tcpdump v4.99.4 from pfSense 2.7.2 does not honour local timezone
-
Hi,
I have encountered that tcpdump v4.99.4 from pfSense v2.7.2 does not honour local timezone.
I've seen this behavior discussed at
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273807
FreeBSD Ports Collection already contains the patched tcpdump v4.99.4_1
When can CE users expect the update/patch to tcpdump v4.99.4_1?
Or how can I properly update the version myself?
Thank you in advance!
-
The fix is in dev so it will be in the next release: https://github.com/pfsense/FreeBSD-src/commits/devel-main/contrib/tcpdump
-
What is a safe method to replace tcpdump v4.99.4 with tcpdump v4.99.5?
I plan to install it from:
https://pkg.freebsd.org/FreeBSD:14:amd64/latest/All/tcpdump-4.99.5.pkg
tcpdump v4.99.5 requires 'libsmi'
(during installation it says: "tcpdump has a missing dependency: libsmi")
So, I plan to install it from:
https://pkg.freebsd.org/FreeBSD:14:amd64/latest/All/libsmi-0.4.8_2.pkg
Is this all safe for the integrity of the pfSense?
-
@pfthbst said in tcpdump v4.99.4 from pfSense 2.7.2 does not honour local timezone:
Is this all safe for the integrity of the pfSense?
You tell us ^^
The FreeBSD package for pfSense was most probably compiled without "libsmi" support.
[24.11-RELEASE][root@pfSense.bhf.tld]/root: ldd /usr/sbin/tcpdump
/usr/sbin/tcpdump:
libpcap.so.8 => /lib/libpcap.so.8 (0xc70fac64000)
libcasper.so.1 => /lib/libcasper.so.1 (0xc70fb94f000)
libcap_dns.so.2 => /lib/libcap_dns.so.2 (0xc70fd8a3000)
libcrypto.so.30 => /lib/libcrypto.so.30 (0xc70fe278000)
libc.so.7 => /lib/libc.so.7 (0xc70fee59000)
libibverbs.so.1 => /lib/libibverbs.so.1 (0xc7100155000)
libmlx5.so.1 => /lib/libmlx5.so.1 (0xc7100ffb000)
libnv.so.1 => /lib/libnv.so.1 (0xc7101f8b000)
libthr.so.3 => /lib/libthr.so.3 (0xc7102cae000)
libsys.so.7 => /lib/libsys.so.7 (0xc7102e6c000)
[vdso] (0xc70fab77000)
You could install a native FreeBSD, get as close as possible to the "14.x" that pfSense uses.
Then build your own tcpdump.
Btw : Imho : Probably not worth just to correct a time stamp ...
-
What I did.
$ mkdir -p /usr/temp/packages/tcpdump
$ fetch -o /usr/temp/packages/tcpdump https://pkg.freebsd.org/FreeBSD:14:amd64/latest/All/tcpdump-4.99.5.pkg
/usr/temp/packages/tcpdump/tcpdump-4.99.5.pkg 426 kB 1955 kBps 00s
$ pkg info -F /usr/temp/packages/tcpdump/tcpdump-4.99.5.pkg
tcpdump-4.99.5
Name : tcpdump
Version : 4.99.5
Origin : net/tcpdump
Architecture : FreeBSD:14:amd64
Prefix : /usr/local
Categories : net
Licenses : BSD3CLAUSE
Maintainer : garga@FreeBSD.org
WWW : https://www.tcpdump.org/
Comment : Ubiquitous network traffic analysis tool
Options :
CHROOT : off
CRYPTO : on
SMB : on
SMI : on
USER : off
Shared Libs required:
libpcap.so.1
libcasper.so.1
libcap_dns.so.2
libcrypto.so.30
libc.so.7
Annotations :
build_timestamp: 2025-01-30T20:32:03+0000
ports_top_git_hash: 182ff2d0ad
ports_top_checkout_unclean: no
port_git_hash : ae2a199510
port_checkout_unclean: no
built_by : poudriere-git-3.4.2
cpe : cpe:2.3:a:tcpdump:tcpdump:4.99.5:::::freebsd14:x64
FreeBSD_version: 1401000
Flat size : 1.10MiB
Description :
tcpdump is a ubiquitous network traffic capture tool available in a wide
variety of BSD, Linux and UN*X distributions.

Whilst FreeBSD has a vendor branch import of tcpdump in its source tree,
the purpose of the port is to provide a means of offering additional,
bleeding-edge features which might not make it into the tree.
$ pkg install /usr/temp/packages/tcpdump/tcpdump-4.99.5.pkg
Updating pfSense-core repository catalogue...
Fetching meta.conf: 0%
Fetching packagesite.pkg: 0%
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
Fetching meta.conf: 0%
Fetching packagesite.pkg: 0%
pfSense repository is up to date.
All repositories are up to date.
pkg: tcpdump has a missing dependency: libsmi
So, I installed the "libsmi" from https://pkgs.org/download/libsmi
$ mkdir -p /usr/temp/packages/libsmi
$ fetch -o /usr/temp/packages/libsmi https://pkg.freebsd.org/FreeBSD:14:amd64/latest/All/libsmi-0.4.8_2.pkg
/usr/temp/packages/libsmi 2024 kB 929 kBps 02s
$ pkg install /usr/temp/packages/libsmi/libsmi-0.4.8_2.pkg
Updating pfSense-core repository catalogue...
Fetching meta.conf: 0%
Fetching packagesite.pkg: 0%
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
Fetching meta.conf: 0%
Fetching packagesite.pkg: 0%
pfSense repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
libsmi: 0.4.8_2 [unknown-repository]
Number of packages to be installed: 1
The process will require 16 MiB more space.
Proceed with this action? [y/N]: y
[1/1] Installing libsmi-0.4.8_2...
Extracting libsmi-0.4.8_2: 100% 378 B 0.4kB/s 00:01
Now I tried to install the tcpdump-4.99.5.pkg again:
$ pkg install /usr/temp/packages/tcpdump/tcpdump-4.99.5.pkg
Updating pfSense-core repository catalogue...
Fetching meta.conf: 0%
Fetching packagesite.pkg: 0%
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
Fetching meta.conf: 0%
Fetching packagesite.pkg: 0%
pfSense repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
tcpdump: 4.99.5 [unknown-repository]
Number of packages to be installed: 1
The process will require 1 MiB more space.
Proceed with this action? [y/N]: y
[1/1] Installing tcpdump-4.99.5...
Extracting tcpdump-4.99.5: 100% 5 B 0.0kB/s 00:01
As a result, a new version of tcpdump was installed in /usr/local/sbin/
ls -l /usr/local/sbin/tcpdum*
-r-xr-xr-x 1 root wheel 1134032 Jan 30 22:32 /usr/local/sbin/tcpdump
-rw-r--r-- 1 root wheel 436586 Feb 14 16:26 /usr/local/sbin/tcpdump.pkgsave
Now I have replaced the old version with the new one:
$ cp /usr/local/sbin/tcpdump /usr/sbin/tcpdump
Check the version of the new tcpdump:
$ /usr/sbin/tcpdump --version
tcpdump version 4.99.5
libpcap version 1.10.4
OpenSSL 3.0.12 24 Oct 2023
64-bit build, 64-bit time_t
$ ldd /usr/sbin/tcpdump
/usr/sbin/tcpdump:
libpcap.so.1 => /usr/local/lib/libpcap.so.1 (0x5da19a9a000)
libcasper.so.1 => /lib/libcasper.so.1 (0x5da1a878000)
libcap_dns.so.2 => /lib/libcap_dns.so.2 (0x5da1b344000)
libcrypto.so.30 => /lib/libcrypto.so.30 (0x5da1b882000)
libc.so.7 => /lib/libc.so.7 (0x5da1d635000)
libibverbs.so.1 => /lib/libibverbs.so.1 (0x5da1c91e000)
libnv.so.1 => /lib/libnv.so.1 (0x5da1de6a000)
libthr.so.3 => /lib/libthr.so.3 (0x5da1e6ef000)
[vdso] (0x5da18c6c620)
The native tcpdump from pfSense 2.7.2 for comparison:
$ /usr/sbin/tcpdump --version
tcpdump version 4.99.4
libpcap version 1.10.4
OpenSSL 3.0.12 24 Oct 2023
$ ldd /usr/sbin/tcpdump
/usr/sbin/tcpdump:
libpcap.so.8 => /lib/libpcap.so.8 (0x23e627f69000)
libcasper.so.1 => /lib/libcasper.so.1 (0x23e62958a000)
libcap_dns.so.2 => /lib/libcap_dns.so.2 (0x23e628203000)
libcrypto.so.30 => /lib/libcrypto.so.30 (0x23e629bda000)
libc.so.7 => /lib/libc.so.7 (0x23e62af79000)
libibverbs.so.1 => /lib/libibverbs.so.1 (0x23e628254000)
libmlx5.so.1 => /lib/libmlx5.so.1 (0x23e628ff5000)
libnv.so.1 => /lib/libnv.so.1 (0x23e62baa1000)
libthr.so.3 => /lib/libthr.so.3 (0x23e62ce00000)
[vdso] (0x23e626e6e620)
-
I now have a “good” version of the tcpdump.
But my skills don't allow me to adequately assess the potential risks and new integrity of pfSense.
-
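An added example, not part of any post in this thread: a POSIX sh script that compares the two `ldd` listings posted above, showing which libraries the replacement binary loads from outside the base system and which base libraries it no longer links. The function names are made up for this example; the `ldd` text is copied from the thread.

```sh
#!/bin/sh
# ldd listings copied from the thread: native 4.99.4, then the copied-in 4.99.5.
NATIVE_LDD='/usr/sbin/tcpdump:
    libpcap.so.8 => /lib/libpcap.so.8 (0x23e627f69000)
    libcasper.so.1 => /lib/libcasper.so.1 (0x23e62958a000)
    libcap_dns.so.2 => /lib/libcap_dns.so.2 (0x23e628203000)
    libcrypto.so.30 => /lib/libcrypto.so.30 (0x23e629bda000)
    libc.so.7 => /lib/libc.so.7 (0x23e62af79000)
    libibverbs.so.1 => /lib/libibverbs.so.1 (0x23e628254000)
    libmlx5.so.1 => /lib/libmlx5.so.1 (0x23e628ff5000)
    libnv.so.1 => /lib/libnv.so.1 (0x23e62baa1000)
    libthr.so.3 => /lib/libthr.so.3 (0x23e62ce00000)
    [vdso] (0x23e626e6e620)'
REPLACED_LDD='/usr/sbin/tcpdump:
    libpcap.so.1 => /usr/local/lib/libpcap.so.1 (0x5da19a9a000)
    libcasper.so.1 => /lib/libcasper.so.1 (0x5da1a878000)
    libcap_dns.so.2 => /lib/libcap_dns.so.2 (0x5da1b344000)
    libcrypto.so.30 => /lib/libcrypto.so.30 (0x5da1b882000)
    libc.so.7 => /lib/libc.so.7 (0x5da1d635000)
    libibverbs.so.1 => /lib/libibverbs.so.1 (0x5da1c91e000)
    libnv.so.1 => /lib/libnv.so.1 (0x5da1de6a000)
    libthr.so.3 => /lib/libthr.so.3 (0x5da1e6ef000)
    [vdso] (0x5da18c6c620)'

# Reads ldd output on stdin; prints libraries resolved outside /lib and /usr/lib.
outside_base() {
    awk '$2 == "=>" && index($3, "/lib/") != 1 && index($3, "/usr/lib/") != 1 {
             print $1 " -> " $3 }'
}

# Prints sonames linked in listing $1 that are absent from listing $2.
only_in_first() {
    { printf '%s\n' "$1"; echo '--'; printf '%s\n' "$2"; } |
    awk '$1 == "--" { second = 1; next }
         $2 == "=>" { if (second) seen[$1] = 1; else first[n++] = $1 }
         END { for (i = 0; i < n; i++) if (!(first[i] in seen)) print first[i] }'
}

echo "Loaded from outside /lib and /usr/lib after the replacement:"
printf '%s\n' "$REPLACED_LDD" | outside_base
echo "Base libraries the replacement no longer links:"
only_in_first "$NATIVE_LDD" "$REPLACED_LDD"
```

On the thread's data this reports libpcap.so.1 resolving to /usr/local/lib, and libpcap.so.8 and libmlx5.so.1 as no longer linked, so the binary now sitting in /usr/sbin depends on a ports-installed libpcap rather than the base one.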
@pfthbst said in tcpdump v4.99.4 from pfSense 2.7.2 does not honour local timezone:
I now have a “good” version of the tcpdump.
And maybe a lot of fun with the next pfSense update...
-
You took both packages from https://pkg.freebsd.org/FreeBSD:14:amd64/latest/All/... so they are most probably ok.
If 'libsmi' is just a library file (like a DLL) then it exposes functionality to the OS/system and running executables, and the installing is just a file copied in place like /usr/local/lib/, and doesn't make any other file changes, then you are imho ok.
There is just one thing to keep in mind : you use 'code' on your pfSense that hasn't been audited by Netgate. I presume that Netgate, before they adopt a new library, they use the packet source, look into it, see what it does, fork it to adapt functionality or remove (!) functionality, before they use it to build a new pfSense version.
That is, that is how I would do it.
-
@Gertjan said in tcpdump v4.99.4 from pfSense 2.7.2 does not honour local timezone:
You took both packages from https://pkg.freebsd.org/FreeBSD:14:amd64/latest/All/... so they are most probably ok.
If 'libsmi' is just a library file (like a DLL) then it exposes functionality to the OS/system and running executables, and the installing is just a file copied in place like /usr/local/lib/, and doesn't make any other file changes, then you are imho ok.
There is just one thing to keep in mind : you use 'code' on your pfSense that hasn't been audited by Netgate. I presume that Netgate, before they adopt a new library, they use the packet source, look into it, see what it does, fork it to adapt functionality or remove (!) functionality, before they use it to build a new pfSense version.
That is, that is how I would do it.
Thanks, if I understand correctly, I potentially have a less reliable and less secure firewall now.
-
@slu said in tcpdump v4.99.4 from pfSense 2.7.2 does not honour local timezone:
@pfthbst said in tcpdump v4.99.4 from pfSense 2.7.2 does not honour local timezone:
I now have a “good” version of the tcpdump.
And maybe a lot of fun with the next pfSense update...
Yes, I've already had a lot of fun upgrading to 2.7.2 ))
-
Yeah, I would say it's unlikely you'll have any problems there because it didn't pull in any other pkgs as dependencies. Where you usually run into issues is when a bunch of the default pfSense pkgs get replaced by newer versions from FreeBSD but they don't have any of the pfSense patches.
-
Now I'm really calmed down, thank you!