Selecting the Proper Interface

To perform a packet capture, first determine the location from which the capture must be taken. A packet capture will look different depending upon the chosen interface. In certain scenarios it is better to capture on one specific interface; in others, running multiple simultaneous captures on different interfaces is preferable.

To use tcpdump at the command line, the “real” interface names that go with the friendly names shown in the WebGUI must be known. Visit Interfaces > (assign) and make a note of which physical interfaces (e.g. igb1) correspond with the friendly interface names on the firewall (e.g. WAN). The table Real Interfaces vs. Friendly Names lists common additional unassigned interface names that are present in many firewalls, depending on their configuration.

Real Interfaces vs. Friendly Names

Real/Physical Name                       Friendly Name
enc0                                     IPsec, encrypted traffic
ovpnc0 … ovpnc<x>, ovpns0 … ovpns<x>     OpenVPN, encrypted traffic (Clients, Servers)
pppoe0 … pppoe<x>, poes0 … poes<x>       PPPoE WAN, PPPoE Server
l2tp0 … l2tp<x>, l2tps0 … l2tps<x>       L2TP WAN, L2TP Server
lo0                                      Loopback Interface
pfsync0                                  pfsync interface – used internally
pflog0                                   pf logging – used internally

When selecting an interface, start with where the traffic flows into the firewall. For example, if a user is having trouble connecting to a port forward from outside the network, start with the WAN interface since that is where the traffic originates. If a client PC cannot reach the Internet, start with the LAN interface. When in doubt, try multiple interfaces and filter for the IP addresses or ports in question, keeping in mind when NAT will be applied.
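
The port forward case above, as an added example that is not part of the original documentation: two simultaneous captures whose filters differ on each side of NAT. Only igb1 as WAN comes from the page; igb0 as the LAN interface, every address and port, and the output file names are constructed assumptions to be replaced with real values.

```shell
#!/bin/sh
# Added example: capture one port forward on WAN and LAN at the same time.
# Every value below is constructed; take the real interface names from
# Interfaces > (assign).
WAN_IF="igb1"              # real name behind WAN (the page's example)
LAN_IF="igb0"              # assumed real name behind LAN
CLIENT_IP="203.0.113.25"   # outside client (constructed)
WAN_IP="198.51.100.10"     # firewall WAN address (constructed)
WAN_PORT="8443"            # external port of the port forward (constructed)
SERVER_IP="192.168.1.50"   # internal target of the port forward (constructed)
SERVER_PORT="443"          # internal port (constructed)

# Print the tcpdump command line for one side of the NAT.
# $1 = wan | lan. Returns non-zero for anything else.
capture_cmd() {
    case "$1" in
        wan)
            # Before NAT: packets still carry the WAN address and external port.
            echo "tcpdump -n -i $WAN_IF -c 200 -w /tmp/pf_wan.pcap" \
                 "host $CLIENT_IP and host $WAN_IP and tcp port $WAN_PORT"
            ;;
        lan)
            # After NAT: destination is rewritten to the internal server and port.
            echo "tcpdump -n -i $LAN_IF -c 200 -w /tmp/pf_lan.pcap" \
                 "host $CLIENT_IP and host $SERVER_IP and tcp port $SERVER_PORT"
            ;;
        *)
            echo "usage: capture_cmd wan|lan" >&2
            return 1
            ;;
    esac
}

# Start both captures in the background and wait for them to finish.
# Each stops after 200 packets (-c 200); interrupt with Ctrl-C if traffic is sparse.
run_captures() {
    wan_cmd=$(capture_cmd wan) || return 1
    lan_cmd=$(capture_cmd lan) || return 1
    $wan_cmd &
    $lan_cmd &
    wait
}

# Captures start only when the script is invoked with the argument "run".
if [ "${1:-}" = "run" ]; then
    run_captures
fi
```

If packets appear in /tmp/pf_wan.pcap but not in /tmp/pf_lan.pcap, the traffic reached the firewall but was not passed or translated toward the server; if they appear in both, the problem lies beyond the firewall.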