This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to identify traffic blocked by ACLs

0

Is there a method for determining if a particular entry(s) in a network trace are being blocked by ACLs? If so, can you help me identify where in the trace it would show the packet being rejected/blocked?

For example, we've written ACLs to prevent traffic on certain ports directed toward a particular host. In the network trace I see the client and host entries on the defined ports. But I can't tell if they are being blocked. We do see the counters on our firewall going up, so that's a good indication our ACL is working. But was hoping Wireshark would somehow confirm the traffic is being blocked. Please let me know if I can provide a better example or further information. Appreciate the help.

asked 09 Mar '12, 04:17


sdeb
6112
accept rate: 0%


One Answer:

0

<trivial mode>
In order to know if something is blocked, you would need to make a trace on both sides of the blocking device and compare the packets
</trivial mode>

If you can only capture packets on one side of the connection, then you could deduce some information about the ACLs, but you are never sure. For instance, capturing on the client side of the filtering device could show you SYN packets being sent, but no SYN/ACK coming back. This could be due to the ACL, but also due to a routing problem, the server not being up, etc.

answered 09 Mar '12, 04:37


SYN-bit ♦♦
17.1k957245
accept rate: 20%

edited 09 Mar '12, 04:38
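The two approaches in the answer above, as an added example that is not part of the original post or of Wireshark itself: a two-sided comparison (capture on both sides of the filtering device, keep the flows that show up on the client side but never on the server side) next to the one-sided heuristic (a SYN with no SYN/ACK), run on constructed sample data. The input format assumes each capture was exported with `tshark -r side.pcap -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.flags.syn -e tcp.flags.ack` (tab-separated, booleans as `1`/`0` or `True`/`False` depending on tshark version); the addresses, ports and packets below are made up for the demonstration.

```python
"""Spot flows dropped by an in-path ACL from two captures, and show why a
single capture cannot settle the question.

Added example; not code from the Q&A post or from Wireshark. Assumes tshark
field output as described in the lead-in (hypothetical export command).
"""
from typing import NamedTuple


class Pkt(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool
    ack: bool


def parse_tshark_fields(text: str) -> list:
    """Parse tab-separated `tshark -T fields` lines into Pkt records."""
    pkts = []
    for line in text.strip().splitlines():
        src, dst, sport, dport, syn, ack = line.split("\t")
        # tshark prints booleans as 1/0 (older) or True/False (4.x); accept both
        pkts.append(Pkt(src, dst, int(sport), int(dport),
                        syn in ("1", "True"), ack in ("1", "True")))
    return pkts


def flow_key(p: Pkt) -> tuple:
    """Direction-independent 4-tuple so a SYN and its SYN/ACK share one key."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def compare_sides(client_pkts: list, server_pkts: list) -> dict:
    """Two-sided method: a flow seen before the filter but never after it was
    dropped in between. Flows present on both sides got through."""
    client = {flow_key(p) for p in client_pkts}
    server = {flow_key(p) for p in server_pkts}
    return {"blocked": sorted(client - server), "passed": sorted(client & server)}


def single_side_suspects(pkts: list) -> list:
    """One-sided heuristic: flows where we saw a SYN but never a SYN/ACK.
    Inconclusive on its own: an ACL, a routing problem or a dead host all
    look identical from here."""
    syn_only, synack = set(), set()
    for p in pkts:
        k = flow_key(p)
        if p.syn and p.ack:
            synack.add(k)
        elif p.syn:
            syn_only.add(k)
    return sorted(syn_only - synack)


# Constructed sample exports (not real captures). Client 10.0.0.5 tries SSH to
# 192.168.1.10 (ACL drops it), HTTPS to 192.168.1.10 (allowed, answered) and
# HTTP to 192.168.1.20 (allowed, but that host is down and never answers).
CLIENT_SIDE = "\n".join("\t".join(f) for f in [
    ("10.0.0.5", "192.168.1.10", "41000", "22", "1", "0"),
    ("10.0.0.5", "192.168.1.10", "41001", "443", "1", "0"),
    ("192.168.1.10", "10.0.0.5", "443", "41001", "1", "1"),
    ("10.0.0.5", "192.168.1.20", "41002", "80", "1", "0"),
    ("10.0.0.5", "192.168.1.10", "41000", "22", "1", "0"),  # SYN retransmit
])
SERVER_SIDE = "\n".join("\t".join(f) for f in [
    ("10.0.0.5", "192.168.1.10", "41001", "443", "1", "0"),
    ("192.168.1.10", "10.0.0.5", "443", "41001", "1", "1"),
    ("10.0.0.5", "192.168.1.20", "41002", "80", "1", "0"),
])


def demo() -> dict:
    """Run both methods over the sample data and return the results."""
    client = parse_tshark_fields(CLIENT_SIDE)
    server = parse_tshark_fields(SERVER_SIDE)
    return {"two_sided": compare_sides(client, server),
            "one_sided": single_side_suspects(client)}


if __name__ == "__main__":
    out = demo()
    print("dropped by the filter:", out["two_sided"]["blocked"])
    print("crossed the filter:  ", out["two_sided"]["passed"])
    print("SYN without SYN/ACK: ", out["one_sided"])
```

On this data the two-sided comparison names only the SSH flow as dropped, while the one-sided check flags both the SSH flow and the HTTP flow to the dead host: exactly the ambiguity the answer warns about. The comparison uses a direction-independent 4-tuple, so the server's SYN/ACK lands in the same flow as the client's SYN; a real run should also exclude flows that begin before the capture started, since those naturally lack a SYN.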