19.7. IPFLOW Tracer

IPFLOW is a service used to trace the flow of IP packets inside the IPRTR resource. With a detailed filter it is possible to trace only the required IP packets, from the incoming interface to the outgoing interface or to the internal upper layers.

Each IP packet goes through a sequence of steps inside IPRTR (not every packet goes through every step; this depends on the configuration and on the packet type):

PACKET IN

packet is received from an IP resource interface;

IPACL CHECK

packet is analyzed by IPACL service;

IPSEC DECODE

packet received in IPSEC format is decoded from ciphered to plain format;

NAT

packet is translated by NAT rules.

INTERNAL DESTINATION

packet is forwarded to internal upper layers.

EXTERNAL DESTINATION

packet is going to be routed to an outgoing IP resource interface.

IPSEC ENCODE

packet is ciphered into IPSEC format.

PACKET OUT

packet is sent to an outgoing IP resource interface.

For each step, IPFLOW displays some information about the IP packet and some about the step itself. For example, for the PACKET IN step we can have:

Packet IN:
  SA:192.168.000.005 DA:192.168.000.200 PROT:tcp  SPO:2768   DPO:23    LEN:40
  SIP:4   SRC-MAC:00-1E-8C-D5-5E-16 DST-MAC:00-0C-42-07-47-97 DST-MAC-TYPE:U

The previous example has 2 rows. The first row is related to the IP packet and contains information about its fields: source IP address (SA), destination IP address (DA), IP protocol (PROT), source and destination protocol port (SPO and DPO, shown only for TCP/UDP protocols) and packet length (LEN). This row is present in a step only if the current values differ from the information printed in the previous step.

The second row contains information related only to the Packet IN step: source IP interface (SIP), source MAC address (SRC-MAC), destination MAC address (DST-MAC) and destination MAC type (DST-MAC-TYPE). Each step contains specific information related to its purpose.

19.7.1. List of commands

To see all the commands available for the IPFLOW tracer service, use the command ipflow ?. Before it can be used, the IPFLOW tracer must first be activated and then started.

[18:48:37] ABILIS_CPX:ipflow ?

ACT            Activate trace
DISPLAY        Ipflow display operations
FILTER         Packet filtering rules
INACT          Deactivate trace
PARAM          Trace parameters operations
START          Start trace
STOP           Stop trace

19.7.2. Activating the IPFLOW tracer

The IPFLOW tracer must be activated before being used. The activation command lets the ABILIS system allocate the memory required to store the traced packets. During activation it is possible to specify the maximum number of IP packets that can be stored (SIZE) and whether to use a circular list of IP packets (RECIRCLE). The ranges of the activation parameters are shown by the ipflow act ? command.

[18:48:42] ABILIS_CPX:ipflow act ?

IPFLOW ACT [par:val]          Activate trace


Trace parameter(s):

SIZE:      Tracer packet number [100..10000]                        <Optional>
RECIRCLE:  Tracer can recirculate [NO, YES]                         <Optional>

Caution

When activating the IPFLOW tracer, the ABILIS system may not have enough memory to allocate the required buffer. In this case a COMMAND FAILURE message is printed, as shown below:

[16:00:40] ABILIS_CPX:ipflow act size:10000

COMMAND FAILURE

The IPFLOW tracer cannot be activated if it is already active. If IPFLOW needs to be re-activated (e.g. because the SIZE or RECIRCLE value must be changed), it must be deactivated first. This is what happens when IPFLOW is activated twice without being deactivated in between:

[16:00:50] ABILIS_CPX:ipflow act size:5000 recircle:no

IPFLOW TRACER ALREADY ACTIVE

Setting RECIRCLE to NO makes the IPFLOW service trace only the first SIZE packets. Once that limit is reached, no more packets are traced until the tracer is stopped and started again. If RECIRCLE is set to YES, once SIZE packets have been traced the oldest packet is removed to make room for each new one.

If a parameter of the activation command is set to an invalid value, a specific error message is printed. For example:

[16:13:29] ABILIS_CPX:ipflow act size:99999999

BAD VALUE 'SIZE:99999999'

19.7.3. Deactivating the IPFLOW tracer

When IPFLOW is no longer used, it can be deactivated in order to deallocate memory that could be useful for other run-time services of the ABILIS system (like TRACE, for example).

[18:49:27] ABILIS_CPX:ipflow inact ?

IPFLOW INACT                  Deactivate trace

To deactivate the IPFLOW tracer, use the ipflow inact command.

[16:35:25] ABILIS_CPX:ipflow inact

COMMAND EXECUTED

Caution

Once IPFLOW is no longer active, all the IP packets traced previously are lost.

There are some situations where IPFLOW cannot be deactivated: when IPFLOW was not activated before, or when IPFLOW is started but not yet stopped. In these cases a related error message is printed.

[16:31:04] ABILIS_CPX:ipflow inact

IPFLOW TRACER NOT ACTIVE

[16:31:13] ABILIS_CPX:ipflow inact

IPFLOW TRACER NOT STOPPED

19.7.4. Starting the IPFLOW tracer

Once the IPFLOW tracer is activated, it must be started in order to trace packets.

[18:59:27] ABILIS_CPX:ipflow start ?

IPFLOW START                  Start trace

To start the IPFLOW tracer, use the ipflow start command.

[19:35:25] ABILIS_CPX:ipflow start

COMMAND EXECUTED

When IPFLOW is started, all the packets that match the specified filtering parameters are traced and stored in the tracer list. Up to SIZE packets can be stored at the same time.

There are some situations where IPFLOW cannot be started: when IPFLOW was not activated before, or when IPFLOW is already started but not yet stopped. In these cases a related error message is printed.

[16:31:04] ABILIS_CPX:ipflow start

IPFLOW TRACER NOT ACTIVE

[16:31:13] ABILIS_CPX:ipflow start

IPFLOW TRACER ALREADY STARTED

Every time the trace is started, all previous counters and traced IP packets are automatically erased.

19.7.5. Stopping the IPFLOW tracer

Once IPFLOW has traced what we need, it can be stopped with the stop command.

[18:49:27] ABILIS_CPX:ipflow stop ?

IPFLOW STOP                   Stop trace

To stop the IPFLOW tracer, use the ipflow stop command.

[16:35:25] ABILIS_CPX:ipflow stop

COMMAND EXECUTED

When IPFLOW is stopped, no further packets are analyzed or traced (even if they match the configured filter).

There are some situations where IPFLOW cannot be stopped: when IPFLOW was not activated and started before. In this case a related error message is printed.

[17:51:53] ABILIS_CPX:ipflow stop

IPFLOW TRACER NOT ACTIVE

[17:51:59] ABILIS_CPX:ipflow stop

IPFLOW TRACER NOT STARTED

19.7.6. Display of IPFLOW parameters

It is possible to see the IPFLOW parameters currently configured and the tracing status.

[18:25:20] ABILIS_CPX:ipflow param ?

IPFLOW PARAM                  Display trace parameters

To display the IPFLOW tracer parameters and status, use the ipflow param command.

[18:27:39] ABILIS_CPX:ipflow param

Parameter  Value                  Description
-------------------------------------------------------------------------------
SIZE:      10000                  Tracer packets number
RECIRCLE:  YES                    Tracer packet recirculation
STATUS:    INACTIVE               Current status of ipflow trace
ANALYZED:  0                      Number of packets analyzed
CAPTURED:  0                      Number of packets currently traced

The SIZE and RECIRCLE fields contain the values previously set with the ipflow act command. If ipflow act is executed without specifying them, the values used are those indicated by the ipflow param command.

The STATUS field indicates the IPFLOW tracing state. It can have several values:

INACTIVE

tracer is not activated yet. No resources are currently allocated;

ACTIVE

tracer is activated but not started yet. Resources are currently allocated but tracing is not performed;

RUNNING

tracer is activated and started. All IP packets that match the filtering rules are stored in the tracer list;

The ANALYZED and CAPTURED fields can increase only in the RUNNING status. ANALYZED counts all the IP packets analyzed by IPFLOW, which may or may not be traced depending on the filtering options. CAPTURED counts only the IP packets that, after being analyzed by IPFLOW, matched the filtering rules and were stored in the tracer list. These fields are initialized every time the IPFLOW tracer is started.
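The states, error messages and RECIRCLE behaviour described in sections 19.7.2 to 19.7.6 can be summarised as a small model. This is an added example, not ABILIS code: the class and function names are hypothetical, and it assumes that a successful ipflow act prints COMMAND EXECUTED and that ANALYZED keeps counting when a non-recirculating buffer is full.

```python
from collections import deque

class IpflowModel:
    """Toy model of the documented tracer states; not ABILIS code."""

    def __init__(self, size=10000, recircle=True):
        self.size, self.recircle = size, recircle
        self.status = "INACTIVE"
        self.analyzed = 0
        self.buffer = None                      # allocated only by act()

    @property
    def captured(self):
        return len(self.buffer) if self.buffer is not None else 0

    def act(self, size=None, recircle=None):
        if self.status != "INACTIVE":
            return "IPFLOW TRACER ALREADY ACTIVE"
        if size is not None and not 100 <= size <= 10000:
            return f"BAD VALUE 'SIZE:{size}'"
        if size is not None:
            self.size = size
        if recircle is not None:
            self.recircle = recircle
        # A bounded deque drops its oldest entry on append, like RECIRCLE:YES.
        self.buffer = deque(maxlen=self.size if self.recircle else None)
        self.status = "ACTIVE"
        return "COMMAND EXECUTED"               # assumption: success message for act

    def start(self):
        if self.status == "INACTIVE":
            return "IPFLOW TRACER NOT ACTIVE"
        if self.status == "RUNNING":
            return "IPFLOW TRACER ALREADY STARTED"
        self.buffer.clear()                     # every start erases the previous trace
        self.analyzed = 0
        self.status = "RUNNING"
        return "COMMAND EXECUTED"

    def stop(self):
        if self.status == "INACTIVE":
            return "IPFLOW TRACER NOT ACTIVE"
        if self.status == "ACTIVE":
            return "IPFLOW TRACER NOT STARTED"
        self.status = "ACTIVE"                  # the trace stays readable after stop
        return "COMMAND EXECUTED"

    def inact(self):
        if self.status == "INACTIVE":
            return "IPFLOW TRACER NOT ACTIVE"
        if self.status == "RUNNING":
            return "IPFLOW TRACER NOT STOPPED"
        self.buffer, self.status = None, "INACTIVE"   # traced packets are lost
        return "COMMAND EXECUTED"

    def packet(self, pkt, matches_filter):
        if self.status != "RUNNING":
            return
        self.analyzed += 1                      # assumption: counted even when full
        if matches_filter and (self.recircle or len(self.buffer) < self.size):
            self.buffer.append(pkt)

def surviving(recircle, n_packets=250, size=100):
    """Packets left in the trace after n_packets matching packets pass through."""
    tracer = IpflowModel()
    tracer.act(size=size, recircle=recircle)
    tracer.start()
    for number in range(1, n_packets + 1):
        tracer.packet(number, True)
    tracer.stop()
    return list(tracer.buffer)

if __name__ == "__main__":
    print("RECIRCLE:NO keeps ", surviving(False)[0], "..", surviving(False)[-1])
    print("RECIRCLE:YES keeps", surviving(True)[0], "..", surviving(True)[-1])
```

With RECIRCLE:NO the trace holds the beginning of an event, with RECIRCLE:YES its most recent part, which matters when choosing a mode for a capture that may overflow SIZE.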

19.7.7. Setting IP packet filter

When IPFLOW is started, packets are traced according to specific rules that can be configured with the following commands:

[18:49:02] ABILIS_CPX:ipflow filter ?

IPFLOW FILTER [DISPLAY [ID:val]]                  Display trace filter(s)
IPFLOW FILTER ADD ID:val [par:val]                Add new trace filter
IPFLOW FILTER CLEAR ID:val [par:val]              Clear existing trace filter
IPFLOW FILTER USED                                Display used trace filters
IPFLOW FILTER SET ID:val par:val [par:val]        Set trace filter parameters

ID:        Ipflow filter identifier [0..31]                          <Optional>

Ipflow filter parameter(s):

SNET:      Source Ip Network Range:                                  <Optional>
           a single Ip address [0.0.0.1-255.255.255.255] or subnet [x.x.x.x/y]
           or Ip addresses range separated by ':' (colon) or  or the name of
           an IP/IR/RU/MR list between primes or "*" (any Ip address)
DNET:      Destination Ip Network Range:                             <Optional>
           a single Ip address [0.0.0.1-255.255.255.255] or subnet [x.x.x.x/y]
           or Ip addresses range separated by ':' (colon) or  or the name of
           an IP/IR/RU/MR list between primes or "*" (any Ip address)
NET:       Source OR Destination Ip Network Range:                   <Optional>
           a single Ip address [0.0.0.1-255.255.255.255] or subnet [x.x.x.x/y]
           or Ip addresses range separated by ':' (colon) or  or the name of
           an IP/IR/RU/MR list between primes or "*" (any Ip address)
PROT:      Internet Protocol:                                        <Optional>
           Internet protocol mnemonic or decimal value [0..255] or "*" (Any
           Internet protocol) or the name of an IPT/RU/MR list between primes.
           (E.g.: icmp or 1 or * or 'List)
SPO:       Source Ports Range:                      <Optional for PROT:TCP/UDP>
           a single port mnemonic or decimal value [0..65535] or a port range
           values separated by ':' (colon) or "*" (any port) or the name of a
           TUP/RU/MR list between primes. (E.g.: 23 or SSH or 1:1200 or 'List')
DPO:       Destination Ports Range:                 <Optional for PROT:TCP/UDP>
           a single port mnemonic or decimal value [0..65535] or a port range
           values separated by ':' (colon) or "*" (any port) or the name of a
           TUP/RU/MR list between primes. (E.g.: 23 or SSH or 1:1200 or 'List')
PO:        Source or Destination Ports Range:       <Optional for PROT:TCP/UDP>
           a single port mnemonic or decimal value [0..65535] or a port range
           values separated by ':' (colon) or "*" (any port) or the name of a
           TUP/RU/MR list between primes. (E.g.: 23 or SSH or 1:1200 or 'List')
SIP:       Source Ip resource [1..250, INT, *]                       <Optional>

Up to 32 filters can be set, each with a fixed identifier. Filter records can be added, removed and set at any time during tracing, but the values actually used by IPFLOW are those present when the ipflow start command is executed. For this reason there are 2 different display commands:

IPFLOW FILTER [DISPLAY]

all the filters present, which will be loaded and used by IPFLOW after the ipflow start command;

IPFLOW FILTER USED

the filters displayed by this command are exactly the filters used during the tracing phase (RUNNING state);

Using the ipflow filter used command when IPFLOW is not in the running state displays empty information:

[11:59:00] ABILIS_CPX:ipflow filter display

-------------------------------------------------------------------------------
ID: SNET:/NET:                            DNET:
    SIP:                                  PROT:
    SPO:/PO:                              DPO:
-------------------------------------------------------------------------------
0   192.168.000.005                       192.168.000.200
    4                                     tcp
    telnet(23)
-------------------------------------------------------------------------------

[11:59:35] ABILIS_CPX:ipflow filter used

-------------------------------------------------------------------------------
ID: SNET:/NET:                            DNET:
    SIP:                                  PROT:
    SPO:/PO:                              DPO:
-------------------------------------------------------------------------------
                            *** NO USED FILTERS ***

If the ipflow filter used command is executed in the running state, the filters currently in use by IPFLOW are shown:

[12:06:20] ABILIS_CPX:ipflow filter display

-------------------------------------------------------------------------------
ID: SNET:/NET:                            DNET:
    SIP:                                  PROT:
    SPO:/PO:                              DPO:
-------------------------------------------------------------------------------
0   192.168.000.005                       192.168.000.200
    4                                     tcp
    telnet(23)
-------------------------------------------------------------------------------

[12:06:24] ABILIS_CPX:ipflow filter used

-------------------------------------------------------------------------------
ID: SNET:/NET:                            DNET:
    SIP:                                  PROT:
    SPO:/PO:                              DPO:
-------------------------------------------------------------------------------
0   192.168.000.005                       192.168.000.200
    4                                     tcp
    telnet(23)
-------------------------------------------------------------------------------

In order to reset the ipflow filter used display, the user must execute the ipflow inact command.

19.7.8. IPFLOW trace display

To display what IPFLOW has traced, use the ipflow display command. For example:

--------------------------------------------------------------------------------
REC: 1
Packet IN:
  SA:192.168.000.200 DA:192.168.000.005 PROT:tcp  SPO:23     DPO:2768  LEN:552
  SIP:INTERNAL
NAT:
  IncomingSide:OUTSIDE
  DstRC:NONE
  SrcRC:NONE
External destination:
  DIP:4   DST-GW:DIRECT
Packet OUT:
  DIP:4   SRC-MAC:00-00-00-00-00-00 DST-MAC:00-00-00-00-00-00
  DST-GW:192.168.000.005
Main return Code: GOOD
--------------------------------------------------------------------------------
REC: 2
Packet IN:
  SA:192.168.000.200 DA:192.168.000.005 PROT:tcp  SPO:23     DPO:2768  LEN:552
  SIP:INTERNAL
NAT:
  IncomingSide:OUTSIDE
  DstRC:NONE
  SrcRC:NONE
External destination:
  DIP:4   DST-GW:DIRECT
Packet OUT:
  DIP:4   SRC-MAC:00-00-00-00-00-00 DST-MAC:00-00-00-00-00-00
  DST-GW:192.168.000.005
Main return Code: GOOD
--------------------------------------------------------------------------------
REC: 3
Packet IN:
  SA:192.168.000.005 DA:192.168.000.200 PROT:tcp  SPO:2768   DPO:23    LEN:40
  SIP:4   SRC-MAC:00-1E-8C-D5-5E-16 DST-MAC:00-0C-42-07-47-97 DST-MAC-TYPE:U
NAT:
  IncomingSide:OUTSIDE
  DstRC:NONE
  SrcRC:NONE
Internal destination:
  Packet forwarded to internal tcp upper layer
Main return Code: GOOD (TCP)

The display command can be executed only if IPFLOW has been activated.

[12:43:40] ABILIS_CPX:ipflow display

IPFLOW TRACER NOT ACTIVE

The IPFLOW display is usually requested after the ipflow stop command, but it can also be done in the running state.

Caution

While the display command runs in the running state, the ABILIS system can generate IP packets of its own (commonly TELNET/SSH packets if the user is connected remotely with such protocols). If these packets match the IPFLOW filter, IPFLOW traces the packets it generates itself. In this situation, the ipflow display command terminates with an "IPFLOW TRACER BUFFER UNDERRUN" message.

Each stored IP packet record has the complete flow of the packet inside IPRTR. As written previously, there are several steps that a packet can follow. They are described in detail below.

19.7.8.1. BASIC INFORMATION

STEP XXX:
  SA:192.168.000.005 DA:192.168.000.200 PROT:tcp  SPO:2768   DPO:23    LEN:40

For each step of the record (e.g. PACKET IN, IPACL, NAT...) some information about the IP packet is present. This information is displayed in a single row. If the packet information is the same as in the previous step (the data is unchanged), this row is omitted. Usually the IP packet information can change during the IPSEC or NAT steps. The basic IP packet information indicates:

SA

Source IP address;

DA

Destination IP address;

PROT

IP carried protocol;

SPO

Source port of carried protocol (TCP or UDP);

DPO

Destination port of carried protocol (TCP or UDP);

ID

Identifier of carried protocol (ICMP);

LEN

IP packet length;
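Because the basic row is omitted whenever it is unchanged, reading a record means carrying the last SA/DA row forward into the following steps. The parser below does that for ipflow display output and lists the steps whose return code says the packet was discarded or reset (DROPPED, CHKSUMERR, TCPRESET, as defined in the IPSEC and NAT sections). It is an added example, not part of the ABILIS documentation or software; the function names are hypothetical and the sample text is constructed.

```python
import re

# Constructed sample in the `ipflow display` layout. REC 1 follows the page's REC 3;
# REC 2 is invented to show an IPSEC discard and has no "Main return Code" row,
# because the page does not list that row's non-GOOD values.
SAMPLE = """\
--------------------------------------------------------------------------------
REC: 1
Packet IN:
  SA:192.168.000.005 DA:192.168.000.200 PROT:tcp  SPO:2768   DPO:23    LEN:40
  SIP:4   SRC-MAC:00-1E-8C-D5-5E-16 DST-MAC:00-0C-42-07-47-97 DST-MAC-TYPE:U
NAT:
  IncomingSide:OUTSIDE
  DstRC:NONE
  SrcRC:NONE
Internal destination:
  Packet forwarded to internal tcp upper layer
Main return Code: GOOD (TCP)
--------------------------------------------------------------------------------
REC: 2
Packet IN:
  SA:192.168.000.009 DA:192.168.000.200 PROT:udp  SPO:4500   DPO:4500  LEN:120
  SIP:4   SRC-MAC:00-1E-8C-D5-5E-16 DST-MAC:00-0C-42-07-47-97 DST-MAC-TYPE:U
IPSEC decode:
  RetCode:DROPPED  Tunnel:YES  NatSide:NP  IntDst:NO
"""

PAIR = re.compile(r"([A-Za-z][\w-]*):(\S+)")
DISCARD_CODES = {"DROPPED", "CHKSUMERR", "TCPRESET"}   # from the RetCode/DstRC/SrcRC lists

def norm_ip(value):
    """Turn zero-padded '192.168.000.005' into '192.168.0.5'; leave other values alone."""
    parts = value.split(".")
    if len(parts) == 4 and all(p.isdigit() for p in parts):
        return ".".join(str(int(p)) for p in parts)    # octets are decimal, not octal
    return value

def parse_display(text):
    """Split display output into records; each step carries the packet row in force."""
    records, rec, step, packet = [], None, None, {}
    for line in text.splitlines():
        body = line.strip()
        if not body or set(body) == {"-"} or (rec is None and not body.startswith("REC:")):
            continue
        if body.startswith("REC:"):
            rec = {"rec": int(body[4:]), "steps": [], "main_rc": None}
            records.append(rec)
            step, packet = None, {}
        elif body.startswith("Main return Code:"):
            rec["main_rc"] = body.split(":", 1)[1].strip()
        elif not line[0].isspace() and body.endswith(":"):      # step header
            step = {"step": body[:-1], "packet": packet, "rows": [], "notes": []}
            rec["steps"].append(step)
        elif step is not None:
            pairs = {k: norm_ip(v) for k, v in PAIR.findall(body)}
            if body.startswith("SA:"):          # basic row: replaces the carried packet
                packet = pairs
                step["packet"] = packet
            elif pairs:                         # one dict per row, keys may repeat across rows
                step["rows"].append(pairs)
            else:                               # free-text row (e.g. Internal destination)
                step["notes"].append(body)
    return records

def findings(records):
    """(rec, step, code, SA, DA) for every row carrying a discard or reset code."""
    return [(rec["rec"], step["step"], f"{k}:{v}", step["packet"].get("SA"), step["packet"].get("DA"))
            for rec in records for step in rec["steps"]
            for row in step["rows"] for k, v in row.items()
            if k in ("RetCode", "DstRC", "SrcRC") and v in DISCARD_CODES]

def path(rec):
    """Steps the packet went through, in order."""
    return " > ".join(step["step"] for step in rec["steps"])

if __name__ == "__main__":
    for r in parse_display(SAMPLE):
        print(r["rec"], path(r), r["main_rc"])
    print(findings(parse_display(SAMPLE)))
```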

19.7.8.2. PACKET IN

Packet IN:
  SA:192.168.000.005 DA:192.168.000.200 PROT:tcp  SPO:2768   DPO:23    LEN:40
  SIP:4   SRC-MAC:00-1E-8C-D5-5E-16 DST-MAC:00-0C-42-07-47-97 DST-MAC-TYPE:U

The second row contains this information:

SIP

Source IP resource. It is the IP resource the packet comes from. It can have several values indicating the incoming interface, or INTERNAL if the packet has been generated internally by the ABILIS system;

SRC-MAC

This is the source MAC address of the sender of the packet. MAC address is related to ETHERNET layer;

DST-MAC

This is the destination MAC address of the receiver of the packet. MAC address is related to ETHERNET layer (in this step the receiver MAC address will be the one present on the ABILIS ethernet card);

DST-MAC-TYPE

MAC destination type of the received packet. This information is detected by the lower layer and can indicate 3 different types:

U

Unicast: the packet is for a single receiver;

B

Broadcast: the packet is for all the receivers present on that specific network;

M

Multicast: the packet is for selected receivers present on that specific network;

19.7.8.3. IPACL CHECK

IPACL check:
  SA:192.168.000.005 DA:192.168.000.200 PROT:tcp  SPO:2768   DPO:23    LEN:40
  IPACL ID:1         IPCOS:NORMAL  CRDIR:ENCRYPT CRKEY:DFT

Caution

The first row, describing the IP packet fields, is hidden when all the fields are the same as in the previous step.

The second row contains this information:

IPACL

Contains the number of the IPACL matched by the IP packet. If there is no match, NO-MATCH is printed and all the following fields are omitted;

IPCOS

Class of service (priority) applied to IP packet. It can be:

HIGH

High priority, packet will be treated with the highest priority;

NORMAL

Normal priority, packet will be treated with middle priority;

LOW

Low priority, packet will be treated with the lowest priority;

CRDIR

Ciphering mode. This information can have 3 different types;

NONE

IP Packet format is not changed;

ENCRYPT

IP Packet is ciphered;

DECRYPT

IP packet is deciphered;

CRKEY

This field is present only in case that CRDIR is set as ENCRYPT/DECRYPT. It contains the CRKEY used for ciphering algorithm;

19.7.8.4. IPSEC DECODE

IPSEC decode:
  SA:192.168.000.005 DA:192.168.000.200 PROT:tcp  SPO:2768   DPO:23    LEN:40
  RetCode:GOOD     Tunnel:YES  NatSide:INSIDE  IntDst:YES

Caution

The first row, describing the IP packet fields, is hidden when all the fields are the same as in the previous step.

The second row contains this information:

RetCode

Contains the result of the IPSEC management of the IP packet. It can have several results:

GOOD

IP packet has been correctly managed by IPSEC service;

REASS

IP packet is only a fragment of a bigger packet. It needs to be reassembled before being managed by IPSEC service;

BYPASSED

IP packet has been analyzed and bypassed. No additional IPSEC operations were done to packet;

DROPPED

IP packet has been analyzed and discarded. Due to IPSEC rules, IP packet cannot be forwarded;

Tunnel

Indicates if packet decoded is taken from an IPSEC tunnel;

NatSide

Upon decoding an IP packet from tunnel, it can have different side types:

NONE

Tunnel hasn't a NAT side;

INSIDE

Tunnel has an INSIDE side;

OUTSIDE

Tunnel has an OUTSIDE side;

VPN

Tunnel has a VPN side;

DMZ

Tunnel has a DMZ side;

NP

Side not present. This situation happens when IPSEC return code is not good;

IntDst

This is simply a flag indicating if packet decoded by IPSEC will have ABILIS system as final destination;

19.7.8.5. NAT

NAT:
  SA:192.168.000.005 DA:192.168.000.200 PROT:tcp  SPO:2768   DPO:23    LEN:40
  IncomingSide:OUTSIDE
  DstRC:GOOD      OutgoingIPRes:IP-4     OutgoingSide:INSIDE  Added:YES
  SrcRC:GOOD      OutgoingIPRes:IP-4     OutgoingSide:INSIDE  Added:YES
  IPSecOutgoingSide:INSIDE

Caution

The first row, describing the IP packet fields, is hidden when all the fields are the same as in the previous step.

The second and following rows contain this information:

IncomingSide

Contains the NAT side of the interface where IP packet comes from. It can be:

NONE

Packet comes from a NONE NAT side;

INSIDE

Packet comes from an INSIDE NAT side;

OUTSIDE

Packet comes from an OUTSIDE NAT side;

VPN

Packet comes from a VPN NAT side;

DMZ

Packet comes from a DMZ NAT side;

DstRC/SrcRC

Contains the return code of the NAT processing of the IP packet (source and destination are processed separately):

GOOD

Packet has been translated;

INACT

NAT service is not active;

NONE

Packet is not translated;

TCPRESET

TCP session cannot be opened, a RESET message will be sent to the originator of the TCP packet;

CHKSUMERR

Packet received has a bad checksum and it will be discarded;

This field will be hidden in case that DstRC/SrcRC are set to NONE.

OutgoingIPRes

Destination IP resource. It is the IP resource where packet is going to be sent.

OutgoingSide

Contains the NAT side of the interface where the IP packet is going to be sent. It can be:

INSIDE

Packet is going to an INSIDE NAT side;

OUTSIDE

Packet is going to an OUTSIDE NAT side;

VPN

Packet is going to a VPN NAT side;

DMZ

Packet is going to a DMZ NAT side;

This field will be hidden in case that DstRC/SrcRC are set to NONE.

Added

Indicates that the current IP packet has caused NAT to add a translation rule to its dynamic table (this value is present only when a translation is created; in all other situations this field is hidden);

IPSecOutgoingSide

It is possible that a packet is encoded by IPSEC into a tunnel. In the case of an IPSEC tunnel, this field can have the following values:

NONE

Tunnel hasn't a NAT side;

INSIDE

Tunnel has an INSIDE side;

OUTSIDE

Tunnel has an OUTSIDE side;

VPN

Tunnel has a VPN side;

DMZ

Tunnel has a DMZ side;

NP

Side not present. This situation happens when IPSEC return code is not good;

19.7.8.6. INTERNAL DESTINATION

Internal destination:
  SA:192.168.000.005 DA:192.168.000.200 PROT:tcp  SPO:2768   DPO:23    LEN:40
  Packet forwarded to internal tcp upper layer

Caution

The first row, describing the IP packet fields, is hidden when all the fields are the same as in the previous step.

This step has no additional information to show. Only a single descriptive row is present, indicating that the destination of the IP packet is ABILIS itself and which IP protocol will manage it.

19.7.8.7. EXTERNAL DESTINATION

External destination:
  SA:192.168.000.005 DA:192.168.010.200 PROT:tcp  SPO:2768   DPO:23    LEN:40
  DIP:3  DST_GW:192.168.10.001
  LoadBalance:1

Caution

The first row, describing the IP packet fields, is hidden when all the fields are the same as in the previous step.

The second and following rows contain this information:

DIP

Destination IP resource. It is the IP resource where packet is sent.

DST-GW

This indicates the IP gateway to which the IP packet will be forwarded. If the receiver host is directly on the same network and no gateway is needed, DIRECT is printed instead;

LoadBalance

In case of load-balancing, this indicates the pool of IP resources to which the IP packet could be sent. If no load-balancing is detected, this row is missing;

19.7.8.8. IPSEC ENCODE

IPSEC encode:
  SA:192.168.000.005 DA:192.168.000.200 PROT:tcp  SPO:2768   DPO:23    LEN:40
  RetCode:GOOD     Tunnel:YES  NatSide:OUTSIDE

Caution

The first row, describing the IP packet fields, is hidden when all the fields are the same as in the previous step.

The second row contains this information:

RetCode

Contains the result of the IPSEC management of the IP packet. It can have several results:

GOOD

IP packet has been correctly managed by IPSEC service;

REASS

IP packet is only a fragment of a bigger packet. It needs to be reassembled before being managed by IPSEC service;

BYPASSED

IP packet has been analyzed and bypassed. No additional IPSEC operations were done to packet;

DROPPED

IP packet has been analyzed and discarded. Due to IPSEC rules, IP packet cannot be forwarded;

Tunnel

Indicates that packet encoded will go into an IPSEC tunnel;

NatSide

Upon encoding an IP packet for IPSEC tunnel, it can have different side types:

NONE

Tunnel hasn't a NAT side;

INSIDE

Tunnel has an INSIDE side;

OUTSIDE

Tunnel has an OUTSIDE side;

VPN

Tunnel has a VPN side;

DMZ

Tunnel has a DMZ side;

NP

Side not present. This situation happens when IPSEC encoding return code is not good;

19.7.8.9. PACKET OUT

Packet OUT:
  SA:192.168.000.005 DA:192.168.010.200 PROT:tcp  SPO:2768   DPO:23    LEN:40
  DIP:1   SRC-MAC:00-00-00-00-00-00 DST-MAC:00-00-00-00-00-00
  DST-GW:192.168.10.001

Caution

The first row, describing the IP packet fields, is hidden when all the fields are the same as in the previous step.

The second and following rows contain this information:

DIP

Destination IP resource. It is the IP resource where packet is sent.

SRC-MAC

This is the source MAC address of the sender of the packet. MAC address is related to ETHERNET layer (in this step the sender MAC address will be the one generated by ABILIS. Usually it will be 00-00-00-00-00-00 except for specific protocol usage, e.g. like DHCP);

DST-MAC

This is the destination MAC address of the receiver of the packet. MAC address is related to ETHERNET layer (in this step the receiver MAC address will be the one present on the outgoing interface network. Usually it will be 00-00-00-00-00-00 except for specific protocol usage, e.g. like DHCP);