Capture filter not working as expected

I am capturing traffic from the WAN side of a Draytek 2862 using port mirroring. With no capture filter, all works as expected. However, I am only interested in specific remote hosts, so I create a capture filter of the form ‘pppoes and (src net nnn.nnn.nnn.nnn)’. This works as expected, but of course I only see traffic from the source IP. I want to see any response from my router, so I modify the capture filter to ‘pppoes and (src net nnn.nnn.nnn.nnn or dst net nnn.nnn.nnn.nnn)’. No traffic from my router to the destination is seen. The objective is to investigate remote sites probing my VPN, so it may be correct that my system is stealthed and does not respond. But I want to be sure, so I repeat the test with a ping from my system to some remote host. With no capture filter I see ping requests and responses. With the filter set as described I only see ping responses. With the filter set as ‘pppoes and (dst net nnn.nnn.nnn.nnn)’ I see nothing. Can anyone shed light on this, please?