Selecting the Proper Interface
To perform a packet capture, first determine where to take the capture. A packet capture looks different depending on the chosen interface. In certain scenarios it is better to capture on one specific interface; in others, running multiple simultaneous captures on different interfaces is preferable.
Using tcpdump at the command line requires the “real” interface names that go with the friendly names shown in the firewall GUI. Visit Interfaces > Assignments and make a note of which OS interfaces (e.g. igb1) correspond with the friendly interface names on the firewall (e.g. WAN).
Real Interfaces vs. Friendly Names lists common additional unassigned interface names that are present in many firewalls, depending on their configuration.
| Real/Physical Name | Friendly Name |
|---|---|
|  | IPsec, encrypted traffic |
|  | OpenVPN, encrypted traffic (Clients, Servers) |
|  | PPPoE WAN, PPPoE Server |
|  | L2TP WAN, L2TP Server |
|  | Loopback Interface |
|  | pfsync interface – used internally |
|  | pf logging – used internally |
When selecting an interface, start with where the traffic flows into the firewall. For example, if a user is having trouble connecting to a port forward from outside the network, start with the WAN interface since that is where the traffic originates. If a client PC cannot reach the Internet, start with the LAN interface. When in doubt, try multiple interfaces and filter for the IP addresses or ports in question, keeping in mind when NAT will be applied.
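The port forward case above, worked through as an added example (not part of the original documentation): it builds one tcpdump command per interface, with a different filter on each side because NAT rewrites the destination between WAN and LAN. The interface names, addresses, ports, packet limit and output paths are constructed sample values; substitute the real names from Interfaces > Assignments.

```shell
#!/bin/sh
# Constructed sample values (assumptions, not taken from the page).
WAN_IF="igb1"             # real name behind the friendly name WAN
LAN_IF="igb2"             # real name behind the friendly name LAN (assumed)
WAN_IP="198.51.100.10"    # firewall WAN address (documentation range)
EXT_PORT="8443"           # port the outside client connects to
SERVER_IP="192.168.1.50"  # internal host the port forward targets
INT_PORT="443"            # port on the internal host

# WAN side: inbound packets are captured before NAT is applied, so they
# are still addressed to the WAN address and the external port.
wan_filter() {
    printf 'tcp and host %s and port %s' "$WAN_IP" "$EXT_PORT"
}

# LAN side: packets leaving toward the server are captured after NAT,
# so they carry the internal address and the internal port.
lan_filter() {
    printf 'tcp and host %s and port %s' "$SERVER_IP" "$INT_PORT"
}

# Build a tcpdump command line for one interface.
#   -n  no name resolution     -i  interface to capture on
#   -c  stop after N packets   -w  write raw packets to a pcap file
capture_cmd() {
    printf "tcpdump -n -i %s -c 200 -w /tmp/%s.pcap '%s'" "$1" "$1" "$2"
}

# Print both commands; run them in two sessions for simultaneous captures.
print_plan() {
    capture_cmd "$WAN_IF" "$(wan_filter)"; echo
    capture_cmd "$LAN_IF" "$(lan_filter)"; echo
}

print_plan
```

Traffic that appears in the WAN capture but never in the LAN capture did not make it through the firewall; traffic that appears in both without replies from the internal host points at that host instead.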