Logging packets

Packet logging

This function enables monitoring of IPv4 or IPv6 packets according to a user-defined log expression. The expression is written with the variables and operators described below.

Packet logging can be cancelled by removing the expression entry.

NOTE

Kerio Control also offers a packet dump. The packet dump saves the selected traffic to a file which can be downloaded and opened in Wireshark. See the Creating and downloading packet dumps section.

Configuring packet logging

  1. In the administration interface, go to Logs > Debug.
  2. In the context menu, click Packet Logging.
  3. Type an expression.
  4. Click OK.

Logical Expression

Packets can be described by logical expressions following this pattern:

variable1 = value1 & variable2 = value2 | variable3 = value3

where:

  • variable1 ... variableN are characteristic information about the packet (see below)
  • & is the logical operator and
  • | is the logical operator or

Interpretation of logical expressions

Expressions are parsed according to the priority of the individual operators: the & operator is parsed before |. If multiple conditions are connected by the same operator, the expression is parsed from left to right. If necessary, parentheses can be used to determine the priority of conditions:

variable1 = value1 & (variable2 = value2 | variable3 = value3)

Variables

The following variables can be used in logical expressions defining packets:

any

All IP packets are logged (the condition is always met). Combining any with other conditions is therefore pointless.

addr

Source or destination IP address of the packet.

saddr

Source IP address.

daddr

Destination IP address.

Define conditions for addr, saddr, daddr as follows:

Condition Description
= 1.2.3.4 IPv4 address of the host
= 1.2.3.4/255.255.255.0 subnet defined by the network IPv4 address and a corresponding subnet mask
= 1.2.3.4/24 subnet defined by the network IPv4 address and number of bits of the corresponding subnet mask
= 1.2.3.4-1.2.3.10 IPv4 range (inclusive)
= 2001:abcd:1234::1 IPv6 address of the host
= list:"name of IP group" IP address group
= user:"user1,user2,[group1],user3,[group2]" IP addresses of hosts from which the users are connected

For IPv6, only host addresses can be entered. A subnet (prefix and prefix length) or an address range cannot be specified.

port

Source or destination port number (TCP or UDP).

sport

Source port number.

dport

Destination port number.

if

Interface (in any direction).

iif

Incoming interface.

oif

Outgoing interface.

Allowed conditions:

Condition Description
= "interface name" Interface name used by Kerio Control
= vpnclient Any VPN client
= vpn Any VPN tunnel
= vpn:"name of VPN connection" The VPN connection (tunnel) with the given name

direc

Packet direction:

  • = in — incoming packet
  • = out — outgoing packet

tcpfl

Flags in TCP header.

Options: FIN SYN RST PSH ACK URG NONE (none) ALL (all).

Any TCP packet in which the specified flags are set (their value is 1) meets the condition. Flags not named in the specification are ignored.

Individual flags in the tcpfl variable can be prefixed with the + symbol (the flag must be set) or the - symbol (the flag must be clear). A flag written without a prefix is treated as +.

Example: The expression tcpfl = SYN +ACK -RST is met by any packet that has SYN and ACK set and RST clear.

Examples

This logical expression defines Microsoft Networking service packets at the Internet interface:

if = "Internet" & (port >= 137 & port <= 139 | port = 445)

This expression defines packets going out through the Internet interface and addressed to the web server with IP address 123.32.45.67 at port 80 or 8080:

oif = "Internet" & daddr = 123.32.45.67 & (dport = 80 | dport = 8080)

This expression defines incoming TCP packets flagged by SYN (TCP connection establishment):

direc = in & tcpfl = SYN
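The following evaluator is an added example and is not Kerio's code. It re-implements the expression rules described above (variables, the = comparison, & parsed before |, left-to-right chains, parentheses, tcpfl with + and - prefixes) in Python and runs the page's example expressions against a few constructed packet records, so you can check what an expression will and will not match before enabling it on a busy firewall. Everything not stated on the page is an assumption of this example: the >= and <= operators are accepted on port variables only because the first example uses them; NONE and ALL are read as "no flag set" and "every flag set"; list:"…", user:"…" and the vpn/vpnclient interface values need firewall state and are not modelled; the packet records are a made-up dictionary format, not Kerio's.

```python
"""Evaluator for Kerio Control packet-logging expressions: an added example, not Kerio's code.
Assumes '&' before '|', left to right, parentheses, >=/<= only on ports; list:/user:/vpn values not modelled."""
import ipaddress
import re
from collections import deque

TOKEN = re.compile(r'\s*(\(|\)|&|\||>=|<=|=|"[^"]*"|[^\s()&|=<>"]+)')
TCP_FLAGS = {"FIN", "SYN", "RST", "PSH", "ACK", "URG"}
PORT_VARS = ("port", "sport", "dport")
KNOWN_VARS = PORT_VARS + ("addr", "saddr", "daddr", "if", "iif", "oif", "direc", "tcpfl")

def parse_chain(toks, op, sub):  # left-to-right chain of one operator: sub (op sub)*
    node = sub(toks)
    while toks and toks[0] == op:
        toks.popleft()
        node = (op, node, sub(toks))
    return node

def parse_expr(toks):  # '|' has the lowest priority, so it is the outermost chain; '&' is parsed first
    return parse_chain(toks, "|", lambda t: parse_chain(t, "&", parse_factor))

def parse_factor(toks):  # '(' expr ')' | any | variable op value...
    if toks and toks[0] == "(":
        toks.popleft()
        node = parse_expr(toks)
        if not toks or toks.popleft() != ")":
            raise ValueError("missing ')'")
        return node
    var = toks.popleft() if toks else None
    if var == "any":  # always true; takes no operator or value
        return ("any",)
    op = toks.popleft() if toks else None
    if var not in KNOWN_VARS or op not in ("=", ">=", "<=") or (op != "=" and var not in PORT_VARS):
        raise ValueError(f"expected 'variable = value', got {var!r} {op!r}")
    values = []  # tcpfl takes several flag tokens; every other variable exactly one value
    while toks and toks[0] not in ("&", "|", ")"):
        values.append(toks.popleft().strip('"'))
    if not values or (var != "tcpfl" and len(values) != 1):
        raise ValueError(f"bad value list for {var!r}: {values}")
    return ("cmp", var, op, values)

def match_addr(spec, ip):
    # host, addr/mask, addr/prefix-length, or inclusive lo-hi range (ranges and prefixes: IPv4 only)
    ip = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s) for s in spec.split("-", 1))
        return lo.version == ip.version and lo <= ip <= hi
    if "/" in spec:
        return ip in ipaddress.ip_network(spec, strict=False)
    return ip == ipaddress.ip_address(spec)

def match_tcpfl(spec, pkt):
    # Named or +flags must be set, -flags clear, unmentioned flags ignored; NONE/ALL read as none/all set (assumption).
    if pkt.get("proto") != "tcp":
        return False
    flags = set(pkt.get("tcpfl", ()))
    for tok in spec:
        name = tok.lstrip("+-").upper()
        if name not in TCP_FLAGS | {"NONE", "ALL"}:
            raise ValueError(f"unknown TCP flag {tok!r}")
        present = {"NONE": not flags, "ALL": flags == TCP_FLAGS}.get(name, name in flags)
        if present == tok.startswith("-"):  # wanted flag clear, or -flag set: no match
            return False
    return True

def evaluate(node, pkt):
    if node[0] == "any":
        return True
    if node[0] == "|":
        return evaluate(node[1], pkt) or evaluate(node[2], pkt)
    if node[0] == "&":
        return evaluate(node[1], pkt) and evaluate(node[2], pkt)
    _, var, op, values = node  # addr/port/if match either direction; s*/d* and i*/o* pin one field
    if var == "tcpfl":
        return match_tcpfl(values, pkt)
    fields = {"addr": ("saddr", "daddr"), "port": ("sport", "dport"), "if": ("iif", "oif")}.get(var, (var,))
    if var in ("addr", "saddr", "daddr"):
        return any(match_addr(values[0], pkt[f]) for f in fields)
    if var in PORT_VARS:  # ports are ints; records of protocols without ports carry no port keys
        want, cmp = int(values[0]), {"=": int.__eq__, ">=": int.__ge__, "<=": int.__le__}[op]
        return any(f in pkt and cmp(pkt[f], want) for f in fields)
    return any(pkt.get(f) == values[0] for f in fields)  # if/iif/oif/direc: exact string match

def matches(expression, pkt):
    if TOKEN.sub("", expression).strip():  # anything the token regex cannot consume is an error
        raise ValueError(f"unparsable characters in {expression!r}")
    toks = deque(TOKEN.findall(expression))
    node = parse_expr(toks)
    if toks:
        raise ValueError(f"unexpected trailing token {toks[0]!r}")
    return evaluate(node, pkt)

SAMPLE_PACKETS = [  # constructed records for the demonstration, not captured traffic
    dict(name="smb-in", iif="Internet", oif="LAN", direc="in", proto="tcp",
         saddr="203.0.113.7", daddr="192.168.1.10", sport=51234, dport=445, tcpfl={"SYN"}),
    dict(name="web-out", iif="LAN", oif="Internet", direc="out", proto="tcp",
         saddr="192.168.1.20", daddr="123.32.45.67", sport=40000, dport=8080, tcpfl={"SYN", "ACK"}),
    dict(name="dns-out", iif="LAN", oif="Internet", direc="out", proto="udp",
         saddr="192.168.1.20", daddr="192.0.2.53", sport=5353, dport=53),
]
```

Two things the page's wording leaves implicit become visible when you run the examples through this evaluator. First, precedence: direc = in & direc = out | dport = 53 matches the dns-out record (the & part is false, the | part is true), while direc = in & (direc = out | dport = 53) does not. Second, because port is satisfied by either the source or the destination port, port >= 137 & port <= 139 is not a range check on one port: the dns-out record (source port 5353, destination port 53) satisfies both halves with different ports and therefore matches the first example under this evaluator's reading. The page does not say how Kerio's own matcher treats that case, so before relying on such an expression, confirm it against a known packet on the appliance, or pin the direction with sport/dport.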

Creating and downloading packet dumps

  1. In the administration interface, go to Logs > Debug.
  2. In the context menu, click Packet Dump To File.
  3. Type an expression.
  4. To create the packet dump and start logging, click Start.
  5. When enough traffic has been captured, click Stop.
  6. Click Download and save the file to your computer.