Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/index.html?contextId=ConfigPacketCapture

Configure capture filter

You can configure the number of bytes to be captured per packet.

How to configure the capture filter

  1. Go to Diagnostics > Packet capture and click Configure.

  2. Enter details to configure the capture filter:

    Setting Description
    Number of bytes to capture (per packet) Specify the number of bytes to be captured per packet.
    Wrap capture buffer once full Select this option to continue capturing the packets even after the buffer is full. If you select this option, Packet capture starts again from the beginning of the buffer.
    Enter BPF string Specify a Berkeley Packet Filter (BPF) string. BPF provides a raw interface between the link-level driver and the userspace. BPF is protocol-independent and uses a filter-before-buffering approach. It includes a machine abstraction to make the filtering efficient. For example, host 192.168.1.2 and port 137. For filtering specific packets, see BPF string parameters.

  3. Click Save.

BPF string parameters

Object Example
Specific host host 10.10.10.1
Specific source host src host 10.10.10.1
Specific destination host dst host 10.10.10.1
Specific network net 10.10.10.0
Specific source network src net 10.10.10.0
Specific destination network dst net 10.10.10.0
Specific port port 20 or port 21
Specific source port src port 21
Specific destination port dst port 21
Specific host for the particular port host 10.10.10.1 and port 21
the specific host for all the ports except SSH host 10.10.10.1 and port not 22
Specific protocol proto ICMP, proto UDP, proto TCP