Selecting the Proper Interface

To perform a packet capture, first determine the location from which the capture must be taken. A packet capture will look different depending upon the chosen interface. In certain scenarios it is better to capture on one specific interface, and in others, running multiple simultaneous captures on different interfaces is preferable.

To use tcpdump at the command line, the “real” interface names that go with the friendly names shown in the WebGUI must be known. Visit Interfaces > (assign) and make a note of which physical interfaces (e.g. igb1) correspond with the friendly interface names on the firewall (e.g. WAN). The table Real Interfaces vs. Friendly Names lists common additional unassigned interface names that are present in many firewalls, depending on their configuration.

Real Interfaces vs. Friendly Names

Real/Physical Name                       Friendly Name
enc0                                     IPsec, encrypted traffic
ovpnc0 … ovpnc<x>, ovpns0 … ovpns<x>     OpenVPN, encrypted traffic (Clients, Servers)
pppoe0 … pppoe<x>, poes0 … poes<x>       PPPoE WAN, PPPoE Server
l2tp0 … l2tp<x>, l2tps0 … l2tps<x>       L2TP WAN, L2TP Server
lo0                                      Loopback Interface
pfsync0                                  pfsync interface – used internally
pflog0                                   pf logging – used internally

When selecting an interface, start with where the traffic flows into the firewall. For example, if a user is having trouble connecting to a port forward from outside the network, start with the WAN interface since that is where the traffic originates. If a client PC cannot reach the Internet, start with the LAN interface. When in doubt, try multiple interfaces and filter for the IP addresses or ports in question, keeping in mind when NAT will be applied.
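
The port forward case above, as an added example that is not part of the original documentation: a script that captures on WAN and LAN at the same time, with each filter written for the addresses and ports visible on that side of NAT. The LAN interface name igb0, the addresses, ports, packet count and output paths are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: paired captures for a port forward that fails from outside.
# Every value below is a constructed placeholder, not taken from a real firewall.
WAN_IF="igb1"            # real name behind WAN (the page's example name)
LAN_IF="igb0"            # assumed real name behind LAN
CLIENT="198.51.100.25"   # outside client used for the test
EXT_PORT=8443            # port the client connects to on the WAN address
INT_HOST="192.168.1.50"  # internal server the port forward points at
INT_PORT=443             # port on the internal server
COUNT=200                # stop each capture after this many packets
DRY_RUN="${DRY_RUN:-1}"  # 1 = only print the commands, 0 = run tcpdump

# WAN: traffic is seen as the client sent it, so match the external port.
wan_filter() {
    echo "host $CLIENT and tcp port $EXT_PORT"
}

# LAN: the port forward has already rewritten the destination, so match
# the internal server and its port. The client address is unchanged.
lan_filter() {
    echo "host $CLIENT and host $INT_HOST and tcp port $INT_PORT"
}

# capture IFACE PCAP_FILE FILTER
capture() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "tcpdump -n -i $1 -c $COUNT -w $2 '$3'"
    else
        tcpdump -n -i "$1" -c "$COUNT" -w "$2" "$3"
    fi
}

# Run both captures at the same time, then wait for both to finish.
capture "$WAN_IF" /tmp/wan.pcap "$(wan_filter)" &
capture "$LAN_IF" /tmp/lan.pcap "$(lan_filter)" &
wait
```

Set DRY_RUN=0 to run the captures on the firewall instead of printing the commands. Packets that appear in /tmp/wan.pcap but not in /tmp/lan.pcap reached the firewall without being passed on to the LAN, while packets present in both with no replies point at the internal server.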