
Packet Capture filtering

We manage 241 firewalls via Central for our customers.  We have management from the internet locked down. When performing a packet capture in the WebUI, there is a "Display Filter" button.  If I want to filter on a specific rule, I have entered the Rule ID (8 in my current attempt) and would expect to see ONLY traffic that matches Rule ID 8. However, nothing happens.  Even if I stop and restart.

How does one get this to work?  Or do I need to remote to a computer on the customer's network and use TCPDUMP?

Using the CLI from reverse proxy (Central) is terrible.  Pretty much unusable unless one feels like taking 2 seconds per keystroke else it's jumbled/out of order for every firewall I've tried over the last 7 or so years.



Added v20.0 MR2 TAG
[edited by: Erick Jan at 2:23 AM (GMT -7) on 17 Oct 2024]
  • The filter is based on the traffic the firewall has already dumped. When you start the dump above, it captures traffic (based on the BPF string). 
    Then you can filter the results like you would do it in Wireshark. 

    So: BPF String : tcpdump -OPTIONS

    Display Filter : tcpdump | grep Something

    For example (screenshot of the capture table with an applied display filter; image not reproduced here).
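
    The capture-time versus display-time distinction in the reply above, as an added example that is not from the thread or from Sophos. The row layout is a constructed approximation of the columns the SFOS capture table shows, and the field names are assumptions; it also shows why a literal `grep` for "8" would match more than Rule ID 8.

```python
# Added example (not from the thread or from Sophos): models the difference the
# reply describes between the capture-time BPF string and the display filter.
# Row layout is a constructed approximation of the SFOS capture table; the
# field names are assumptions, not the product's own.

# Constructed sample rows, as if captured with an empty BPF string.
CAPTURED = [
    {"time": "10:00:01", "src": "10.0.0.5", "dst": "8.8.8.8",       "dport": 53,  "rule_id": 8,  "status": "Allowed"},
    {"time": "10:00:02", "src": "10.0.0.9", "dst": "1.1.1.1",       "dport": 443, "rule_id": 18, "status": "Allowed"},
    {"time": "10:00:03", "src": "10.0.0.5", "dst": "10.0.1.20",     "dport": 445, "rule_id": 3,  "status": "Denied"},
    {"time": "10:00:04", "src": "10.0.0.7", "dst": "93.184.216.34", "dport": 80,  "rule_id": 8,  "status": "Allowed"},
]


def capture(packets, bpf):
    """Capture-time filter (the BPF string): rows the predicate rejects are
    never stored, so no later display filter can bring them back."""
    return [p for p in packets if bpf(p)]


def display_filter(rows, **criteria):
    """Display-time filter over rows already captured: exact per-field match,
    e.g. display_filter(rows, rule_id=8). It can only narrow the capture."""
    return [r for r in rows if all(r.get(k) == v for k, v in criteria.items())]


def grep_filter(rows, needle):
    """The `tcpdump | grep` analogy taken literally: substring match over the
    whole row, so "8" also hits rule 18, port 80 and 8.8.8.8."""
    return [r for r in rows if needle in " ".join(str(v) for v in r.values())]


if __name__ == "__main__":
    print("rule 8 (field match):", [r["time"] for r in display_filter(CAPTURED, rule_id=8)])
    print("'8' (substring grep):", [r["time"] for r in grep_filter(CAPTURED, "8")])
    # A BPF string restricting the capture to one host is applied first;
    # the display filter for rule 8 then only sees that host's packets.
    host_only = capture(CAPTURED, lambda p: p["src"] == "10.0.0.5")
    print("rule 8 after host BPF:", [r["time"] for r in display_filter(host_only, rule_id=8)])
```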

  • I'm very familiar with using BPF strings. What I want to know is why, when using display filter, it shows everything, not what I'm asking for?

    In my last attempt, I wanted to see what traffic is matching rule #8.  So I enter 8 in the rule section of the display filter and it shows traffic matching every rule, not just rule 8.  

    Sophos Firewall Engineer 16.0-20.0
    Sophos Firewall Architect 18.0-20.0
    Sophos Firewall Technician 18.0-20.0
    Sophos Central & Endpoint Architect 3.0-4.0
    Sophos Central Email v2.0
    Sophos Mobile v9.6
    Sophos ZTNA 1.0, 2.0
    Synchronized Security Accredited
    Sophos Gold Partner
