Packet Captures from the WebGUI

The WebGUI offers an easy-to-use front end to tcpdump that performs packet captures which can then be viewed or downloaded for deeper analysis in Wireshark. Because of its simplicity, it can only offer a few options for filtering desired traffic. Even with its limitations, it is sufficient for the capturing needs of most users. If the options available in the GUI are too limiting, skip ahead to Using tcpdump from the command line.

Getting a Packet Capture

To make a packet capture in the GUI, navigate to Diagnostics > Packet Capture.

Configure the options on the page as follows:

Interface:

The network interface from which packets will be captured. Each assigned interface on the firewall will appear in the list, along with one entry for IPsec, and individual entries for each OpenVPN client and server.

Enable Promiscuous Mode:

When checked, the capture includes every frame the NIC receives, regardless of its destination MAC address. Without promiscuous mode, only frames addressed to the firewall's own MAC address, broadcast frames, and multicast groups the NIC has joined are captured. Bear in mind that on a switched network the NIC still only receives what the switch forwards to its port, so promiscuous mode alone does not reveal traffic between other hosts unless the switch port is mirrored. Certain NICs do not handle promiscuous mode well, so this is unchecked by default.

Address Family:

Limits the capture to only IPv4 or only IPv6 traffic. This is useful when not filtering by IP address.

Protocol:

Lists common protocols such as TCP, UDP, ICMP, ICMP6, CARP and others, and an exclusion option for each. To limit the capture to one of these protocols, select it from the list. To exclude one of the protocols, choose the option for the protocol prefixed with Exclude. The GUI will reject an attempt to submit an invalid combination (e.g. IPv4 only together with ICMP6).

Host Address:

Filters traffic going to or from a specific host or CIDR-masked subnet. Leave the field blank to capture traffic to and from any host. Some logic is possible using this field:

Exclusions: Prefix an address with ! to exclude it from the capture
Boolean AND: Join two addresses with a comma (,) to capture only traffic between the specified hosts (e.g. x.x.x.x,y.y.y.y)
Boolean OR: Join two or more hosts with a pipe (|) to capture traffic to or from any of the specified hosts (e.g. x.x.x.x|y.y.y.y|z.z.z.z)

Port:

Fill in a port number to limit the capture to TCP or UDP packets with the specified port as either the source or the destination port.

Packet Length:

Sets how many bytes of each packet to capture (the snapshot length). 0 captures the full packet, which is usually best. For captures run over longer periods of time where the headers matter more than the payload, limiting this to around 64 bytes produces a much smaller capture file that may still hold adequate data for troubleshooting. Note that 64 bytes covers an untagged Ethernet header plus a plain IPv4 header and a TCP header without options; TCP options, the transport header of IPv6 packets, and any payload are cut off, and Wireshark will flag such packets as truncated.

Count:

Determines how many packets to capture before stopping. If the capture is not limited in any way, bear in mind that this may be “noisy” and this value might need to increase significantly past the default of 100, such as 1000 or 10000.

Level of Detail:

Selects the amount of detail to display in the GUI when viewing a capture. It does not change the level of detail in the capture file itself. This value can be changed afterward; click View Capture to display the capture with the new detail level.

Reverse DNS Lookup:

Causes a reverse DNS lookup to be performed on hosts included in the packet capture. This option is not recommended: the lookups delay the output, IP addresses are easier to work with than hostnames when troubleshooting, and reverse DNS can be inaccurate. In particular, whoever controls an address also controls its PTR record, so the name shown cannot be trusted to identify the host.

Click Start to begin capturing packets. The page will display “Packet Capture is running” across the bottom, indicating the capture is in progress.

Click Stop to manually end the capture and view the output. If a maximum packet count was specified for the capture, it will stop automatically when that count is reached.
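The GUI assembles a tcpdump invocation from the fields above. The following Python is an added example, not pfSense's own code: it maps the same fields onto a tcpdump filter expression and command line, turning the Host Address syntax (!, comma, pipe) into BPF host and net clauses, the Address Family and Protocol choices into ip/ip6 and protocol keywords, Packet Length into the snapshot length, and rejecting the IPv4-only plus ICMP6 pairing the way the GUI does. The interface name em0, the output file name packetcapture.cap, the numeric "proto 112" spelling for CARP, and the rule that a comma binds tighter than a pipe are assumptions of this example.

```python
"""Map the Diagnostics > Packet Capture fields onto a tcpdump command line.

Added example, not pfSense's own code.  The interface name, output file
name, the numeric CARP spelling and the precedence of ',' over '|' are
assumptions of this example.
"""
import ipaddress
import shlex

# BPF keywords behind the Address Family and Protocol drop-downs.
FAMILY_KW = {"any": None, "ipv4": "ip", "ipv6": "ip6"}
PROTO_KW = {
    "any": None,
    "tcp": "tcp",
    "udp": "udp",
    "icmp": "icmp",        # IPv4 only
    "icmp6": "icmp6",      # IPv6 only
    "carp": "proto 112",   # CARP is IP protocol 112 (assumption: spelled numerically)
}
# Family/protocol pairs that can never match; the GUI rejects these as well.
CONFLICTS = {("ipv4", "icmp6"), ("ipv6", "icmp")}


def _host_atom(atom):
    """'!10.0.0.0/8' -> 'not net 10.0.0.0/8', '192.0.2.1' -> 'host 192.0.2.1'.

    ipaddress validates the text, so a typo raises ValueError instead of
    silently producing a filter that matches nothing."""
    atom = atom.strip()
    negate = atom.startswith("!")
    if negate:
        atom = atom[1:].strip()
    if "/" in atom:
        net = ipaddress.ip_network(atom, strict=False)   # normalises host bits away
        clause = f"net {net.with_prefixlen}"
    else:
        clause = f"host {ipaddress.ip_address(atom)}"
    return f"not {clause}" if negate else clause


def host_clause(expr):
    """Translate the Host Address mini-syntax: '|' separates alternatives (OR),
    ',' joins addresses within an alternative (AND).  Blank field -> None."""
    if not expr or not expr.strip():
        return None
    groups = []
    for alt in expr.split("|"):
        atoms = [_host_atom(a) for a in alt.split(",") if a.strip()]
        if not atoms:
            raise ValueError(f"empty host term in {expr!r}")
        groups.append(atoms)
    if len(groups) == 1:
        return " and ".join(groups[0])
    parts = [g[0] if len(g) == 1 else "(" + " and ".join(g) + ")" for g in groups]
    return "(" + " or ".join(parts) + ")"


def build_filter(host="", family="any", protocol="any", exclude_proto=False, port=None):
    """Combine the GUI fields into one filter expression ('' captures everything)."""
    if (family, protocol) in CONFLICTS:
        raise ValueError(f"{protocol} traffic cannot occur in an {family}-only capture")
    clauses = []
    if FAMILY_KW[family]:
        clauses.append(FAMILY_KW[family])
    if PROTO_KW[protocol]:
        kw = PROTO_KW[protocol]
        clauses.append(f"not {kw}" if exclude_proto else kw)   # the "Exclude X" choices
    hc = host_clause(host)
    if hc:
        clauses.append(hc)
    if port is not None:
        port = int(port)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        clauses.append(f"port {port}")   # matches either source or destination port
    return " and ".join(clauses)


def tcpdump_argv(iface, promisc=False, snaplen=0, count=100,
                 outfile="packetcapture.cap", **filter_fields):
    """The tcpdump argument vector equivalent to one run of the GUI form."""
    argv = ["tcpdump", "-i", iface, "-n"]   # -n: no reverse DNS, as the page advises
    if not promisc:
        argv.append("-p")                    # tcpdump is promiscuous unless told otherwise
    argv += ["-s", str(snaplen),             # 0 = full packet (tcpdump's default snaplen)
             "-c", str(count),               # stop after this many packets
             "-w", outfile]                  # write a pcap for Wireshark instead of decoding
    expr = build_filter(**filter_fields)
    if expr:
        argv.append(expr)
    return argv


if __name__ == "__main__":
    argv = tcpdump_argv("em0", count=1000, family="ipv4", protocol="tcp",
                        host="192.0.2.10,198.51.100.5", port=443)
    print(shlex.join(argv))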

Viewing the Captured Data

The capture output can be viewed in the WebGUI, or downloaded for later viewing in a program such as Wireshark. For more detail on using Wireshark to view a capture file, see Viewing Packet Capture File later in this chapter. Bear in mind that a capture taken with the full packet length contains complete payloads, which may include credentials or other sensitive data, so handle the capture file accordingly.

When the packet capture page is loaded after a capture has been completed, a View Capture button is presented that will display the packets from the last capture run. Select the Level of Detail option before clicking this button to adjust the contents of the display.

Click Download Capture to download this file for later viewing.

The output shown in the Packets Captured frame is in standard tcpdump style.