get their work done). Southern Fried Security Podcast and PaulDotCom Security Weekly cover information about creating appropriate security policies.
@John_Rabotnik idea for a proxy server was great. Implement a proxy server for web traffic. Compared to traditional firewalls, proxy servers give you much better visibility into what is going on as well as more granular control over what traffic to allow (for example, real web sites) and what traffic to block (URLs made up of [20 random characters].com)
Let people know - the network is having a problem. You are monitoring the network traffic. Give them a mechanism to register network slowdowns, and capture enough meta-data about the report so that in aggregate, you might be able to analyze network performance. Communicate with your coworkers. They want you to do a good job so that they can do a good job. You are on the same team.
As a general rule, block everything, and then allow what should be allowed. Your monitoring from step one should let you know what needs to be allowed, as filtered through your network usage/security policy. Your policy should also include a mechanism by which a manager can request new kinds of access be granted.

In summary, step one, the traffic monitoring (Nagios seems to be a standard tool) helps you figure out, in general, what is going on to stop the immediate pain. Steps 2 - 5 help prevent the problem in the future.

Best Answer

Related Solutions

How to filter http traffic in Wireshark

Internet Traffic – Best Way to Monitor for Entire Office

Related Topic