Bridging and using wireshark, howto or alternative
-
Hi all,
I'm using pfSense Embedded 1.2 release on WRAP. My ultimate goal is to log traffic in our network on a per IP basis. I basically want to know the amount of bandwidth everyone uses.
I already know it would be possible with some packages, but since I run embedded, that's not an option. So my next solution is running Wireshark on a laptop and let it trace continuously. Our network looks like this:
WAN ---> VDSL modem/router (in bridge mode) ---> pfSense on WRAP (WAN interface) ---> pfSense LAN interface ---> multiple switches (single /24 subnet)
Logging with Wireshark would be easy when plugging in a dumb hub at the pfSense LAN interface. However, I cannot find any dumb hub on the market these days (new or second hand). Also a managed switch with port mirroring is out of reach (financially).
Next option that I tried was bridging the OPT1 interface with LAN, setting up 2 rules allowing traffic between LAN and OPT1 interfaces. This way, the laptop receives a DHCP IP on the OPT1 interface from the LAN DHCP server. I see some traffic on the OPT1 interface, but only traffic to and from the laptop plus some broadcasts. Therefore, I think that this will not work, since pfSense's bridging acts as a switch and I don't see all LAN traffic.
Does anyone know a solution for reaching my goal by configuring pfSense to see all traffic on OPT1 or with some completely different method?
Thanks in advance to anyone reading.
Cheers, Marc
-
If you upgrade to 1.2.3-RELEASE on the WRAP, you can use packages, though 1.2.3 takes some fiddling to make it work on WRAP (See http://doc.pfsense.org/index.php/NanoBSD_on_WRAP )
I'm not sure which if any of the bandwidth monitoring packages would be suitable to run on a WRAP though. I think pfflowd would be the most likely choice as it just relays info to a netflow collector you run on another system.
If you want to remotely monitor via wireshark, I describe a technique in the book (pg. 472) that works to run a remote realtime capture over ssh from a FreeBSD/Linux/Mac workstation running wireshark that will collect the traffic live directly from the firewall.
-
Many thanks for indicating both options. I'll have to do some more reading now.
-
to remotely monitor via wireshark, I describe a technique in the book (pg. 472) that works to run a remote realtime capture
Wow! It's beautiful! What a pity that there is only this "book" and absolutely nothing like good old manpages!
Please describe (just in common words, without detailed shell commands) this magic technique here too?
-
Nothing magical about it, I just wrote out details there, specific to pfSense.
It's covered in the Wireshark FAQ, actually: http://wiki.wireshark.org/CaptureSetup/Pipes#head-c2e8e0406864a26e2cee4fdb325f0ed832d684c6 - a well-formed Google search would have turned it up.
Basically it's grabbing the data through a remote ssh session.
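To make the "capture through a remote ssh session" idea concrete for the original per-IP bandwidth question, here is an added example (not from this thread, the book, or the Wireshark wiki): it builds the ssh/tcpdump command that streams a live pcap from the firewall, and tallies IP-layer bytes sent and received per LAN host from that stream. The firewall address 192.168.1.1, the LAN subnet 192.168.1.0/24, the interface name vr0 and key-based ssh as root are assumptions; the pcap used when the script is run stand-alone is constructed in memory.

```python
"""Per-IP byte accounting over a live pcap pulled from pfSense via ssh.
Added example, not from the thread. Assumes key-based ssh to the firewall,
tcpdump on the box, and a LAN interface name (vr0 here is an assumption)."""
import io
import ipaddress
import struct
import subprocess
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800
DLT_EN10MB = 1


def remote_capture_cmd(host, iface, user="root", snaplen=96):
    """ssh runs tcpdump on the firewall and streams raw pcap to stdout (-w -).
    -U flushes per packet so the live reader sees it at once; -s keeps only
    headers (enough for byte accounting, less load on the WRAP); 'not port 22'
    keeps the capture session's own ssh traffic out of the totals."""
    return ["ssh", f"{user}@{host}", "tcpdump", "-i", iface, "-U",
            "-s", str(snaplen), "-w", "-", "not", "port", "22"]


def _read_exact(stream, n):
    buf = b""
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            return None  # end of capture
        buf += chunk
    return buf


def iter_pcap(stream):
    """Yield (ts_sec, orig_len, frame) for each record of a classic pcap stream."""
    hdr = _read_exact(stream, 24)
    if hdr is None:
        return
    magic = struct.unpack("<I", hdr[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap stream (pcapng is not handled here)")
    if struct.unpack(endian + "I", hdr[20:24])[0] != DLT_EN10MB:
        raise ValueError("expected Ethernet frames")
    while True:
        rec = _read_exact(stream, 16)
        if rec is None:
            return
        ts_sec, _ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", rec)
        frame = _read_exact(stream, incl_len)
        if frame is None:
            return
        yield ts_sec, orig_len, frame


def ip_src_dst(frame):
    """Return (src, dst, ip_total_len) for an IPv4-over-Ethernet frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]  # L3 bytes, independent of snaplen
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return src, dst, total_len


def tally_per_ip(stream, lan_cidr="192.168.1.0/24"):
    """Sum IP-layer bytes sent and received by every host inside the LAN subnet."""
    lan = ipaddress.ip_network(lan_cidr)
    totals = defaultdict(lambda: {"sent": 0, "recv": 0})
    for _ts, _orig_len, frame in iter_pcap(stream):
        parsed = ip_src_dst(frame)
        if parsed is None:
            continue
        src, dst, n = parsed
        if ipaddress.ip_address(src) in lan:
            totals[src]["sent"] += n
        if ipaddress.ip_address(dst) in lan:
            totals[dst]["recv"] += n
    return dict(totals)


def tally_from_bytes(data, lan_cidr="192.168.1.0/24"):
    return tally_per_ip(io.BytesIO(data), lan_cidr)


def build_pcap(records):
    """Constructed sample capture: records are (src_ip, dst_ip, payload_len)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB)
    for src, dst, payload_len in records:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 6, 0,
                         bytes(int(x) for x in src.split(".")),
                         bytes(int(x) for x in dst.split(".")))
        frame = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + b"\x00" * payload_len
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out


def run_live(host="192.168.1.1", iface="vr0"):
    """Live use: read the pcap stream straight out of the ssh session."""
    proc = subprocess.Popen(remote_capture_cmd(host, iface), stdout=subprocess.PIPE)
    return tally_per_ip(proc.stdout)


if __name__ == "__main__":
    sample = build_pcap([("192.168.1.10", "8.8.8.8", 100),
                         ("8.8.8.8", "192.168.1.10", 500),
                         ("192.168.1.20", "192.168.1.10", 40)])
    print(tally_from_bytes(sample))
```

The same stream feeds Wireshark directly when you replace the Python reader with `wireshark -k -i -` on the end of the ssh pipe, which is the pipe technique the Wireshark wiki page linked above describes; the Python reader is only there to answer the per-host byte question without a GUI.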
-
Thanks. Unfortunately it's standard but too complex (especially for monitoring from Windows).
Is there any way to use "more normal" methods like Tazmen Sniffer Protocol (aka tzsp)?
-
As far as I'm aware, there is no support for tzsp. The only remote packet monitoring I've ever seen work is the wireshark method I was talking about. And you're right, it is not Windows-friendly. It works fine on Ubuntu, FreeBSD, even OS X.
These days it's pretty easy to slap a virtualbox VM with ubuntu on any OS for doing this kind of thing.
-
Wow! It's beautiful! What a pity that there is only this "book" and absolutely nothing like good old manpages!
Please describe (just in common words, without detailed shell commands) this magic technique here too?
These types of responses really pain me. How much money have you saved by using pfSense and you cannot afford to purchase the book and help out the project?
Sad.
-
These types of responses really pain me.
How much money have you saved by using pfSense
You'll not believe - nothing (zero, nada). @sullrich:
and you cannot afford to purchase the book
Absolutely! Just because
- the sum of the book and delivery prices is about 1/5 of my monthly income from the place where I currently test pfSense, and
- I didn't like books when ten or twenty manpages are enough (and that's well-known "good form" in the OSS world when a book exists alongside the "base" documentation)