Hi everyone,
my firewall blocks some packets that I'd like to inspect further. But when I use "packet capture" on the interface, I don't see these packets. Is this because the packet filter runs before the packet capture, so that packets that are not let in by the firewall rule don't even make it to the packet capture?
Is there a way around that (to capture even packets not allowed into the firewall by a rule on the interface in question)?
(I had already checked the "promiscuous" box on the capture job.)
Regards
Two useful questions: are you using IPS? What version are you on?
Cheers,
Franco
Sorry:
No, I don't use IPS.
Version is 25.7.2.
Ok, and what packets are you expecting that you're not seeing?
Cheers,
Franco
Quote from: 150d on August 29, 2025, 12:57:08 PM
Is this because the packet filter runs before the packet capture, so that packets that are not let in by the firewall rule don't even make it to the packet capture?
Packet capture runs before/below anything else. If you do not see a particular packet on a particular interface in promiscuous mode, that is because it's not there.
Make sure to eliminate glitches caused by DNS lookups by running e.g.
tcpdump -n -i <interface>
E.g. this packet:
(from firewall/log/live)
__timestamp__ 2025-08-29T13:17:29
action [block]
anchorname
datalen 354
dir [in]
dst 10.1.1.5
dstport 67
ecn
id 62914
interface igc0_vlan5
interface_name VLAN5_IoT
ipflags DF
ipversion 4
label block to unrestricted VLANs
length 374
offset 0
protoname udp
protonum 17
reason match
rid ccafb7f40b2dd9edf15670b0fdcbd410
rulenr 109
src 10.5.1.109
srcport 68
subrulenr
tos 0x0
ttl 64
10.1.1.5 is a DHCP server; the client (10.5.1.109) is sending a unicast packet to the server. It shouldn't do that; there is a DHCP relay running on OPNsense which should handle all DHCP broadcasts (and which is working fine).
I wanted to look at the packet to get a clue as to why the client is behaving in this way.
Quote:
Make sure to eliminate glitches caused by DNS lookups by running e.g.
tcpdump -n -i <interface>
Does it make a difference that I'm using the GUI capture instead of running tcpdump on the console myself?
No idea, never used the UI.
Okay, now that's different:
When I run tcpdump on the console, the missing packets are there. They are not there if I run a capture job on the GUI for the same interface, with or without promiscuous mode.
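To check on the console for exactly the packet the firewall log reported, here is an added helper (not code from the thread or from OPNsense) that turns a firewall/log/live entry like the one quoted above into a tcpdump filter, using -n as advised. It assumes the entry is pasted as one "key value" per line, as it appears in the thread; the sample entry below is a constructed excerpt of that log.

```python
from typing import Dict

# Constructed sample: an excerpt of the "block" entry quoted in the thread,
# including a key with no value (anchorname) and a value containing spaces (label).
SAMPLE_ENTRY = """\
action [block]
anchorname
dir [in]
dst 10.1.1.5
dstport 67
interface igc0_vlan5
label block to unrestricted VLANs
protoname udp
src 10.5.1.109
srcport 68
"""


def parse_live_log(text: str) -> Dict[str, str]:
    """Parse 'key value' lines; a key with no value (anchorname, ecn) maps to ''."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.strip().partition(" ")
        fields[key] = value.strip().strip("[]")  # "[block]" -> "block"
    return fields


def bpf_filter(fields: Dict[str, str]) -> str:
    """Build a BPF expression matching the logged 5-tuple (ports only for tcp/udp)."""
    parts = [fields["protoname"], f"src host {fields['src']}", f"dst host {fields['dst']}"]
    if fields["protoname"] in ("tcp", "udp"):
        parts += [f"src port {fields['srcport']}", f"dst port {fields['dstport']}"]
    return " and ".join(parts)


def tcpdump_command(fields: Dict[str, str]) -> str:
    """Console command for the logged interface; -n avoids DNS lookups (see thread)."""
    return f"tcpdump -n -i {fields['interface']} '{bpf_filter(fields)}'"


if __name__ == "__main__":
    entry = parse_live_log(SAMPLE_ENTRY)
    print(f"{entry['action']} {entry['dir']} on {entry['interface']}: {entry['label']}")
    print(tcpdump_command(entry))
```

Paste the full entry (all 26 lines) and the extra keys are kept too, so the printed action, direction and rule label can be compared with what tcpdump then shows on the console.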