
I think the BPF examples in the Packet Capture have a mistake.

In both the help from the XG Firewall and in the Knowledge base article: "Sophos Firewall: How to monitor traffic using packet capture utility in the GUI", article #123189 there is a reference for the BPF string for a specific network, with an example of net 10.10.10.0 (from the XG help) or net 192.168.1.0 (from the KB article). However, these examples will not work (i.e. no traffic captured). If the network you wish to capture is 192.168.1.0 with a netmask of 255.255.255.0, you could use net 192.168.1 (note the missing last octet of the IP address). However, the better example for this is to use net 192.168.1.0/24 as this also works for any VLSM mask. You could also use "net 192.168.1.0 mask 255.255.255.0", but this will only work for IPv4 networks, while the slash mask notation will work for both IPv4 and IPv6.

I discovered this while trying to solve a firewall rule and was looking for any traffic from the 192.168.5.0/24 network.  When I followed the listed examples, I got no traffic captured.  Finally I searched the web and discovered the syntax rules at https://biot.com/capstats/bpf.html which explained why the example was wrong.

Please update the following examples (from http://docs.sophos.com/nsg/sophos-firewall/v16056/Help/en-us/webhelp/onlinehelp/index.html#page/onlinehelp%2FConfigPacketCapture.html%23wwconnect_header) and the KB article:

incorrect text:

specific network               net 10.10.10.0
specific source network        src net 10.10.10.0
specific destination network   dst net 10.10.10.0

to be:

specific network               net 10.10.10.0/24
specific source network        src net 10.10.10.0/24
specific destination network   dst net 10.10.10.0/24

Thanks!
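To show why the documented `net 10.10.10.0` form captures nothing, here is an added example (not from the post, Sophos, or libpcap) that models the libpcap `net` rules the post links to: a dotted quad is given a /32 netmask, so `net 192.168.1.0` only ever matches the network address itself, while the dotted-triple, `/24` and `mask` forms cover the whole subnet. The sample flows are constructed; the regex and helper names are this example's own.

```python
import ipaddress
import re

# Constructed sample flows (src, dst); not captured from any real firewall.
PACKETS = [
    ("192.168.1.57", "8.8.8.8"),       # LAN host to a public resolver
    ("10.0.0.5", "192.168.1.10"),      # another subnet talking to a LAN host
    ("192.168.5.20", "192.168.5.1"),   # neighbouring /24, must not match
    ("2001:db8::1", "2001:db8:1::5"),  # IPv6 flow
]
_NET_RE = re.compile(r"(?:(src|dst)\s+)?net\s+(\S+)(?:\s+mask\s+(\S+))?")

def net_filter_to_network(expr):
    """Return (direction, ip_network) that a BPF 'net' primitive really matches.
    libpcap rules: dotted quad 192.168.1.0 -> /32 (a single address!), dotted
    triple -> /24, pair -> /16, single number -> /8; 'X/len' is CIDR for IPv4
    or IPv6; 'X mask M' is IPv4 only."""
    m = _NET_RE.fullmatch(expr.strip())
    if not m:
        raise ValueError(f"unsupported filter: {expr!r}")
    direction, net, mask = m.groups()
    if mask:
        if ":" in net:
            raise ValueError("'mask' is IPv4 only; use a /prefix for IPv6")
        return direction, ipaddress.IPv4Network((net, mask), strict=False)
    if "/" in net or ":" in net:
        return direction, ipaddress.ip_network(net, strict=False)
    octets = net.split(".")
    # Pad to four octets; the prefix length is 8 bits per octet actually written.
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return direction, ipaddress.IPv4Network((padded, 8 * len(octets)), strict=False)

def describe(expr):
    """CIDR form of the matched range, e.g. 'net 192.168.1.0' -> '192.168.1.0/32'."""
    return str(net_filter_to_network(expr)[1])

def matches(expr, src, dst):
    direction, network = net_filter_to_network(expr)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 'in' is False when the address and network families differ, as in BPF.
    if direction == "src":
        return s in network
    if direction == "dst":
        return d in network
    return s in network or d in network

def count_matches(expr, packets=PACKETS):
    """Number of sample flows the filter would capture."""
    return sum(matches(expr, s, d) for s, d in packets)
```

Running `count_matches` over the four sample flows gives 0 for `net 192.168.1.0` but 2 for each of `net 192.168.1`, `net 192.168.1.0/24` and `net 192.168.1.0 mask 255.255.255.0`.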