Desktop Firewall Monitoring

Packet monitoring has two components: a user-mode utility (PacketMon.exe) and a kernel component (implemented in VSDATANT.SYS). PacketMon must only be used for debugging purposes, because running PacketMon strongly impacts the performance of VSDATANT.

PacketMon:

  • Analyzes command-line input parameters.

  • Compiles INSPECT assembly code.

  • Uploads the INSPECT assembly code to VSDATANT.SYS.

  • Samples VSDATANT.SYS for new packet inspection data.

  • Shows packet data on the screen or redirects to a file (in SNOOP format).

  • Stops packet inspection when terminated by the user.

VSDATANT:

  • Initializes input and output buffers.

  • Runs each incoming and outgoing packet through the INSPECT virtual machine.

  • Runs each accepted packet (if -d option was not specified) or each dropped packet (if -d option was specified) through the INSPECT virtual machine.

  • Copies packet data into user-mode buffers when instructed to by PacketMon.

  • De-initializes the input and output buffers and stops packet inspection when instructed to by PacketMon.

Use PacketMon.exe to inspect traffic handled by the Desktop Firewall blade. When run without parameters, the utility captures all inbound and outbound packets. The application first analyzes and validates the input parameters.

If the parameters fail validation, this usage message is shown:

    packetmon [-h] [-t] [-T] [-i] <{-e expr}+|-f <filter_file|->> [-l len] [-m mask]
              [-x offset[,len]] [-o file] [-ci count] [-co count] -I -d -r

    -e expr:          filters packets according to the given expr regular expression
    -l len:           limits packet capture length to the given len bytes
    -m mask:          captures packets according to the given mask
                      mask can be a combination of:
                        i - incoming packets (while entering the firewall)
                        I - incoming packets (while leaving the firewall)
                        o - outgoing packets (while entering the firewall)
                        O - outgoing packets (while leaving the firewall)
    -x offset[,len]:  prints packet data starting from the given offset and
                      for an optional number of bytes (len). offset is the offset
                      from the beginning of the IP header.
                      len can be used to limit the amount of bytes printed. If
                      omitted, prints the whole packet from the given offset to its end
    -o file:          writes output to the given file (in snoop file format)
    -ci count:        captures count number of incoming packets and exits
    -co count:        captures count number of outgoing packets and exits
    -I:               shows interface numbers instead of names
    -f filter_file:   filters packets according to the regular expression given
                      in the filter_file file
    -f -:             filters packets according to the regular expression given on
                      standard input
                      Ctrl-Z+<Enter> at a new line to stop stdin input
    -d:               shows only dropped packets
    -r:               prints the relevant rule (if found)
    -T:               prints time stamp
    -h:               shows this help message
    -i:               flushes standard output
    -t:               does not include the fwmonitor.def file automatically
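A capture written with -o is in snoop file format, which an analyst normally reads offline rather than on the console. The following reader is an added example and is not part of this page or of the PacketMon/VSDATANT tools. It assumes the RFC 1761 snoop layout (8-byte magic, big-endian version and datalink type, 24-byte record headers padded to 4 bytes) and an Ethernet datalink (type 4) with a 14-byte link header in front of the IP header; whether PacketMon writes exactly that datalink type is an assumption, so check the header field of a real capture. The sample frame is constructed inline. The ip_window() helper mirrors the -x offset[,len] semantics described above, counting the offset from the start of the IP header.

```python
"""Offline reader for a snoop-format capture such as one written by
``packetmon -o file``.  Added example, not code from the original page."""
import struct
import sys

SNOOP_MAGIC = b"snoop\x00\x00\x00"   # RFC 1761 file identification string
SNOOP_VERSION = 2                      # RFC 1761 file format version
DLT_ETHERNET = 4                       # RFC 1761 datalink type for Ethernet
ETHER_HDR_LEN = 14                     # bytes before the IP header (assumed Ethernet)


def build_snoop(records, datalink=DLT_ETHERNET):
    """Serialize (sec, usec, frame) tuples into a snoop file image.
    Used here only to construct sample input for the parser."""
    out = bytearray(SNOOP_MAGIC + struct.pack(">II", SNOOP_VERSION, datalink))
    for sec, usec, frame in records:
        pad = (-len(frame)) % 4                      # records are 4-byte aligned
        rec_len = 24 + len(frame) + pad
        # original length, included length, record length, cumulative drops, sec, usec
        out += struct.pack(">IIIIII", len(frame), len(frame), rec_len, 0, sec, usec)
        out += frame + b"\x00" * pad
    return bytes(out)


def parse_snoop(data):
    """Return (datalink, [(sec, usec, original_len, frame), ...]).
    Length fields are bounds-checked so a truncated or corrupt file raises
    instead of reading past the buffer."""
    if data[:8] != SNOOP_MAGIC:
        raise ValueError("not a snoop file")
    version, datalink = struct.unpack(">II", data[8:16])
    if version != SNOOP_VERSION:
        raise ValueError(f"unsupported snoop version {version}")
    records, pos = [], 16
    while pos < len(data):
        if len(data) - pos < 24:
            raise ValueError("truncated record header")
        orig_len, incl_len, rec_len, _drops, sec, usec = struct.unpack(
            ">IIIIII", data[pos:pos + 24])
        if rec_len < 24 + incl_len or pos + rec_len > len(data):
            raise ValueError("record length out of bounds")
        records.append((sec, usec, orig_len, data[pos + 24:pos + 24 + incl_len]))
        pos += rec_len
    return datalink, records


def ip_window(frame, offset, length=None, link_hdr_len=ETHER_HDR_LEN):
    """Bytes of the frame starting at IP-header offset `offset`, like -x offset[,len]."""
    start = link_hdr_len + offset
    return frame[start:] if length is None else frame[start:start + length]


def summarize(frame, link_hdr_len=ETHER_HDR_LEN):
    """Decode the IPv4 header (and TCP/UDP ports) of one frame into a dict."""
    ip = frame[link_hdr_len:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ip[0] & 0x0F) * 4
    info = {"proto": ip[9],
            "src": ".".join(map(str, ip[12:16])),
            "dst": ".".join(map(str, ip[16:20]))}
    if info["proto"] in (6, 17) and len(ip) >= ihl + 4:   # TCP or UDP
        info["sport"], info["dport"] = struct.unpack(">HH", ip[ihl:ihl + 4])
    return info


def sample_frame():
    """Constructed Ethernet/IPv4/TCP frame (sample data, not a real capture)."""
    eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex("112233445566") + b"\x08\x00"
    payload = b"GET / HTTP/1.0\r\n"
    tcp = struct.pack(">HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0,
                     64, 6, 0, bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))
    return eth + ip + tcp + payload


if __name__ == "__main__":
    # Read a real capture if a path is given, otherwise use the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else \
        build_snoop([(1700000000, 123456, sample_frame())])
    datalink, recs = parse_snoop(data)
    print(f"datalink type {datalink}, {len(recs)} record(s)")
    for sec, usec, orig_len, frame in recs:
        print(sec, usec, orig_len, summarize(frame), ip_window(frame, 0, 20).hex())
```

Run it without arguments to exercise the constructed sample, or pass the path of a PacketMon -o file to summarize its records; the ip_window() call at the end prints the first 20 bytes from the IP header, which is what -x 0,20 would show.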