Netgate Discussion Forum
    Install Wireshark on 2.3.1

    • JKnott

      That is what I'm trying to figure out how to do.  As I mentioned, I'm quite familiar with Linux, but not FreeBSD and it appears some of the tools one might use are not included with pfSense.  That's why I'm asking for help on how to do this.  If I already knew, I wouldn't be asking.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      • Derelict LAYER 8 Netgate

        Downloading packet captures from your firewall to view in Wireshark on your management workstation is not sufficient?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • JKnott

          Sometimes I want to see at the firewall.  Also, some devices cannot run Wireshark.  My firewall had been running openSUSE Linux for years and it was no problem to install Wireshark & run on it.  The only reason I switched to pfSense is openSUSE doesn't yet support dhcpv6-pd, which is necessary to get an IPv6 prefix, from my ISP, on my network.

          BTW, this is the article I found to install Wireshark on an earlier version of pfSense but, as I mentioned, the instructions don't work on 2.3.1.
          https://turbofuture.com/computers/How-to-Run-Wireshark-on-pfSense-Using-X11-Forwarding-Over-SSH

          I'd like to find something similar for 2.3.1.

          • heper

            I agree with Derelict on just sending the captures towards a remote client, but if you insist you could try the below AT YOUR OWN RISK:

            64bit

            pkg add http://pkg.freebsd.org/freebsd:10:x86:64/release_3/All/wireshark-2.0.2.txz
            

            32bit

            pkg add http://pkg.freebsd.org/freebsd:10:x86:32/release_3/All/wireshark-2.0.2.txz
            

            I have not tried this; chances are you'll be missing dependencies that you'd need to add manually.

            • NOYB

              Why install all that?  Can't the same thing be accomplished with an ssh tunnel and netcat or plink, or other ssh tools at the client end?

              pfSense already has tcpdump and ssh.  Nothing more should be needed on the pfSense end.

              All that really should be needed is to establish an ssh tunnel, run a remote tcpdump command and pipe it to wireshark or whatever tool is being used on the client.

              Remote Packet Capture
              https://forum.pfsense.org/index.php?topic=89917.msg497700

              Long term traffic capture with tcpdump over netcat
              https://forum.pfsense.org/index.php?topic=108668.msg607063#msg607063

              • JKnott

                I have found this site that contains both wireshark and xauth.  Hopefully they'll do the trick.  They do seem a bit old, though.

                http://ftpmirror.your.org/pub/FreeBSD-Unofficial-Packages/100amd64-default/All/

                • JKnott

                  I have not tried this; chances are you'll be missing dependencies that you'd need to add manually.

                  I found one already for xauth, gdk-pixbuf2.

                  • jimp Rebel Alliance Developer Netgate

                    Do not install wireshark (or anything that needs/wants X11) anywhere near a firewall. Horrible idea.

                    You can pipe tcpdump data to wireshark over SSH, which is much better than attempting to put X11 binaries on the firewall. IIRC you could maybe use tshark to do similar (or more) things, like shown on https://www.howtoforge.com/wireshark-remote-capturing or with something like:

                    # wireshark -k -i <(ssh root@192.168.1.1 tcpdump -i igb1 -U -w - not tcp port 22)
                    

                    You'll need ssh set up to use key-based auth so you don't get a password prompt, and ssh-agent so you don't get an interactive prompt for the key.

                    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                    Need help fast? Netgate Global Support!

                    Do not Chat/PM for help!
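
The remote capture NOYB and jimp describe, written as a reusable shell function (an added example, not part of the thread): it validates the interface, address and port before they reach the firewall's shell, and narrows jimp's `not tcp port 22` filter to just the capture's own SSH session. The function names and sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. All sample values are constructed.

# Accept only plain interface names (igb1, em0, igb1.10), so the value
# cannot carry extra shell syntax into the command run on the firewall.
valid_iface() {
    case "$1" in ''|*[!A-Za-z0-9_.]*) return 1 ;; esac
}

# Accept only the characters of an IPv4 or IPv6 literal.
valid_addr() {
    case "$1" in ''|*[!0-9A-Fa-f:.]*) return 1 ;; esac
}

valid_port() {
    case "$1" in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the tcpdump command to run on the firewall. The filter drops only
# the SSH session carrying the capture (this workstation <-> sshd port),
# so other SSH traffic crossing the interface still shows up.
# $2 must be the workstation address as the firewall sees it.
build_remote_cmd() {
    iface=$1 client=$2 port=${3:-22}
    valid_iface "$iface" && valid_addr "$client" && valid_port "$port" || return 1
    printf "tcpdump -i %s -U -w - 'not (host %s and tcp port %s)'" \
        "$iface" "$client" "$port"
}

# Stream the capture into a local Wireshark. BatchMode=yes makes ssh fail
# instead of stopping at a password or passphrase prompt.
remote_capture() {
    fw=$1 iface=$2 client=$3 port=${4:-22}
    case "$fw" in ''|-*) echo "refusing: bad ssh target" >&2; return 2 ;; esac
    cmd=$(build_remote_cmd "$iface" "$client" "$port") || {
        echo "refusing: bad interface, address or port" >&2
        return 2
    }
    ssh -o BatchMode=yes -p "$port" "$fw" "$cmd" | wireshark -k -i -
}

# Usage (constructed values):
#   remote_capture root@192.168.1.1 igb1 192.168.1.50
```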

                    • cmb

                      Yes, what jimp said. The dependencies required to get Wireshark running are absurdly long and you'll almost certainly break something. tcpdump is there, and all you need on that system.

                      • 2chemlud Banned

                        Good time to share this absolutely cool post by Grünsfröschli:

                        https://forum.pfsense.org/index.php?topic=107605.0

                        :-D
