Dump all blocked packets?
-
Is it possible to do a tcpdump on all the packets that the firewall blocks?
-
No, there isn't. The firewall log is obtained using tcpdump on the pflog interface, but it doesn't capture the full packet, just the header and in some cases a partial payload.
If you run a packet capture directly on the interface, you'll get all packets, passed and blocked.
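An added example (not from the original thread) of how a defender can still work with what pflog does give: since `tcpdump` on `pflog0` prefixes every record with the pf action, direction, interface and matching rule, those lines can be filtered down to the blocked traffic and tallied by rule and destination port. The sample lines below are constructed to follow the layout that `tcpdump -n -e -ttt -i pflog0` prints on a pf firewall (the exact field layout is an assumption, not captured from a real system), and the parser only sees headers, matching the point above that pflog does not carry the full payload. It handles both IPv4 and IPv6 records, which goes slightly beyond the thread's description.

```python
import re
from collections import Counter

# Constructed sample of pflog records as tcpdump prints them (layout assumed,
# not taken from the thread or from a real capture). Addresses are from the
# documentation ranges 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 2001:db8::/32.
SAMPLE_PFLOG_LINES = """\
00:00:00.000000 rule 5/0(match): block in on em0: IP 198.51.100.7.53011 > 192.0.2.10.22: Flags [S], seq 1, win 64240, length 0
00:00:00.010000 rule 12/0(match): pass in on em0: IP 203.0.113.4.40000 > 192.0.2.10.443: Flags [S], seq 2, win 64240, length 0
00:00:00.020000 rule 5/0(match): block in on em0: IP 198.51.100.7.53012 > 192.0.2.10.23: Flags [S], seq 3, win 64240, length 0
00:00:00.030000 rule 7/0(match): block out on em1: IP 192.0.2.10.60000 > 198.51.100.9.25: Flags [S], seq 4, win 64240, length 0
00:00:00.040000 rule 5/0(match): block in on em0: IP 198.51.100.7.53013 > 192.0.2.10.22: Flags [S], seq 5, win 64240, length 0
00:00:00.050000 rule 5/0(match): block in on em0: IP6 2001:db8::bad.54000 > 2001:db8::10.22: Flags [S], seq 6, win 64240, length 0
"""

# The pflog header fields come first ("rule N/M(reason): action dir on iface:"),
# followed by the normal tcpdump IP/IP6 line. With -n, tcpdump prints the port as
# a trailing ".port" on the address, so the address group must backtrack to the
# last dot; the greedy character class plus "\.(\d+)" achieves that for both
# dotted IPv4 and colon-separated IPv6 addresses.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>pass|block|rdr|nat) (?P<dir>in|out) on (?P<iface>\w+): "
    r"IP6? (?P<src>[0-9a-fA-F:.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[0-9a-fA-F:.]+)\.(?P<dport>\d+):"
)


def parse_pflog_line(line):
    """Return the pflog header fields of one tcpdump line, or None if it does not match."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def parse_pflog(text):
    """Parse every line of captured tcpdump output, skipping lines that do not parse."""
    records = []
    for line in text.splitlines():
        rec = parse_pflog_line(line)
        if rec is not None:
            records.append(rec)
    return records


def blocked_only(records):
    """Keep only records pf marked as blocked, which is what the thread asked for."""
    return [r for r in records if r["action"] == "block"]


def blocks_by_rule(records):
    """Count blocked packets per matching pf rule number."""
    return Counter(r["rule"] for r in blocked_only(records))


def blocks_by_dport(records):
    """Count blocked packets per destination port (useful to spot what is being probed)."""
    return Counter(r["dport"] for r in blocked_only(records))


if __name__ == "__main__":
    recs = parse_pflog(SAMPLE_PFLOG_LINES)
    print(f"parsed {len(recs)} records, {len(blocked_only(recs))} blocked")
    for rule, n in blocks_by_rule(recs).most_common():
        print(f"rule {rule}: {n} blocked")
    for port, n in blocks_by_dport(recs).most_common():
        print(f"dport {port}: {n} blocked")
```

On a live system the same functions can be fed the output of `tcpdump -n -e -ttt -i pflog0` (or of a saved pflog pcap replayed through tcpdump); the counts tell you which rules and ports the blocks concentrate on, which is usually the question behind wanting a dump of blocked packets in the first place.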
-
Thanks for the info! I was closing my eyes and hoping there was a magic bullet.
-
Would there be a way to do a firewall rule with a "redirect" to send it to a separate interface with a host capturing there? Maybe with the Gateway option under the Advanced Options for a firewall rule? Haven't tried this myself now…
-
Not in the GUI.
pf has a dup-to keyword, iirc, but we don't have any way to express that in the GUI. Even so I think it only works on passed/routed packets and not blocked, but I may be wrong.