Packet Capture - Leave Page - Still Running

tnelson

Greetings all-

I'm running 2.0-RC1 on i386. If I start a capture via 'Diagnostics' -> 'Packet Capture', then leave the page and come back to the capture page, it looks as though there is no capture currently running. Instead of displaying a 'Stop' button, it shows the usual 'Start' and 'Download Capture' options. The only way to stop the capture is to kill it by PID (via shell or web command).

There was a similar capture issue reported here, but not quite the same:

http://forum.pfsense.org/index.php/topic,35523.0.html

Thoughts?

–Tim

cmb

Is it actually still running? Sounds like it just hit the packet count limit and stopped itself, and that maybe you're killing the tcpdump on pflog (which is firewall logs, has nothing to do with packet capture). Confirmed it does work correctly.

tnelson

I always set the packet count on my captures to 0. I just retested to confirm. I started a capture with packet count at 0, went to another page (ARP tables, not overly important, just providing details…). I went back to the packet capture page and it appears as though there is no capture running. However, when running 'ps aux | grep tcpdump', I see two processes:

$ ps ax | grep tcpdump | grep -v grep
24522  ??  S      0:00.15 /usr/sbin/tcpdump -i pppoe0 -s 0 -w /root/packetcaptu
19022  v0- S      0:21.34 /usr/sbin/tcpdump -s 256 -v -l -n -e -ttt -i pflog0

So, we have the regular pflog process, AND, the capture process I started on my WAN (pppoe0).

Please let me know if you need further information, and/or how I can help further.

jimp

Do you have the same problem if you run a capture on LAN or another interface? It could be related to how it's looking up the interface related to pppoe0 when trying to find its tcpdump process.

jimp

Also, you should be on the most recent snapshots to eliminate any other potential issues, we have committed many fixes to the packet capture page since the official RC1 dropped, you could be hitting a bug that has already been fixed (especially since we can't reproduce it).

https://github.com/bsdperimeter/pfsense/commits/master/usr/local/www/diag_packet_capture.php

tnelson

Testing on a different interface (LAN which is fxp1/VLAN192) proved the same behavior.

But yes, very good point. I'll upgrade to the latest snapshot to see if the issue is fixed. I have a feeling this commit could be relevant:

https://github.com/bsdperimeter/pfsense/blob/0c951d9bee2af9a48f297b90a11c9b3911c4ca05/usr/local/www/diag_packet_capture.php

–Tim

tnelson

My apologies for the noise… this issue appears to be resolved after updating to:

2.0-RC2 (i386)
built on Thu May 19 19:44:17 EDT 2011

Thanks!

--Tim