Netgate Discussion Forum

Packet capture not working?

  • L
    lagreca
    last edited by Dec 17, 2009, 12:40 AM

    I started a packet capture on firmware 1.2.3-RELEASE built on Mon Dec 7 23:21:58 EST 2009.  This is on an Alix 2c3, nanobsd on 2 GB CF card.

    It starts, then stops a few seconds later, capturing NOTHING!  I've tried changing it to the LAN and changing the level of detail.

    What is going on?

    • J
      jimp Rebel Alliance Developer Netgate
      last edited by Dec 17, 2009, 4:56 PM

      Do any errors show up on the screen when you make the capture?

      I thought it worked last time I tried it, but I don't have an ALIX Nano test box handy that has 1.2.3-RELEASE on it and is connected to a network at the moment.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      • D
        dotdash
        last edited by Dec 17, 2009, 7:28 PM

        Did a quick test on an Alix running 1.2.3 release and I can confirm the issue.

        • J
          jimp Rebel Alliance Developer Netgate
          last edited by Dec 18, 2009, 2:43 AM

          It is broken, there are a few more confirmations, and some fixes have been committed. You can look at the commit log and replicate the fix if you need to have it functional anytime soon.

          • L
            lagreca
            last edited by Dec 18, 2009, 4:22 PM

            Sorry, but I'm not really familiar with the "commit log".  Is this something fairly easy to do, or does it require recompiling something?

            When will this fix be available to the general public?

            • D
              dotdash
              last edited by Dec 18, 2009, 5:57 PM Dec 18, 2009, 5:53 PM

              I'd think it would be this one:
              https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/6eddeb954a6859d76fa8c210fa267569403f0062

              edit: Most of this appears to be formatting cleanup. From a quick read-over, this appears to be the important bit:
              259 }
              260 else  //action = stop
              261 {
              262
              248 } else {
              249 //action = stop

              • L
                lagreca
                last edited by Dec 18, 2009, 10:18 PM

                I tried to find the file in the repo today, but failed.  Would it be possible for someone to post a link to download the latest file?  That way I can download it and replace the version in the firewall.  I really just need to get packet capture working in this firewall.  Thanks.

                • J
                  jimp Rebel Alliance Developer Netgate
                  last edited by Dec 18, 2009, 11:45 PM

                  Here's the whole file, as it appears in the repo currently:

                  http://pingle.org/files/diag_packet_capture.php.txt

                  There isn't a (currently) working web interface to pull arbitrary files out of the repo for RELENG_1_2.

                  • D
                    dotdash
                    last edited by Dec 21, 2009, 7:17 PM

                    I tried using diagnostics, edit file to change the line I noted. Didn't work. I'm sure I did it wrong.
                    I went ahead and shelled into a 1.2.3 nano box, mounted rw, backed up the old file, fetched the new one from Jim's site, renamed it, flagged it executable. Now packet capture works as expected. Thanks Jim.

                    • L
                      lagreca
                      last edited by Dec 21, 2009, 10:02 PM

                      @dotdash:

                      I tried using diagnostics, edit file to change the line I noted. Didn't work. I'm sure I did it wrong.
                      I went ahead and shelled into a 1.2.3 nano box, mounted rw, backed up the old file, fetched the new one from Jim's site, renamed it, flagged it executable. Now packet capture works as expected. Thanks Jim.

                      Care to give instructions on how this is done?  I'm not sure how to mount the filesystem rw to change the contents of the file.

                      • D
                        danswartz
                        last edited by Dec 21, 2009, 10:23 PM

                        You run /etc/rc.conf_mount_rw and then /etc/rc.conf_mount_ro to make it read-only again.

                        • D
                          dotdash
                          last edited by Dec 21, 2009, 10:59 PM

                          Something like this:
                          ssh in
                          drop to shell ( 8 )
                          cd /usr/local/www
                          /etc/rc.conf_mount_rw
                          mv diag_packet_capture.php diag_packet_capture.php.old
                          fetch http://pingle.org/files/diag_packet_capture.php.txt
                          mv diag_packet_capture.php.txt diag_packet_capture.php
                          chmod +x diag_packet_capture.php
                          /etc/rc.conf_mount_ro

                          • J
                            jimp Rebel Alliance Developer Netgate
                            last edited by Dec 21, 2009, 11:00 PM

                            Or just:

                            fetch -o /usr/local/www/diag_packet_capture.php http://pingle.org/files/diag_packet_capture.php.txt

                            instead of the separate fetch and second mv commands.

                            • L
                              lagreca
                              last edited by Dec 22, 2009, 4:14 AM

                              This fixed it for me:

                              ssh in
                              drop to shell ( 8 )
                              cd /usr/local/www
                              /etc/rc.conf_mount_rw
                              mv diag_packet_capture.php diag_packet_capture.php.old
                              fetch -o /usr/local/www/diag_packet_capture.php http://pingle.org/files/diag_packet_capture.php.txt
                              chmod +x diag_packet_capture.php
                              /etc/rc.conf_mount_ro

                              Thanks for the help!

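The replacement steps in the posts above fetch the file over plain HTTP and depend on the last typed command to return the root filesystem to read-only. As an added example (not part of any post and not pfSense project code), this sh function checks the download against a SHA-256 before remounting read-write and always runs the remount-ro script afterwards. The function names, the `MOUNT_RW`/`MOUNT_RO` variables and the `<EXPECTED_SHA256>` placeholder are assumptions.

```shell
#!/bin/sh
# Added example (not pfSense project code). The remount scripts are the ones
# named in the thread; the variables exist so the function can be tested
# off the firewall.
MOUNT_RW="${MOUNT_RW:-/etc/rc.conf_mount_rw}"
MOUNT_RO="${MOUNT_RO:-/etc/rc.conf_mount_ro}"

# Print the SHA-256 of a file: FreeBSD sha256(1), else GNU sha256sum.
file_sha256() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | awk '{print $1}'
    fi
}

# replace_verified NEW TARGET EXPECTED_SHA256
# Returns 0 on success, 1 on hash mismatch, 2 if a remount or copy fails.
replace_verified() {
    new="$1"; target="$2"; want="$3"
    got=$(file_sha256 "$new") || return 2
    if [ "$got" != "$want" ]; then
        echo "hash mismatch for $new: got $got" >&2
        return 1    # rejected before the root filesystem is touched
    fi
    "$MOUNT_RW" || return 2
    rc=0
    # Keep the old page as TARGET.old, then swap the verified copy in.
    { [ ! -e "$target" ] || cp -p "$target" "$target.old"; } &&
        cp "$new" "$target.tmp" && mv "$target.tmp" "$target" || rc=2
    "$MOUNT_RO" || rc=2    # runs on success and on failure alike
    return "$rc"
}

# Usage on the firewall (<EXPECTED_SHA256> is a placeholder for a hash
# obtained from a trusted source, not from the download host):
#   fetch -o /tmp/diag_packet_capture.php.txt \
#       http://pingle.org/files/diag_packet_capture.php.txt
#   replace_verified /tmp/diag_packet_capture.php.txt \
#       /usr/local/www/diag_packet_capture.php <EXPECTED_SHA256>
```
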
                              • S
                                Splock
                                last edited by Jun 19, 2010, 2:56 PM

                                Hi, this didn't quite work for me, but a variation of it did, so I'll post it, even though I make no claim to expertise of any kind.  Thanks to those who replied above - it helped me find a "fix".  I suspect it's not quite secure as it doesn't remount the volume as "ro" (read-only).  I'll try to find a fix for that later.  Any input would be appreciated.

                                I couldn't connect to Jim's file on pingle.org - looks like the site is down maybe.  However, when I did a line-by-line comparison of the file diag_packet_capture.php using pfsense's "edit file" in diagnostics (copied and pasted over to a file editor) compared to the commit file in dotdash's post, I noticed that my file contained the following (right at the end of the file):

                                conf_mount_ro();

                                include("fend.inc");

                                ?>
                                which was not in the commit file.  I did some google searching on conf_mount_ro() and I couldn't find it as a php function.  Maybe I just didn't look correctly.  I suspect it's supposed to be inside a system command like the line above it (system ("/usr/sbin/tcpdump …...etc).  I did notice the conf_mount_rw(); is on top of the file, and that doesn't seem to cause a problem, so...........

                                Anyway, commenting out the line with //'s as follows

                                // conf_mount_ro();

                                makes the problem go away, and packet capture now works.  I reversed the change to make sure that it was indeed this that was allowing it to work, and was able to confirm this.

                                Like I said, this is probably insecure, so I'll try playing with system ("/etc/rc.conf_mount_ro") next.  If anyone knows how to make it work as a php function, please let me know.  The fend.inc file does exist in the /usr/local/www directory, and leaving it alone seems to work just fine.

                                Of course, I'm not recommending this as a change because it's clearly taking out the command to re-convert the file to "ro", only as an indication that something might need fixing here.  I do recommend that anyone wanting to try it copies a backup of the original diag_packet_capture.php to diag_packet_capture.php.old using pfsense's web interface "command" option in the Diagnostics section.

                                Hope this helps.

                                • J
                                  jimp Rebel Alliance Developer Netgate
                                  last edited by Jun 21, 2010, 1:33 PM

                                  Try to get the file from my site again, it was offline for a bit that day due to some inclement weather (sadly, my server isn't on a UPS :-)

                                  The fix that is in the repository for 1.2.3 does work, and works properly, and switches back to read only mode as it should.

                                  • S
                                    Splock
                                    last edited by Jun 24, 2010, 8:55 PM

                                    Thank-you

                                    • J
                                      jimp Rebel Alliance Developer Netgate
                                      last edited by Jun 24, 2010, 9:43 PM

                                      Actually I had forgotten I made this into a package. Go to System > Packages, and install "Packet Capture Fix" and it should work after that.

                                      • H
                                        HiTekRedNek
                                        last edited by Oct 9, 2010, 10:58 PM

                                        These instructions just saved my wall from having a boot-sized hole in it. Thanks to Jim, the site and "the definitive guide".

                                        • B
                                          Blair
                                          last edited by Mar 26, 2011, 3:32 AM Mar 26, 2011, 1:51 AM

                                          Hi, I am brand new to this forum.  Have been using BSD for about 5 years and pfsense for about a year (running on an Alix).  I had noticed I couldn't get anything out of the packet capture function and never really played with it until recently.  I am having a flaming nasty dispute with my ISP and really needed this to work.  I did a search and found the posts talking about how this was broken on embedded and suggesting replacing a file.  There were also some other patches proposed.  Having poked around a bit in the file system I realized that the issue was that the file is being written to /root which is normally read only on the embedded version.  The patch calls the PHP function that marks the file system read/write and sets it back to read only on exit.  If you stay in that page and are not attempting to capture after you leave it then maybe that will work, but here is a much more stable (and easy to apply) fix:

                                          1.  Go to Diagnostics - Edit file.
                                          2.  Enter /usr/local/www/diag_packet_capture.php
                                          3.  Scroll down to just past the copyright notice for the line $fp = "/root/"
                                          4.  Change it to $fp = "/var/"

                                          Save the file.  Your packet capture should now work fine on 1.2.3 embedded.  /var is a memory disk on embedded.  Your captured data will not survive a reboot.  I don't personally see this as an issue.
