Selecting the Proper Interface

To perform a packet capture, first determine where to take the capture. A packet capture looks different depending on the chosen interface. In some scenarios it is better to capture on one specific interface; in others, running multiple simultaneous captures on different interfaces is preferable.

Using tcpdump at the command line requires the “real” interface names that go with the friendly names shown in the firewall GUI. Visit Interfaces > Assignments and make a note of which OS interfaces (e.g. igb1) correspond with the friendly interface names on the firewall (e.g. WAN). The table Real Interfaces vs. Friendly Names lists common additional unassigned interface names that are present on many firewalls, depending on their configuration.

Real Interfaces vs. Friendly Names

| Real/Physical Name | Friendly Name |
|--------------------|---------------|
| enc0, ipsecX | IPsec, encrypted traffic |
| ovpncX, ovpnsX | OpenVPN, encrypted traffic (Clients, Servers) |
| pppoeX, poesX | PPPoE WAN, PPPoE Server |
| l2tpX, l2tpsX | L2TP WAN, L2TP Server |
| lo0 | Loopback Interface |
| pfsync0 | pfsync interface – used internally |
| pflog0 | pf logging – used internally |

When selecting an interface, start with where the traffic flows into the firewall. For example, if a user is having trouble connecting to a port forward from outside the network, start with the WAN interface since that is where the traffic originates. If a client PC cannot reach the Internet, start with the LAN interface. When in doubt, try multiple interfaces and filter for the IP addresses or ports in question, keeping in mind when NAT will be applied.
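The port forward case above, as an added example that is not part of the original documentation: it builds one tcpdump command per interface, with the filter adjusted for where NAT has or has not yet rewritten the destination. The LAN interface name (igb0), all addresses and ports, and the function names are constructed sample values.

```sh
#!/bin/sh
# Added example: matching tcpdump commands for an inbound port forward,
# one per interface, so both captures can run at the same time.
# Addresses, ports and the LAN interface name are constructed samples.

WAN_IF="igb1"            # real name of WAN (example from the text above)
LAN_IF="igb0"            # assumed real name of LAN
CLIENT_IP="203.0.113.50" # outside client (documentation address)
WAN_IP="198.51.100.10"   # firewall WAN address (documentation address)
WAN_PORT="8443"          # external port of the port forward
SERVER_IP="192.168.1.20" # internal target of the port forward
SERVER_PORT="443"        # internal port after translation

# pcap_filter SIDE: print the capture filter for "wan" or "lan".
# WAN shows the pre-NAT destination, LAN shows the translated one. The
# client address is the same on both sides because a port forward only
# rewrites the destination. "host A and host B" matches both directions,
# so replies from the server are captured as well.
pcap_filter() {
    case "$1" in
        wan) echo "host $CLIENT_IP and host $WAN_IP and tcp port $WAN_PORT" ;;
        lan) echo "host $CLIENT_IP and host $SERVER_IP and tcp port $SERVER_PORT" ;;
        *)   echo "unknown side: $1" >&2; return 1 ;;
    esac
}

# capture_cmd SIDE: print the full tcpdump command line for that side.
# -n disables name resolution, -c 100 stops after 100 packets.
capture_cmd() {
    filter=$(pcap_filter "$1") || return 1
    case "$1" in
        wan) ifname=$WAN_IF ;;
        lan) ifname=$LAN_IF ;;
    esac
    echo "tcpdump -n -c 100 -i $ifname '$filter'"
}

# Print both commands; run each in its own shell session on the firewall.
capture_cmd wan
capture_cmd lan
```

If packets appear on WAN but not on LAN, the firewall is not passing or translating them; if they appear on both but no replies come back on LAN, look at the internal server.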