
Packet Capture filtering

We manage 241 firewalls via Central for our customers.  We have management from the internet locked down. When performing a packet capture in the WebUI, there is a "Display Filter" button.  If I want to filter on a specific rule, I have entered the Rule ID (8 in my current attempt) and would expect to see ONLY traffic that matches Rule ID 8. However, nothing happens.  Even if I stop and restart.

How does one get this to work?  Or do I need to remote to a computer on the customer's network and use TCPDUMP?

Using the CLI from reverse proxy (Central) is terrible.  Pretty much unusable unless one feels like taking 2 seconds per keystroke else it's jumbled/out of order for every firewall I've tried over the last 7 or so years.



Added v20.0 MR2 TAG
[edited by: Erick Jan at 2:23 AM (GMT -7) on 17 Oct 2024]
  • The filter is based on the traffic the firewall has already dumped. When you start the dump above, it captures traffic (based on the BPF string). 
    Then you can filter the results like you would do it in Wireshark. 

    So: BPF String : tcpdump -OPTIONS

    Display Filter : tcpdump | grep Something

    For example: 

    Here with an applied filter: 

    __________________________________________________________________________________________________________________
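    To make the two stages concrete, here is an added illustration (not the firewall's own code; the capture rows and the field names `src`, `dst`, `proto`, `dport` and `rule_id` are constructed assumptions). It shows that the display filter only narrows what the capture-time BPF already dumped, so a rule-ID display filter can return nothing when the BPF excluded that traffic in the first place.

```python
"""Two-stage packet-capture filtering: a capture-time BPF decides what is
dumped, and a display filter only narrows what was already dumped.
Rows and field names below are constructed for this example and are NOT
the firewall's real capture format."""
from typing import Callable, Dict, Iterable, List, Optional

Packet = Dict[str, object]
Bpf = Callable[[Packet], bool]

# Constructed sample capture rows (not from a real firewall).
PACKETS: List[Packet] = [
    {"src": "10.1.1.10", "dst": "8.8.8.8",  "proto": "udp", "dport": 53,  "rule_id": 8},
    {"src": "10.1.1.11", "dst": "1.1.1.1",  "proto": "tcp", "dport": 443, "rule_id": 23},
    {"src": "10.1.1.12", "dst": "10.2.2.2", "proto": "tcp", "dport": 22,  "rule_id": 8},
    {"src": "10.1.1.13", "dst": "9.9.9.9",  "proto": "tcp", "dport": 80,  "rule_id": 5},
]


def capture(packets: Iterable[Packet], bpf: Optional[Bpf] = None) -> List[Packet]:
    """Stage 1 (the BPF string): runs at capture time; rejected packets are never dumped."""
    return [p for p in packets if bpf is None or bpf(p)]


def display(captured: Iterable[Packet], rule_id: Optional[int] = None,
            exclude_rule: Optional[int] = None, **fields: object) -> List[Packet]:
    """Stage 2 (the display filter, i.e. the `tcpdump | grep` step): filters the dumped set.
    rule_id keeps only one rule, exclude_rule drops one rule, extra fields must match exactly."""
    out: List[Packet] = []
    for p in captured:
        if rule_id is not None and p["rule_id"] != rule_id:
            continue
        if exclude_rule is not None and p["rule_id"] == exclude_rule:
            continue
        if any(p.get(k) != v for k, v in fields.items()):
            continue
        out.append(p)
    return out


def rule_ids(rows: Iterable[Packet]) -> List[int]:
    """Distinct rule IDs present in a set of rows, sorted (handy for checking a filter)."""
    return sorted({int(p["rule_id"]) for p in rows})


if __name__ == "__main__":
    dumped = capture(PACKETS)                     # no BPF: everything is dumped
    print("only rule 8:", rule_ids(display(dumped, rule_id=8)))
    print("without rule 23:", rule_ids(display(dumped, exclude_rule=23)))
    # Caveat: a BPF that only captured TCP/443 leaves nothing for a rule-8 display filter to show.
    narrow = capture(PACKETS, bpf=lambda p: p["proto"] == "tcp" and p["dport"] == 443)
    print("rule 8 after narrow BPF:", display(narrow, rule_id=8))
```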

  • I'm very familiar with using BPF strings. What I want to know is why, when using display filter, it shows everything, not what I'm asking for?

    In my last attempt, I wanted to see what traffic is matching rule #8.  So I enter 8 in the rule section of the display filter and it shows traffic matching every rule, not just rule 8.  

    Sophos Firewall Engineer 16.0-20.0
    Sophos Firewall Architect 18.0-20.0
    Sophos Firewall Technician 18.0-20.0
    Sophos Central & Endpoint Architect 3.0-4.0
    Sophos Central Email v2.0
    Sophos Mobile v9.6
    Sophos ZTNA 1.0, 2.0
    Synchronized Security Accredited
    Sophos Gold Partner

  • Can you show us an example of it? 

    __________________________________________________________________________________________________________________

  • Have traffic hitting one rule group that should allow specific traffic for a bank (FDIC requires outbound be locked down). 

    Moving them from a LAN to WAN, any/any rule. I still see traffic counters incrementing on the LAN to WAN any/any rule.


    WebUI Packet capture display filter is set as such

    Packet Capture still shows traffic matching rule 23, which I am trying to exclude from the view.



  • Can you reproduce this on multiple firewalls? I tested now multiple firewalls and the filter works on all of them. 

    __________________________________________________________________________________________________________________

  • I've never had this work in any firewall I've ever tried it on.


  • Just tried on my firewall and it works. V21 EAP.  Tested on a customer firewall (v20.0.2) and it doesn't work. Exact same steps. (even same #8 firewall rule).
