Packet Captures from the WebGUI
The WebGUI offers an easy-to-use front end to tcpdump that performs packet captures which can then be viewed or downloaded for deeper analysis in Wireshark. Because of its simplicity, it can only offer a few options for filtering desired traffic. Even with its limitations, it is sufficient for the capturing needs of most users. If the options available in the GUI are too limiting, skip ahead to Examples of using tcpdump on the command line.
Getting a Packet Capture
To make a packet capture in the GUI, navigate to Diagnostics > Packet Capture.
Configure the options on the page as follows:
- Interface
The network interface from which packets will be captured. Each assigned interface on the firewall will appear in the list, along with one entry for IPsec, and individual entries for each OpenVPN client and server.
- Enable Promiscuous Mode
When checked, a capture will include all traffic arriving on the NIC for any destination MAC Address. Without promiscuous mode, only traffic destined for the host or broadcast will be captured. Certain NICs do not handle promiscuous mode well, so this is unchecked by default.
- Address Family
Limits the capture to only IPv4 or only IPv6 traffic. This is useful when not filtering by IP address.
- Protocol
Lists common protocols such as TCP, UDP, ICMP, ICMP6, CARP and others, and an exclusion option for each. To limit the capture to one of these protocols, select it from the list. To exclude one of the protocols, choose the option for the protocol prefixed with Exclude. The GUI will reject an attempt to submit an invalid combination (e.g. IPv4 only and ICMP6).
- Host Address
Filters traffic going to or from a specific host or CIDR-masked subnet. Leave the field blank to capture traffic to and from any host. Some logic is possible using this field:
  - Exclusions
  Prefix an address with ! to exclude it from the capture.
  - Boolean AND
  Join two addresses with a comma (,) to capture traffic between only the specified hosts (e.g. x.x.x.x,y.y.y.y).
  - Boolean OR
  Join two or more hosts with a pipe (|) to capture traffic to or from any of the specified hosts (e.g. x.x.x.x|y.y.y.y|z.z.z.z).
- Port
Fill in a port number to limit the capture to only TCP or UDP traffic matching the specified port as a source or destination port.
- Packet Length
Sets the size of the packet itself to capture. Usually the full packet is best (0), but for captures run over longer periods of time where the headers matter more than the payload of the packets, limiting this to 64 bytes or so will result in a much smaller capture file that may still have adequate data for troubleshooting purposes.
- Count
Determines how many packets to capture before stopping. If the capture is not limited in any way, bear in mind that this may be “noisy” and this value might need to increase significantly past the default of 100, such as 1000 or 10000.
- Level of Detail
Selects the amount of detail to display in the GUI when viewing a capture. It does not change the level of detail in the capture file itself. This value can be changed afterward; click View Capture to display the capture with the new detail level.
- Reverse DNS Lookup
Causes a reverse DNS lookup to be performed on hosts included in the packet capture. We do not recommend using this option, as it will delay the output due to the extra time taken by reverse DNS lookups. It is also easier to troubleshoot when viewing IP addresses instead of hostnames, and reverse DNS can sometimes be inaccurate.
Click Start to begin capturing packets. The page will display “Packet Capture is running” across the bottom, indicating the capture is in progress.
Click Stop to manually end the capture and view the output. If a maximum packet count was specified for the capture, it will stop automatically when that count is reached.
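To make the mapping between the GUI options above and the underlying tcpdump invocation concrete, here is an added example (not pfSense's own code) that turns the Address Family, Protocol, Host Address, Port, Packet Length, Count, Promiscuous Mode and Reverse DNS settings into a BPF filter and a tcpdump argv. The output path, the rejection of a Host Address that mixes , and |, and the carp keyword are assumptions; the family/protocol check mirrors the combination the page says the GUI refuses.

```python
import ipaddress

FAMILY_KEYWORD = {"IPv4": "ip", "IPv6": "ip6"}
PROTOCOLS = {"tcp", "udp", "icmp", "icmp6", "carp"}  # 'carp' keyword: assumed accepted by libpcap

def _host_term(token: str) -> str:
    """One address or CIDR prefix, optionally prefixed with '!' to exclude it."""
    negate = token.startswith("!")
    addr = token[1:] if negate else token
    net = ipaddress.ip_network(addr, strict=False)  # rejects anything that is not an address
    prim = f"net {net}" if "/" in addr else f"host {net.network_address}"
    return f"not {prim}" if negate else prim

def host_filter(field: str) -> str:
    """Host Address field: ',' ANDs the hosts, '|' ORs them, '!' excludes one."""
    if "," in field and "|" in field:  # precedence of mixed operators is not defined by the page (assumption)
        raise ValueError("mixing ',' and '|' in one field is not supported")
    op = " or " if "|" in field else " and "
    terms = [_host_term(t.strip()) for t in field.replace("|", ",").split(",")]
    return terms[0] if len(terms) == 1 else "(" + op.join(terms) + ")"

def build_filter(family=None, proto=None, exclude_proto=False, hosts="", port=None) -> str:
    """AND the Address Family, Protocol, Host Address and Port options into one BPF expression."""
    clauses = []
    if family:
        clauses.append(FAMILY_KEYWORD[family])
    if proto:
        # Unknown names are rejected so nothing but a known keyword reaches tcpdump; the
        # family/protocol mismatch is the same combination the GUI refuses (IPv4 + ICMP6).
        if proto not in PROTOCOLS or (family, proto) in {("IPv4", "icmp6"), ("IPv6", "icmp")}:
            raise ValueError(f"invalid protocol selection: {family} / {proto}")
        clauses.append(f"not {proto}" if exclude_proto else proto)
    if hosts:
        clauses.append(host_filter(hosts))
    if port is not None:
        if not 0 < int(port) < 65536:
            raise ValueError("port out of range")
        clauses.append(f"port {int(port)}")  # source or destination TCP/UDP port
    return " and ".join(clauses)

def build_command(interface, bpf="", count=100, snaplen=0, promisc=False, resolve=False, output="/tmp/capture.cap"):
    """tcpdump argv as a list, so the filter is never interpolated into a shell string."""
    argv = ["tcpdump", "-i", interface, "-c", str(count), "-s", str(snaplen), "-w", output]
    if not promisc:
        argv.append("-p")  # -p: do not put the NIC into promiscuous mode
    if not resolve:
        argv.append("-n")  # -n: no reverse DNS lookups, as the page recommends
    if bpf:
        argv.append(bpf)
    return argv
```

A snaplen of 0 is tcpdump's "full packet" setting, matching the Packet Length default of 0 described above.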
Viewing the Captured Data
The capture output can be viewed in the WebGUI, or downloaded for later viewing in a program such as Wireshark. For more detail on using Wireshark to view a capture file, see Viewing Packet Capture File later in this chapter.
When the packet capture page is loaded after a capture has been completed, a
View Capture button is presented that will display the
packets from the last capture run. Select the Level of Detail option before
clicking this button to adjust the contents of the display.
Click Download Capture to download this file for later
viewing.
The output shown in the Packets Captured frame is in standard tcpdump
style.