Packet Capture filtering

Filter is based on the traffic, the firewall already dumped. When you start the dump above, it captures traffic (based on the BPF string). 
Then you can filter the results like you would do it in Wireshark. 

So: BPF String : tcpdump -OPTIONS

Display Filter : tcpdump | grep Something

For example: 

Here with a applied filter: 

I'm very familiar with using BPF strings.What I want to know is why, when using display filter, it shows everything, not what I'm asking for?

In my last attempt, I wanted to see what traffic is matching rule #8.  So I enter 8 in the rule section of the display filter and it shows traffic matching every rule, not just rule 8.  

I'm very familiar with using BPF strings.What I want to know is why, when using display filter, it shows everything, not what I'm asking for?

In my last attempt, I wanted to see what traffic is matching rule #8.  So I enter 8 in the rule section of the display filter and it shows traffic matching every rule, not just rule 8.  

Can you show us an example of it? 

Have traffic hitting one rule group that should allow specific traffic for a bank (FDIC requires outbound be locked down). 

Moving them from a LAN to WAN, any/any rule. I still see traffic counters incrementing on the LAN to WAN any/any rule.


WebUI Packet capture display filter is set as such

Packet Capture still shows traffic matching rule 23, which I am trying to exclude from the view.

.

Can you reproduce this on multiple firewalls? I tested now multiple firewalls and the filter works on all of them. 

I've never had this work in any firewall I've ever tried it on.

Just tried on my firewall and it works. V21 EAP.  Tested on a customer firewall (v20.0.2) and it doesn't work. Exact same steps. (even same #8 firewall rule).