Netgate Discussion Forum

    Capturing traffic using tcpdump?

    General pfSense Questions
    33 Posts 3 Posters 3.9k Views 3 Watching
    • johnpozJ Offline
      johnpoz LAYER 8 Global Moderator @furom
      last edited by johnpoz

      @furom well just sniffing on the lan side interface might not give you the whole picture, you might want to sniff on both wan side and lan side.

      While sure you might see retrans of acks on your lan side for data that doesn't show up, did it just not show up on the wan? You would want to rule on pfsense I would think, etc.

      You may need to sniff on the client as well - is this connection you're streaming with wireless?

      Most of my media players (sticks) are wireless for example - while my tv is wired.. So if I was seeing problems on the sticks, but not the tv it might be wireless that is the problem, etc.

      Are all your media players wired or wireless? Do you see it on both wired and wireless?

      Either way you're most likely going to want to filter it on something, grabbing all your traffic could be lots of traffic.. I take it this vlan 11 is only your media players? if not - you may want to at least filter on IP of the media player you're using for troubleshooting..

      Are you using IPv6? First thing I would do if having such an issue is try and determine if it only happens with IPv6 - disabling IPv6 might be a good first start without having to do any sniffing as of yet.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

      • F Offline
        furom @johnpoz
        last edited by

        @johnpoz said in Capturing traffic using tcpdump?:

        > @furom well just sniffing on the lan side interface might not give you the whole picture, you might want to sniff on both wan side and lan side.
        >
        > While sure you might see retrans of acks on your lan side for data that doesn't show up, did it just not show up on the wan? You would want to rule on pfsense I would think, etc.
        >
        > You may need to sniff on the client as well - is this connection you're streaming with wireless?

        No it's wired, I don't use wireless unless I have to

        > Most of my media players (sticks) are wireless for example - while my tv is wired.. So if I was seeing problems on the sticks, but not the tv it might be wireless that is the problem, etc.
        >
        > Are all your media players wired or wireless? Do you see it on both wired and wireless?

        Also wired. I find those more reliable

        > Either way you're most likely going to want to filter it on something, grabbing all your traffic could be lots of traffic.. I take it this vlan 11 is only your media players? if not - you may want to at least filter on IP of the media player you're using for troubleshooting..

        True, this is the lan I keep streamers etc on. Right now just one, so fairly easy to single out... :O

        > Are you using IPv6? First thing I would do if having such an issue is try and determine if it only happens with IPv6 - disabling IPv6 might be a good first start without having to do any sniffing as of yet.

        No, that is an upcoming thing, to enable IPv6, but for now disabled

        • johnpozJ Offline
          johnpoz LAYER 8 Global Moderator @furom
          last edited by

          @furom said in Capturing traffic using tcpdump?:

          > No it's wired, I don't use wireless unless I have to

          Same here.. Wireless is for stuff that moves ;) heheh

          If you get some sniffs - happy to take a look see.. but intermittent issues like this can be difficult to track down sometimes.. What is the media player you are using? It happens on all services, netflix, amazon prime, hulu, etc. ? Do you have a local system like plex or emby, jellyfin, etc.

          • F Offline
            furom @johnpoz
            last edited by furom

            @johnpoz said in Capturing traffic using tcpdump?:

            > @furom said in Capturing traffic using tcpdump?:
            >
            > > No it's wired, I don't use wireless unless I have to
            >
            > Same here.. Wireless is for stuff that moves ;) heheh
            >
            > If you get some sniffs - happy to take a look see.. but intermittent issues like this can be difficult to track down sometimes.. What is the media player you are using? It happens on all services, netflix, amazon prime, hulu, etc. ? Do you have a local system like plex or emby, jellyfin, etc.

            I use an Apple TV to play Spotify. And no, it is only noticeable for music. Netflix and such happily plays along.

            One thing that comes to mind now, before going on a wild goose chase... Spotify is at times unhappy with the network settings and complains "Check your network to continue listening" etc I am not convinced the two are related though, but just to mention. I did have this happen during a sniff, but only for the internal network, and by briefly looking at it, it looked very similar to all the rest. Some strange stuff of a "googleuser" in there too, I don't use google where I can avoid it, and certainly has no users connected, so hopefully it is something quite normal...

            It wouldn't pose a problem capturing on two interfaces simultaneously? Say lan and wan?
            File had grown quite big, ~ 500MB, Perhaps 30 minutes was a little too much, 10 minutes should be plenty...

            These are the rules Spotify has to cope with, and complains about occasionally;
            3223ab2f-53ca-4874-bbdf-1b7c49c6c29a-image.png

            • stephenw10S Offline
              stephenw10 Netgate Administrator
              last edited by

              Mmm, I would be looking for errors or blocked traffic. It could be very hard to find the actual outage in a file that size. And it will be hidden by the fact that spotify will be buffering traffic so it likely won't align with when it actually stopped playing.

              • F Offline
                furom @stephenw10
                last edited by

                @stephenw10 said in Capturing traffic using tcpdump?:

                > Mmm, I would be looking for errors or blocked traffic. It could be very hard to find the actual outage in a file that size. And it will be hidden by the fact that spotify will be buffering traffic so it likely won't align with when it actually stopped playing.

                Well, agreed. What I see is not easy to read... I do not see any errors on WAN though. What would "blocked traffic" look like? I see some sort of "frame" that repeats, showing a MAC to another MAC
                379f0108-808d-4c26-8802-b2f3cb727831-image.png

                • stephenw10S Offline
                  stephenw10 Netgate Administrator
                  last edited by

                  If not as blocks in the firewall log then as a load of TCP retransmissions in the pcap.

                  • F Offline
                    furom @stephenw10
                    last edited by

                    @stephenw10 said in Capturing traffic using tcpdump?:

                    > If not as blocks in the firewall log then as a load of TCP retransmissions in the pcap.

                    I don't see any of those either prior to or around the time of the outage. How big of a buffer are we talking about for spotify? Seconds, minutes? When unplugging WAN, it continues to play for a little while, but not very... Perhaps should just try again... :)

                    • stephenw10S Offline
                      stephenw10 Netgate Administrator
                      last edited by

                      No idea I don't use Spotify. It's probably configurable somewhere. I'd guess a few minutes.

                      • F Offline
                        furom @stephenw10
                        last edited by

                        @stephenw10 Well, from what I could find it seems to differ with available storage, so will be even harder I suppose

                        • johnpozJ Offline
                          johnpoz LAYER 8 Global Moderator @furom
                          last edited by

                          @furom so what error is your client spewing exactly? Does it want you to be using some doh dns? Does it think your internet connection is down, ie doesn't have internet?

                          • F Offline
                            furom @johnpoz
                            last edited by furom

                            @johnpoz said in Capturing traffic using tcpdump?:

                            > @furom so what error is your client spewing exactly? Does it want you to be using some doh dns? Does it think your internet connection is down, ie doesn't have internet?

                            That is the thing... I can't see any errors at all... Occasional packets have zero length, but that is by no means aligned or proportional to the sound-cuts...

                            Edit: I seem to have used the command wrong, or slightly. Using "-w" creates a binary file, unsure why one would want that. I did instead use ">" which produced a readable format. I suppose the binary could be used in wireshark etc perhaps...? But they seem pretty similar

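Added example (not part of any poster's reply, and not Netgate's code): the binary file that `tcpdump -w` writes is a classic pcap, which Wireshark or `tcpdump -r` can read back. The Python below parses that format directly and lists TCP data segments whose sequence number repeats within a flow, a simple approximation of the retransmissions mentioned earlier in the thread. The sample capture, addresses and function names are constructed for illustration, and only Ethernet/IPv4 records in microsecond classic pcap are handled.

```python
import struct

def build_sample_pcap():
    """Constructed capture: three 100-byte TCP segments; the third repeats seq 1000."""
    def frame(seq):
        tcp = struct.pack("!HHIIBBHHH", 50000, 443, seq, 0, 5 << 4, 0x18, 1024, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + 100, 0, 0, 64, 6, 0,
                         bytes([192, 168, 11, 20]), bytes([203, 0, 113, 5]))
        return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + tcp + b"x" * 100
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # file header
    for ts, seq in ((100, 1000), (101, 1100), (103, 1000)):
        f = frame(seq)
        out += struct.pack("<IIII", ts, 0, len(f), len(f)) + f        # record header
    return out

def dotted(addr):
    return ".".join(str(b) for b in addr)

def find_retransmissions(pcap):
    """Return (ts, src, sport, dst, dport, seq) for payload segments seen twice."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    seen, hits, pos = set(), [], 24
    while pos + 16 <= len(pcap):
        ts, _, caplen, _ = struct.unpack(order + "IIII", pcap[pos:pos + 16])
        pkt = pcap[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        off = 16 if pkt[12:14] == b"\x81\x00" else 12   # skip an 802.1Q VLAN tag
        ip = off + 2
        if pkt[off:ip] != b"\x08\x00" or len(pkt) < ip + 20 or pkt[ip + 9] != 6:
            continue                                     # not IPv4 carrying TCP
        ihl = (pkt[ip] & 0x0F) * 4
        tcp = ip + ihl
        if len(pkt) < tcp + 20:
            continue                                     # truncated by snaplen
        total = struct.unpack("!H", pkt[ip + 2:ip + 4])[0]
        sport, dport, seq = struct.unpack("!HHI", pkt[tcp:tcp + 8])
        if total - ihl - (pkt[tcp + 12] >> 4) * 4 <= 0:
            continue                                     # pure ACK, no data
        key = (pkt[ip + 12:ip + 20], sport, dport, seq)
        if key in seen:
            hits.append((ts, dotted(pkt[ip + 12:ip + 16]), sport,
                         dotted(pkt[ip + 16:ip + 20]), dport, seq))
        seen.add(key)
    return hits

if __name__ == "__main__":
    for hit in find_retransmissions(build_sample_pcap()):
        print("retransmission at t=%d: %s:%d -> %s:%d seq=%d" % hit)
```

Wireshark's `tcp.analysis.retransmission` display filter performs a more complete analysis on the same file.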
                            • stephenw10S Offline
                              stephenw10 Netgate Administrator
                              last edited by

                              But presumably the client itself throws an error when it stops playing?

                              • F Offline
                                furom @stephenw10
                                last edited by

                                @stephenw10 said in Capturing traffic using tcpdump?:

                                > But presumably the client itself throws an error when it stops playing?

                                If I were to describe it, it's like the stream is paused, or volume lowered really. If I didn't know better (do I??) I could almost think someone had access to my control it... The client continues just fine after every occurrence. I know the Apple TV doesn't have a log, at least their support tells me that. Yesterday the frequency of their occurrence was a lot higher than before... Whatever that could mean.

                                My hope was to use the packet stream/capture as the "log", but yes, is immensely harder, if even possible.

                                Question is perhaps if there is any client that has a log that will show what is really going on between my client and the player - if that is what is relevant to look at...

                                • stephenw10S Offline
                                  stephenw10 Netgate Administrator
                                  last edited by

                                  Yes, I would approach this using a different client. Try using a desktop spotify client and make sure that still hits the issue first. That might at least have more debugging options assuming it does hit it. Of course if it doesn't that implies it's something with the appleTV or at least the way it runs spotify.

                                  • F Offline
                                    furom @stephenw10
                                    last edited by furom

                                    @stephenw10 I will, if nothing else to possibly rule something out. As previously said, I don't really think this is either the player, nor Spotify even, as I have changed all of it.. but still, can't explain it

                                    Edit: Installed the Spotify client and it just happened again. Have not had time to figure out if there are any logs yet, but issue remains

                                    • johnpozJ Offline
                                      johnpoz LAYER 8 Global Moderator @furom
                                      last edited by

                                      @furom so you installed spotify on your windows pc and you're still having the issue - while not a big spotify user, I have my own music collection on my plex that I use.. My dead collection has way more than spotify does ;) heheh

                                      dead.jpg

                                      I count like only 162 on spotify ;) heheh

                                      But be happy to fire it up and see if I can hear your issue..

                                      • F Offline
                                        furom @johnpoz
                                        last edited by

                                        @johnpoz said

                                        > But be happy to fire it up and see if I can hear your issue..

                                        Thanks, I would be really surprised if it is a general issue, but a test is much appreciated :)

                                        • F Offline
                                          furom @johnpoz
                                          last edited by

                                          @johnpoz said in Capturing traffic using tcpdump?:

                                          > I count like only 162 on spotify ;) heheh

                                          LOL! Well, that's 162 more than I knowingly have heard. You make me curious, have to switch to try it out... Anyone in particular I should start with? :)

                                          • johnpozJ Offline
                                            johnpoz LAYER 8 Global Moderator @furom
                                            last edited by

                                            @furom are you asking like the best album to start with in listening to the dead? That is a really interesting question to be honest... Hmmm?

                                            What sort of music are you into currently?

                                            What got me on the bus, was a friend of mine playing friend of the devil to be honest.. On his guitar - so not really the dead, so then listened to a few of their versions of it, and then from then on was hooked. Saw my first show in 89.. After that - man was I hooked.. One regret is didn't get into them earlier hehah

                                            Give me a bit to think about it - don't want to steer you wrong.. And the type of music you currently enjoy could help in what might be best suited dead album/songs to get you started on your journey..

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.