Packet trace – SonicWALL Internet Security Appliances User Manual

Web Management Tools Page 123

Packet Trace

The Packet Trace tool tracks the status of a communications stream as it moves from source to
destination. This is a useful tool to determine if a communications stream is being stopped at the
SonicWALL, or is lost on the Internet.
To interpret this tool, it is necessary to understand the three-way handshake that occurs for every
TCP connection. The following displays a typical three-way handshake initiated by a host on the
SonicWALL LAN to a remote host on the WAN.
1. TCP received on LAN [SYN]

From 192.168.168.158 / 1282 (00:a0:4b:05:96:4a)

To 204.71.200.74 / 80 (02:00:cf:58:d3:6a)

The SonicWALL receives SYN from LAN client.
2. TCP sent on WAN [SYN]

From 207.88.211.116 / 1937 (00:40:10:0c:01:4e)

To 204.71.200.74 / 80 (02:00:cf:58:d3:6a)

The SonicWALL forwards SYN from LAN client to remote host.
3. TCP received on WAN [SYN,ACK]

From 204.71.200.74 / 80 (02:00:cf:58:d3:6a)

To 207.88.211.116 / 1937 (00:40:10:0c:01:4e)

The SonicWALL receives SYN,ACK from remote host.
4. TCP sent on LAN [SYN,ACK]

From 204.71.200.74 / 80 (02:00:cf:58:d3:6a)

To 192.168.168.158 / 1282 (00:a0:4b:05:96:4a)

The SonicWALL forwards SYN,ACK to LAN client.
5. TCP received on LAN [ACK]

From 192.168.168.158 / 1282 (00:a0:4b:05:96:4a)

To 204.71.200.74 / 80 (02:00:cf:58:d3:6a)

Client sends a final ACK, and waits for start of data transfer.
6. TCP sent on WAN [ACK]

From 207.88.211.116 / 1937 (00:40:10:0c:01:4e

To 204.71.200.74 / 80 (02:00:cf:58:d3:6a)

The SonicWALL forwards the client ACK to the remote host and waits for the data transfer to begin.
When using packet traces to isolate network connectivity problems, look for the location where the
three-way handshake is breaking down. This helps to determine if the problem resides with the
SonicWALL configuration, or if there is a problem on the Internet.