Logging packets

Packet logging

This function enables monitoring of IPv4Version 4 of the Internet Protocol. or IPv6Version 6 of the Internet Protocol. packets according to a user-defined log expression. The expression must be defined using special symbols.

Packet logging can be cancelled by removing the expression entry.


Kerio Control also offers a packet dump. The packet dump saves the wanted traffic to file which can be downloaded and opened by Wireshark. See the Creating and downloading packet dumps section.

Configuring packet logging

  1. In the administration interface, go to Logs > Debug.
  2. In the context menu, click Packet Logging.
  3. Type an expression.
  4. Click OK.

Logical Expression

Packets can be described by logical expressions following this pattern:

variable1 = value1 & variable2 = value2 | variable3 = value3


  • variable1 ... variableN are characteristic information about the packet (see below)
  • & is the logical operator and
  • | is the logical operator or

Interpretation of logical expressions

Expressions are parsed according to the priority of the individual operators: the & operator is parsed before |. If multiple conditions are connected by the same operator, the expression is parsed from left to right. If necessary, parentheses can be used to determine the priority of conditions:

variable1 = value1 & (variable2 = value2 | variable3 = value3)


The following variables can be used in logical expressions defining packets:


All IP packets are logged (the condition is always met). It would be meaningless to combine the any option with other condition(s).


Source or destination IP addressAn identifier assigned to devices connected to a TCP/IP network. of the packet.


Source IP address.


Destination IP address.

Define conditions for addr, saddr, daddr as follows:

Condition Description
= IPv4 address of the host
= subnet defined by the network IPv4 address and a corresponding subnet mask
= subnet defined by the network IPv4 address and number of bits of the corresponding subnet mask
= IPv4 range (inclusive)
= 2001:abcd:1234::1 IPv6 address of the host
= list:"name of IP group" IP address group
= user:"user1,user2,[group1],user3,[group2]" IP addresses of hosts from which the users are connected

For IPv6 protocol, you can enter only host addresses. It is not possible to specify a subnet by the prefix and its length or by an address range.


Number of source or destination port (TCPTransmission Control Protocol - ensures packet transmission. or UDPUser Datagram Protocol - ensures packet transmission.).


Source port number.


Destination port number.


Interface (in any direction).


Incoming interface.


Outgoing interface.

Allowed conditions:

Condition Description
= "interface name" Interface name used by Kerio Control
= vpnclient Any VPNVirtual private network - A network that enables users connect securely to a private network over the Internet. client
= vpn Any VPN client
= vpn:"name of VPN connection" Name of VPN connection


Packet direction:

  • = in — incoming packet
  • = out — outgoing packet


Flags in TCP header.

Options: FIN SYN RST PSH ACK URG NONE (none) ALL (all).

Any TCP packet containing specified flags (their value is 1) meet the condition. Flags not used in the specification are ignored.

Individual flags of the tcpfl variable can be marked either by the + symbol (the flag is enabled) or by the - symbol (the flag is disabled). All conditions are flagged by default unless one of these symbols is used.

Example: The tcpfl = SYN +ACK -RST expression is met by any packet flagged by SYN and ACK that has a disabled RST flag.


This logical expression defines Microsoft Networking service packets at the Internet interface:

if = "Internet" & (port >= 137 & port <= 139 | port = 445)

This expression defines packets going out through the Internet interface and directed to the WWW server with IP address at port 80 or 8080:

oif = "Internet" & daddr = & (dport = 80 | dport = 8080)

This expression defines incoming TCP packets flagged by SYN (TCP connection establishment):

direc = in & tcpfl = SYN

Creating and downloading packet dumps

  1. In the administration interface, go to Logs > Debug.
  2. In the context menu, click Packet Dump To File.
  3. Type an expression.
  4. To create the packet dump and start logging, click Start.
  5. Do you have enough information? Click Stop.
  6. Click Download and save the file to your computer.