packet capture firewalled?

Started by 150d, August 29, 2025, 12:57:08 PM

Hi everyone,

my firewall blocks some packets that I'd like to inspect further. But when I use "packet capture" on the interface, I don't see these packets. Is this because the packet filter runs before the packet capture, so that packets that are not let in by the firewall rule don't even make it to the packet capture?

Is there a way around that (to capture even packets not allowed into the firewall by a rule on the interface in question?)

(I had already checked the "promiscuous" box on the capture job.)

Regards

Two useful questions: are you using IPS? What version are you on?


Cheers,
Franco

Sorry:

No, I don't use IPS.

Version is 25.7.2.

Ok, and what packets are you expecting that you're not seeing?


Cheers,
Franco

Quote from: 150d on August 29, 2025, 12:57:08 PM
Is this because the packet filter runs before the packet capture, so that packets that are not let in by the firewall rule don't even make it to the packet capture?

Packet capture runs before/below anything else. If you do not see a particular packet on a particular interface in promiscuous mode, that is because it's not there.

Make sure to eliminate glitches caused by DNS lookups by running e.g.

tcpdump -n -i <interface>
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

E.g. this packet:

(from firewall/log/live)

__timestamp__   2025-08-29T13:17:29
action   [block]
anchorname   
datalen   354
dir   [in]
dst   10.1.1.5
dstport   67
ecn   
id   62914
interface   igc0_vlan5
interface_name   VLAN5_IoT
ipflags   DF
ipversion   4
label   block to unrestricted VLANs
length   374
offset   0
protoname   udp
protonum   17
reason   match
rid   ccafb7f40b2dd9edf15670b0fdcbd410
rulenr   109
src   10.5.1.109
srcport   68
subrulenr   
tos   0x0
ttl   64

10.1.1.5 is a DHCP server, the client (10.5.1.109) is sending a unicast packet to the server. It shouldn't do that, there is a DHCP relay running on OPNsense which should handle all DHCP broadcasts (and which is working fine.)

I wanted to look at the packet to get a clue as to why the client is behaving in this way.

Quote:
Make sure to eliminate glitches caused by DNS lookups by running e.g.
tcpdump -n -i <interface>
Does it make a difference that I'm using the GUI capture instead of running tcpdump on the console myself?

No idea, never used the UI.

Okay, now that's different:

When I run tcpdump on the console, the missing packets are there. They are not there if I run a capture job on the GUI for the same interface, with or without promiscuous mode.
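Added example, not code from the thread or from OPNsense: it takes a block record as pasted from the live log above, parses the key/value lines, and builds the console tcpdump command (with -n, as suggested earlier) that captures exactly that flow on the named interface. The sample record is a trimmed copy of the one in the post; field names and the tcpdump flags are real, the helper names are mine.

```python
"""Turn an OPNsense live-log block record into a console tcpdump command."""
import re
import shlex

# Constructed sample: the block record from the post above, trimmed to the
# fields used here (empty values such as anchorname are kept on purpose).
LOG_RECORD = """\
__timestamp__   2025-08-29T13:17:29
action   [block]
anchorname   
dir   [in]
dst   10.1.1.5
dstport   67
interface   igc0_vlan5
interface_name   VLAN5_IoT
ipversion   4
label   block to unrestricted VLANs
protoname   udp
protonum   17
rulenr   109
src   10.5.1.109
srcport   68
subrulenr   
"""

def parse_record(text: str) -> dict:
    """Split 'key<whitespace>value' lines into a dict. Keys never contain
    spaces, values may (the rule label), and a missing value becomes ''."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"(\S+)\s*(.*)", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def bpf_filter(rec: dict) -> str:
    """Build the BPF expression matching only the blocked flow."""
    if rec.get("protoname") in ("tcp", "udp", "icmp", "icmp6"):
        proto = rec["protoname"]
    else:  # e.g. carp/esp: fall back to the numeric protocol
        fam = "ip6" if rec.get("ipversion") == "6" else "ip"
        proto = "%s proto %s" % (fam, rec["protonum"])
    terms = [proto, "src host " + rec["src"], "dst host " + rec["dst"]]
    for key, word in (("srcport", "src port"), ("dstport", "dst port")):
        if rec.get(key):  # portless records (ICMP) simply have no port terms
            terms.append(word + " " + rec[key])
    return " and ".join(terms)

def tcpdump_command(rec: dict, count: int = 10) -> str:
    """-n: no DNS lookups, -e: link-layer headers (MACs matter for DHCP),
    -v: decode BOOTP/DHCP options so the client's request type is visible."""
    return "tcpdump -n -e -v -i %s -c %d %s" % (
        shlex.quote(rec["interface"]), count, shlex.quote(bpf_filter(rec)))

if __name__ == "__main__":
    print(tcpdump_command(parse_record(LOG_RECORD)))
```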