How to enable logging for every packet?

Is there any easy way to enable logging for every packet, blocked and passed?
I’m trying to lock down some application which accesses the network, but the firewall lets it work and I cannot see any event in the current log until I enable logging for every rule (there are many) already defined in the firewall policy.
Thank you.

Hello aikhome,

That’s not possible with CIS; that would cause so much network delay that your system would become too slow to work with.

Can you tell me which program we are talking about here ?

If you would like to see every packet that leaves your system, take a look at Wireshark here.

I do not need it forever, just for 5 minutes to make a diagnosis, so I can stand a 3x slowdown for a little while :slight_smile: Still no such button? It should be VERY easy to implement…
And can Wireshark show which particular process sent the packet? Because tcpdump cannot.
The process I’m trying to catch does not matter; I want to learn how to catch every bit of traffic coming out of my computer.

No, it can’t be done with CIS with its current implementation; even if you put logging on all rules it won’t log every hit because of too much overhead and log overloading…

You can use “View active connections” to see which application is running which traffic, based on ports and IPs.

Wireshark can’t match traffic to applications, and tcpdump can’t either; you have to create that “link” yourself based on the source IPs and ports, destination IPs and traffic data.

Please keep in mind that when using tcpdump/Wireshark, outgoing traffic can be blocked by CIS before it leaves your network interface, but it will still show up in the capture because the firewall driver is “lower” in the system than the packet capture driver!

If you need a real view of the traffic, you have to set up a capture on a system in between your PC and the rest of your network, or use a SPAN (Cisco) port on the switch to get an exact copy of the traffic sent to and from that port.

As far as I know, traffic analysers don’t capture specific process information; however, they will capture the port from which the packets originate, so you could, potentially, use that information, in conjunction with netstat, to get back to the PID…

I feel you are missing the point :slight_smile: Overhead and overloading are not a problem if we consider this feature as “debug”, “do not use it permanently” and so on. It is needed to configure the tool properly, not for daily work.

I cannot. The program I wanted to discover opens a connection, very quickly does a send-receive and closes it. And the firewall does not keep any history. It could, like “Process Explorer” (the sysinternals.com tool) does for processes which were closed in the last 5-10 seconds, but it does not.
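The two points above (mapping a captured source port back to a PID via the OS socket table, and why a connection that opens and closes in a few milliseconds slips past that method) can be shown concretely. The script below is an added example written for this thread; it is not code from the original posts or from CIS, and it assumes a Linux /proc layout (/proc/net/tcp and /proc/<pid>/fd) rather than Windows. The socket-table text, the inode-to-PID map and the tcpdump line are constructed sample data so the parsing and lookup run offline.

```python
"""Map a source port seen in a packet capture back to the owning process.

Added example for this thread (not the original poster's code). Assumes the
Linux /proc layout; the sample data below is constructed, not captured.
"""
import os
import re
import socket
import sys
import time

PROC_NET_FILES = ("/proc/net/tcp", "/proc/net/tcp6", "/proc/net/udp", "/proc/net/udp6")

# Constructed sample of /proc/net/tcp: a listener on 127.0.0.1:8080 and an
# established connection 10.0.2.15:45764 -> 34.216.184.93:443.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B2C4 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""
# Constructed socket-inode -> PID map (what inode_to_pid_map() builds on a live host).
SAMPLE_INODE_PID = {12345: 4242, 67890: 3131}
# Constructed line in the format `tcpdump -n` prints for IPv4 TCP.
SAMPLE_TCPDUMP_LINE = "12:00:00.000001 IP 10.0.2.15.45764 > 34.216.184.93.443: Flags [S], seq 1, win 64240, length 0"

TCPDUMP_RE = re.compile(r"IP6? (\S+)\.(\d+) > (\S+)\.(\d+):")


def parse_addr(hexaddr):
    """Decode /proc's 'HEXADDR:HEXPORT' form. IPv4 is one little-endian word;
    IPv6 is four little-endian 32-bit words."""
    host, port = hexaddr.split(":")
    raw = bytes.fromhex(host)
    if len(raw) == 4:
        ip = socket.inet_ntop(socket.AF_INET, raw[::-1])
    else:
        words = [raw[i:i + 4][::-1] for i in range(0, 16, 4)]
        ip = socket.inet_ntop(socket.AF_INET6, b"".join(words))
    return ip, int(port, 16)


def parse_proc_net(text):
    """Yield one dict per socket line of /proc/net/{tcp,tcp6,udp,udp6}."""
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        yield {"local": parse_addr(f[1]), "remote": parse_addr(f[2]),
               "state": int(f[3], 16), "inode": int(f[9])}


def inode_to_pid_map():
    """Scan /proc/<pid>/fd for 'socket:[inode]' links (needs rights to read other users' fds)."""
    mapping = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            fds = os.listdir(f"/proc/{pid}/fd")
        except OSError:
            continue
        for fd in fds:
            try:
                link = os.readlink(f"/proc/{pid}/fd/{fd}")
            except OSError:
                continue
            if link.startswith("socket:["):
                mapping[int(link[8:-1])] = int(pid)
    return mapping


def capture_src_port(line):
    """Source port from a `tcpdump -n` line, or None if it is not an IP line."""
    m = TCPDUMP_RE.search(line)
    return int(m.group(2)) if m else None


def port_to_pid(local_port, sockets, inode_pid):
    """The netstat step: find the socket bound to local_port and its owner.
    Returns (pid, socket) or None when no process currently holds that port,
    which is exactly what happens once a short-lived connection has closed."""
    for s in sockets:
        if s["local"][1] == local_port and s["inode"] in inode_pid:
            return inode_pid[s["inode"]], s
    return None


def watch(seconds=5.0, interval=0.05):
    """Poll the live socket table and print each new socket with its owner.
    Sockets with inode 0 (e.g. TIME_WAIT) have no owning fd and are skipped;
    a connection that opens and closes between two polls is never seen."""
    seen = set()
    deadline = time.time() + seconds
    while time.time() < deadline:
        inode_pid = inode_to_pid_map()
        for path in PROC_NET_FILES:
            try:
                with open(path) as fh:
                    sockets = list(parse_proc_net(fh.read()))
            except OSError:
                continue
            for s in sockets:
                if s["inode"] == 0 or s["inode"] in seen:
                    continue
                seen.add(s["inode"])
                pid = inode_pid.get(s["inode"])
                print(f"{s['local'][0]}:{s['local'][1]} -> {s['remote'][0]}:{s['remote'][1]} pid={pid}")
        time.sleep(interval)


if __name__ == "__main__":
    if sys.platform.startswith("linux"):
        watch()
    else:
        print("live watch needs Linux /proc; offline demo:",
              port_to_pid(capture_src_port(SAMPLE_TCPDUMP_LINE),
                          list(parse_proc_net(SAMPLE_PROC_NET_TCP)), SAMPLE_INODE_PID))
```

Run it as root while tcpdump captures, then feed a captured line's source port to port_to_pid. The lookup only succeeds while the socket still exists, so a process that connects, exchanges a few packets and closes within the poll interval (50 ms here) leaves nothing to look up; catching that case needs the firewall or kernel to record the owner at the moment the packet is decided, which is the feature request this thread is about.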

Try CurrPorts if it’s for testing purposes. :slight_smile:

You do not get it :slight_smile: I am not seeking help, I am proposing a new useful feature for the product :slight_smile:

Oops, sorry, I misunderstood. :-[

Then your post is better suited for the firewall wish list board.