Need to allow access to DVR in the WAN network to LAN computers
-
If your netgear was just being a AP then it wasn't doing any sort of nat.. And wasn't routing or anything it was just an AP.
It was converted to AP after pfsense installation, before pfsense it was the main Router/Firewall.
No I would not suggest installing snort. What I would suggest you could do is sniff on pfsense lan and wan and try and make a connection to see what is going on.
OK. There is a sniff package?
-
no package just under diagnostics, packet capture or fro ma prompt or ssh to it you can do tcpdump
-
I search and found this:
https://doc.pfsense.org/index.php/Sniffers,_Packet_Capture -
Run Diagnostic -> Packet Capture
Set Host to 192.168.0.99
Else left defaults.Output:
17:10:04.638345 ARP, Request who-has 192.168.0.99 tell 192.168.0.3, length 28
17:10:04.639323 ARP, Reply 192.168.0.99 is-at 00:17:4f:0c:3e:5c, length 46
17:10:04.639332 IP 192.168.0.3.16730 > 192.168.0.99.99: tcp 0
17:10:04.765719 IP 192.168.0.3.35783 > 192.168.0.99.99: tcp 0
17:10:04.765982 IP 192.168.0.99.99 > 192.168.0.3.35783: tcp 0
17:10:04.766120 IP 192.168.0.3.35783 > 192.168.0.99.99: tcp 0
17:10:04.766265 IP 192.168.0.3.35783 > 192.168.0.99.99: tcp 259
17:10:04.766602 IP 192.168.0.99.99 > 192.168.0.3.35783: tcp 0
17:10:04.807060 IP 192.168.0.99.99 > 192.168.0.3.35783: tcp 999
17:10:04.807116 IP 192.168.0.99.99 > 192.168.0.3.35783: tcp 0
17:10:04.807222 IP 192.168.0.3.35783 > 192.168.0.99.99: tcp 0
17:10:04.807622 IP 192.168.0.3.35783 > 192.168.0.99.99: tcp 0
17:10:04.808025 IP 192.168.0.3.18835 > 192.168.0.99.99: tcp 0
17:10:04.809060 IP 192.168.0.99.99 > 192.168.0.3.35783: tcp 0
17:10:04.809262 IP 192.168.0.99.99 > 192.168.0.3.18835: tcp 0
17:10:04.809378 IP 192.168.0.3.18835 > 192.168.0.99.99: tcp 0
17:10:04.809915 IP 192.168.0.3.18835 > 192.168.0.99.99: tcp 298
17:10:04.810486 IP 192.168.0.99.99 > 192.168.0.3.18835: tcp 0
17:10:04.820361 IP 192.168.0.99.99 > 192.168.0.3.18835: tcp 17
17:10:05.017506 IP 192.168.0.3.18835 > 192.168.0.99.99: tcp 0
17:10:05.075790 IP 192.168.0.99.99 > 192.168.0.3.18835: tcp 1024
17:10:05.084769 IP 192.168.0.99.99 > 192.168.0.3.18835: tcp 95
17:10:05.084930 IP 192.168.0.3.18835 > 192.168.0.99.99: tcp 0
17:10:05.089531 IP 192.168.0.3.18835 > 192.168.0.99.99: tcp 0
17:10:05.089864 IP 192.168.0.99.99 > 192.168.0.3.18835: tcp 0
17:10:05.236533 IP 192.168.0.3.33284 > 192.168.0.99.99: tcp 0
17:10:05.236766 IP 192.168.0.99.99 > 192.168.0.3.33284: tcp 0
17:10:05.236900 IP 192.168.0.3.33284 > 192.168.0.99.99: tcp 0
17:10:05.236975 IP 192.168.0.3.33284 > 192.168.0.99.99: tcp 92
17:10:05.237352 IP 192.168.0.99.99 > 192.168.0.3.33284: tcp 0
17:10:05.253688 IP 192.168.0.99.99 > 192.168.0.3.33284: tcp 201
17:10:05.254600 IP 192.168.0.99.99 > 192.168.0.3.33284: tcp 997
17:10:05.254732 IP 192.168.0.3.33284 > 192.168.0.99.99: tcp 0
17:10:05.254790 IP 192.168.0.3.33284 > 192.168.0.99.99: tcp 0
17:10:05.255046 IP 192.168.0.99.99 > 192.168.0.3.33284: tcp 0
17:10:05.356100 IP 192.168.0.3.10889 > 192.168.0.99.99: tcp 0
17:10:05.356342 IP 192.168.0.99.99 > 192.168.0.3.10889: tcp 0
17:10:05.356482 IP 192.168.0.3.10889 > 192.168.0.99.99: tcp 0
17:10:05.356610 IP 192.168.0.3.10889 > 192.168.0.99.99: tcp 72
17:10:05.356870 IP 192.168.0.99.99 > 192.168.0.3.10889: tcp 0
17:10:05.366405 IP 192.168.0.99.99 > 192.168.0.3.10889: tcp 522
17:10:05.366637 IP 192.168.0.99.99 > 192.168.0.3.10889: tcp 0
17:10:05.366829 IP 192.168.0.3.10889 > 192.168.0.99.99: tcp 0
17:10:05.370377 IP 192.168.0.3.10889 > 192.168.0.99.99: tcp 0
17:10:05.370472 IP 192.168.0.3.10010 > 192.168.0.99.99: tcp 0
17:10:05.371335 IP 192.168.0.99.99 > 192.168.0.3.10010: tcp 0
17:10:05.371449 IP 192.168.0.3.10010 > 192.168.0.99.99: tcp 0
17:10:05.371559 IP 192.168.0.3.10010 > 192.168.0.99.99: tcp 177
17:10:05.371569 IP 192.168.0.3.10010 > 192.168.0.99.99: tcp 242
17:10:05.372071 IP 192.168.0.99.99 > 192.168.0.3.10010: tcp 0
17:10:05.372079 IP 192.168.0.99.99 > 192.168.0.3.10010: tcp 0
17:10:48.857694 IP 192.168.0.3.62699 > 192.168.0.99.99: tcp 0
17:10:48.858534 IP 192.168.0.99.99 > 192.168.0.3.62699: tcp 0
17:10:48.858667 IP 192.168.0.3.62699 > 192.168.0.99.99: tcp 0
17:10:48.858788 IP 192.168.0.3.62699 > 192.168.0.99.99: tcp 92
17:10:48.859469 IP 192.168.0.99.99 > 192.168.0.3.62699: tcp 0
17:10:48.905379 IP 192.168.0.99.99 > 192.168.0.3.62699: tcp 201
17:10:48.911684 IP 192.168.0.99.99 > 192.168.0.3.62699: tcp 997
17:10:48.911867 IP 192.168.0.3.62699 > 192.168.0.99.99: tcp 0
17:10:48.911937 IP 192.168.0.3.62699 > 192.168.0.99.99: tcp 0
17:10:48.912247 IP 192.168.0.99.99 > 192.168.0.3.62699: tcp 0
17:10:48.959143 IP 192.168.0.3.20616 > 192.168.0.99.99: tcp 0
17:10:48.960577 IP 192.168.0.99.99 > 192.168.0.3.20616: tcp 0
17:10:48.960737 IP 192.168.0.3.20616 > 192.168.0.99.99: tcp 0
17:10:48.960790 IP 192.168.0.3.20616 > 192.168.0.99.99: tcp 72
17:10:48.961003 IP 192.168.0.99.99 > 192.168.0.3.20616: tcp 0
17:10:48.966558 IP 192.168.0.99.99 > 192.168.0.3.20616: tcp 522
17:10:48.966807 IP 192.168.0.99.99 > 192.168.0.3.20616: tcp 0
17:10:48.966935 IP 192.168.0.3.20616 > 192.168.0.99.99: tcp 0
17:10:48.970327 IP 192.168.0.3.20616 > 192.168.0.99.99: tcp 0
17:10:48.970449 IP 192.168.0.3.46976 > 192.168.0.99.99: tcp 0
17:10:48.971139 IP 192.168.0.99.99 > 192.168.0.3.46976: tcp 0
17:10:48.971254 IP 192.168.0.3.46976 > 192.168.0.99.99: tcp 0
17:10:48.971370 IP 192.168.0.3.46976 > 192.168.0.99.99: tcp 177
17:10:48.971380 IP 192.168.0.3.46976 > 192.168.0.99.99: tcp 242
17:10:48.971767 IP 192.168.0.99.99 > 192.168.0.3.46976: tcp 0
17:10:48.971774 IP 192.168.0.99.99 > 192.168.0.3.46976: tcp 0
17:10:49.086703 IP 192.168.0.99.99 > 192.168.0.3.10010: tcp 1024
17:10:49.086780 IP 192.168.0.99.99 > 192.168.0.3.10010: tcp 1460
17:10:49.086869 IP 192.168.0.99.99 > 192.168.0.3.10010: tcp 1460
17:10:49.086923 IP 192.168.0.3.10010 > 192.168.0.99.99: tcp 0
17:10:49.087251 IP 192.168.0.99.99 > 192.168.0.3.10010: tcp 803
17:10:49.087359 IP 192.168.0.3.10010 > 192.168.0.99.99: tcp 0
17:10:49.103297 IP 192.168.0.3.10010 > 192.168.0.99.99: tcp 177
17:10:49.103332 IP 192.168.0.3.10010 > 192.168.0.99.99: tcp 241
17:10:49.103554 IP 192.168.0.99.99 > 192.168.0.3.10010: tcp 0
17:10:49.103641 IP 192.168.0.99.99 > 192.168.0.3.10010: tcp 0
17:10:49.117235 IP 192.168.0.99.99 > 192.168.0.3.10010: tcp 1024
17:10:49.117264 IP 192.168.0.99.99 > 192.168.0.3.10010: tcp 1460
17:10:49.117441 IP 192.168.0.3.10010 > 192.168.0.99.99: tcp 0
17:10:49.117445 IP 192.168.0.99.99 > 192.168.0.3.10010: tcp 1460
17:10:49.117460 IP 192.168.0.99.99 > 192.168.0.3.10010: tcp 1460
17:10:49.117602 IP 192.168.0.3.10010 > 192.168.0.99.99: tcp 0
17:10:49.117605 IP 192.168.0.99.99 > 192.168.0.3.10010: tcp 1460
17:10:49.117681 IP 192.168.0.99.99 > 192.168.0.3.10010: tcp 1460
17:10:49.117792 IP 192.168.0.99.99 > 192.168.0.3.10010: tcp 1460
17:10:49.117812 IP 192.168.0.3.10010 > 192.168.0.99.99: tcp 0
17:10:49.118723 IP 192.168.0.99.99 > 192.168.0.3.10010: tcp 456
17:10:49.118867 IP 192.168.0.3.10010 > 192.168.0.99.99: tcp 0
17:10:49.122663 IP 192.168.0.99.99 > 192.168.0.3.10010: tcp 1024 -
Yeah your going to want too download that into say wireshark.. That is just not enough info to try and figure out what is going on. But I don't see any multicast. But if you limited to IP then you wouldn't see that.
-
Repeat with same host but instead of normal selected full detail
Output:
17:15:07.399030 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 127, id 26372, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.3.65355 > 192.168.0.99.99: Flags ~~, cksum 0x85d2 (correct), seq 3148123187, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
17:15:07.399482 00:17:4f:0c:3e:5c > 00:0c:29:87:39:2f, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.99.99 > 192.168.0.3.65355: Flags [S.], cksum 0x8615 (correct), seq 769112275, ack 3148123188, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 1], length 0
17:15:07.399616 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 127, id 26373, offset 0, flags [DF], proto TCP (6), length 40)
192.168.0.3.65355 > 192.168.0.99.99: Flags [.], cksum 0xfee9 (correct), seq 1, ack 1, win 256, length 0
17:15:07.399732 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 146: (tos 0x0, ttl 127, id 26374, offset 0, flags [DF], proto TCP (6), length 132)
192.168.0.3.65355 > 192.168.0.99.99: Flags [P.], cksum 0x629a (correct), seq 1:93, ack 1, win 256, length 92
17:15:07.400436 00:17:4f:0c:3e:5c > 00:0c:29:87:39:2f, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 33162, offset 0, flags [DF], proto TCP (6), length 40)
192.168.0.99.99 > 192.168.0.3.65355: Flags [.], cksum 0xe309 (correct), seq 1, ack 93, win 7300, length 0
17:15:07.449709 00:17:4f:0c:3e:5c > 00:0c:29:87:39:2f, ethertype IPv4 (0x0800), length 255: (tos 0x0, ttl 64, id 33163, offset 0, flags [DF], proto TCP (6), length 241)
192.168.0.99.99 > 192.168.0.3.65355: Flags [P.], cksum 0x83ce (correct), seq 1:202, ack 93, win 7300, length 201
17:15:07.452072 00:17:4f:0c:3e:5c > 00:0c:29:87:39:2f, ethertype IPv4 (0x0800), length 1051: (tos 0x0, ttl 64, id 33164, offset 0, flags [DF], proto TCP (6), length 1037)
192.168.0.99.99 > 192.168.0.3.65355: Flags [FP.], cksum 0xb8f8 (correct), seq 202:1199, ack 93, win 7300, length 997
17:15:07.452300 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 127, id 26376, offset 0, flags [DF], proto TCP (6), length 40)
192.168.0.3.65355 > 192.168.0.99.99: Flags [.], cksum 0xf9e3 (correct), seq 93, ack 1200, win 251, length 0
17:15:07.452350 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 127, id 26377, offset 0, flags [DF], proto TCP (6), length 40)
192.168.0.3.65355 > 192.168.0.99.99: Flags [F.], cksum 0xf9e2 (correct), seq 93, ack 1200, win 251, length 0
17:15:07.452542 00:17:4f:0c:3e:5c > 00:0c:29:87:39:2f, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
192.168.0.99.99 > 192.168.0.3.65355: Flags [.], cksum 0xde59 (correct), seq 1200, ack 94, win 7300, length 0
17:15:07.496404 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 127, id 26386, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.3.15956 > 192.168.0.99.99: Flags ~~, cksum 0x2e9c (correct), seq 4130761167, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
17:15:07.496687 00:17:4f:0c:3e:5c > 00:0c:29:87:39:2f, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.99.99 > 192.168.0.3.15956: Flags [S.], cksum 0x09fe (correct), seq 329906146, ack 4130761168, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 1], length 0
17:15:07.496819 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 127, id 26387, offset 0, flags [DF], proto TCP (6), length 40)
192.168.0.3.15956 > 192.168.0.99.99: Flags [.], cksum 0x82d2 (correct), seq 1, ack 1, win 256, length 0
17:15:07.496870 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 126: (tos 0x0, ttl 127, id 26388, offset 0, flags [DF], proto TCP (6), length 112)
192.168.0.3.15956 > 192.168.0.99.99: Flags [P.], cksum 0xbc2d (correct), seq 1:73, ack 1, win 256, length 72
17:15:07.498456 00:17:4f:0c:3e:5c > 00:0c:29:87:39:2f, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 52875, offset 0, flags [DF], proto TCP (6), length 40)
192.168.0.99.99 > 192.168.0.3.15956: Flags [.], cksum 0x6706 (correct), seq 1, ack 73, win 7300, length 0
17:15:07.512679 00:17:4f:0c:3e:5c > 00:0c:29:87:39:2f, ethertype IPv4 (0x0800), length 576: (tos 0x0, ttl 64, id 52876, offset 0, flags [DF], proto TCP (6), length 562)
192.168.0.99.99 > 192.168.0.3.15956: Flags [P.], cksum 0xf776 (correct), seq 1:523, ack 73, win 7300, length 522
17:15:07.513030 00:17:4f:0c:3e:5c > 00:0c:29:87:39:2f, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 52877, offset 0, flags [DF], proto TCP (6), length 40)
192.168.0.99.99 > 192.168.0.3.15956: Flags [F.], cksum 0x64fb (correct), seq 523, ack 73, win 7300, length 0
17:15:07.513150 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 127, id 26390, offset 0, flags [DF], proto TCP (6), length 40)
192.168.0.3.15956 > 192.168.0.99.99: Flags [.], cksum 0x8081 (correct), seq 73, ack 524, win 254, length 0
17:15:07.516451 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 127, id 26391, offset 0, flags [DF], proto TCP (6), length 40)
192.168.0.3.15956 > 192.168.0.99.99: Flags [R.], cksum 0x817b (correct), seq 73, ack 524, win 0, length 0
17:15:07.516539 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 127, id 26392, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.3.1278 > 192.168.0.99.99: Flags ~~, cksum 0x8c3b (correct), seq 1103755763, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
17:15:07.518703 00:17:4f:0c:3e:5c > 00:0c:29:87:39:2f, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.99.99 > 192.168.0.3.1278: Flags [S.], cksum 0xd1a7 (correct), seq 138385730, ack 1103755764, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 1], length 0
17:15:07.518848 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 127, id 26393, offset 0, flags [DF], proto TCP (6), length 40)
192.168.0.3.1278 > 192.168.0.99.99: Flags [.], cksum 0x4a7c (correct), seq 1, ack 1, win 256, length 0
17:15:07.518959 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 231: (tos 0x0, ttl 127, id 26394, offset 0, flags [DF], proto TCP (6), length 217)
192.168.0.3.1278 > 192.168.0.99.99: Flags [P.], cksum 0x0b3d (correct), seq 1:178, ack 1, win 256, length 177
17:15:07.518969 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 296: (tos 0x0, ttl 127, id 26395, offset 0, flags [DF], proto TCP (6), length 282)
192.168.0.3.1278 > 192.168.0.99.99: Flags [P.], cksum 0x140b (correct), seq 178:420, ack 1, win 256, length 242
17:15:07.519914 00:17:4f:0c:3e:5c > 00:0c:29:87:39:2f, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 41001, offset 0, flags [DF], proto TCP (6), length 40)
192.168.0.99.99 > 192.168.0.3.1278: Flags [.], cksum 0x2e47 (correct), seq 1, ack 178, win 7300, length 0
17:15:07.520037 00:17:4f:0c:3e:5c > 00:0c:29:87:39:2f, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 41002, offset 0, flags [DF], proto TCP (6), length 40)
192.168.0.99.99 > 192.168.0.3.1278: Flags [.], cksum 0x2d55 (correct), seq 1, ack 420, win 7300, length 0
17:16:13.271446 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 127, id 29332, offset 0, flags [DF], proto TCP (6), length 40)
192.168.0.3.1278 > 192.168.0.99.99: Flags [R.], cksum 0x49d5 (correct), seq 420, ack 1, win 0, length 0Something in the output make it stricke with a line.~~~~~~
-
Change .cap to .txt to be able to download.
-
Yeah your going to want too download that into say wireshark.. That is just not enough info to try and figure out what is going on. But I don't see any multicast. But if you limited to IP then you wouldn't see that.
I dont have wireshark and has never use it before. I guess I can download if it is free, but use it is other story.
-
https://www.wireshark.org/
Yes it is free (v2.2.1 was just released), and there are a lot of tutorials online as to how to use it. Everyone who is responsible for maintaining a routing firewall should be familiar with packet capture and analysis. There are several books on Wireshark and you can even get training:
http://www.wiresharktraining.com/
-
Found some threads about RSTP but I think this are pertinent for devices in the internal network serving streaming to the external network or Internet:
https://www.mail-archive.com/support@pfsense.com/msg17749.html
https://www.mail-archive.com/support@pfsense.com/msg17758.htmlhttps://doc.pfsense.org/index.php/Static_Port
http://www.selectedintelligence.com/post/46429611973/pfsense-rtsp-and-rtpBut my case is inverted the source and destination, as the RSTP device is in the external network and the clients are in the internal network.
If this is pertinent to my problem could you explain to me in basic terms.
-
But I don't see any multicast. But if you limited to IP then you wouldn't see that.
Why wouldn't you see it? It's still IP.
FWIW, I can see multicast on my network.
-
I tried a capture again but selecting UDP only with the device IP.
Tried against LAN and WAN interface but did not capture anything UDP related. So either the firewall is blocking all UDP to/from the device or there was in fact none.
-
^^^^
One thing I did recently was buy a cheap 5 port managed switch, which I configured for port mirroring. This allows me to insert the switch between 2 devices and use Wireshark to monitor the traffic. With that, you could insert the switch between the DVR & pfSense box to see what's there, with far more info than the pfSense packet capture provides. You can also watch in real time. -
"with far more info than the pfSense packet capture provides. "
How is that exactly.. Why would the packet capture in pfsense not see what that the switch would, when pfsense is 1/2 of that conversation anyway??
Clearly your getting a 401 error saying your NOT Authorized…
As to seeing if limiting to IP, I meant if he was limiting his sniff to a specific IP he would not see multicast traffic since it would be to the multicast address not his specific IP like 192.168.0.3 etc..
In the first part of the sniff your client ask for a manifest of something - and you get that just fine.
But then after that you just get 401.. Why have no idea, not sure what exactly your trying to do, other than dvr is giving you 401, and then your client gets something from the dvr. So there are 3 different conversations here all started by your client 192.168.0.3. First one he gets a manifest of something and that conversation is closed with your normal fin,ack , then he starts another conversation gets told 401, and he closes the conversation with RST, then he gets some other info profile.xml and then again he closes the conversation with RST
So that is a bad conversation, or is that a good conversation that works? Where is a good conversation where you start viewing video, since maybe that is sent in a different protocol?? Either way I wouldn't think you would want to see 401 errors.. Do you have to log in or something?? Do devices have to be authed before hand??
-
"with far more info than the pfSense packet capture provides. "
How is that exactly.. Why would the packet capture in pfsense not see what that the switch would, when pfsense is 1/2 of that conversation anyway??
Perhaps I should clarify. In an earlier post, packet capture as used in pfSense was listed. This does not show as much detail as you'd see in Wireshark. In order to see that level of detail, you have to download the cap file and then use something like Wireshark to view it.
I use Wireshark frequently and find that between the capture and display filters, it's a lot easier to isolate what you're looking for. You can also watch in real time and click on any frame to examine it's contents while the capture continues.
Back when I was using Linux for my firewall, I had Wireshark available on it. Since moving to pfSense, I bought a managed switch, which I can insert to monitor traffic.
-
"You can also watch in real time and click on any frame to examine it's contents while the capture continues."
This is very true!! If your sniffing with wireshark off a say a spanned port then sure you can watch traffic live. This should also be possible right off pfsense just use say tcpdump sending to your wireshark running on your pc.. you could do this with a windows machine via plink.exe or via ssh if you have it installed to ssh to the pfsense box, start the tcpdump, etc.
I thought we had gone over that before, but if not can for sure post up an example of how to do it.
That might be a good thing to add to the wiki, if not already there?
-
^^^^
One issue with sending tcpdump or even Wireshark over the wire is you could be affecting the traffic you're trying to monitor. That may or may not be an problem, depending on what you're looking for. When I had a Linux firewall, I could switch my KVM to the firewall computer, start up the desktop and then Wireshark. That computer did not normally have a desktop running, an option you don't get with Windows. However, I now have a managed switch that's small enough to keep in my notebook computer bag, so it's handy when I need it. In fact, I store it in ThinkPad floppy drive case. ;) -
"you could be affecting the traffic you're trying to monitor."
How so? Just don't capture the traffic your using to make the remote connection if capturing the interface your hitting pfsense on, etc.
While I agree with you that having a small switch with the ability to span ports is a great addition to your tool bag. And with gig smart switches beings so cheap now a days its a great thing to have and affordable for even the home enthusiast helping out their buddies, etc.
In this scenario.. Doing a packet capture on pfsense or if want real time via remote, etc. I don't see what that buys us exactly. How does it answer his 401 error problem?
-
"with far more info than the pfSense packet capture provides. "
How is that exactly.. Why would the packet capture in pfsense not see what that the switch would, when pfsense is 1/2 of that conversation anyway??
Clearly your getting a 401 error saying your NOT Authorized…
As to seeing if limiting to IP, I meant if he was limiting his sniff to a specific IP he would not see multicast traffic since it would be to the multicast address not his specific IP like 192.168.0.3 etc..
In the first part of the sniff your client ask for a manifest of something - and you get that just fine.
But then after that you just get 401.. Why have no idea, not sure what exactly your trying to do, other than dvr is giving you 401, and then your client gets something from the dvr. So there are 3 different conversations here all started by your client 192.168.0.3. First one he gets a manifest of something and that conversation is closed with your normal fin,ack , then he starts another conversation gets told 401, and he closes the conversation with RST, then he gets some other info profile.xml and then again he closes the conversation with RST
So that is a bad conversation, or is that a good conversation that works? Where is a good conversation where you start viewing video, since maybe that is sent in a different protocol?? Either way I wouldn't think you would want to see 401 errors.. Do you have to log in or something?? Do devices have to be authed before hand??
Thank you for your interest.
I will have to ask the DVR provider if its need to pre authorized the client, but I suspect that it does not.
I know that have to enter a user/pass combination to connect to the DVR. But that is entered in the client program and I know that its get accepted because if I enter a wrong one the application returns a credentials error. In the case of the packet capture I posted I used the correct user/pass. Also when I connect to the DVR using Internet Explorer I also have to enter the credentials and get accepted.
In IE there is an option to see the stream per channel in jpeg mode. When I select that option I can see each channel in a set of jpegs stream really nice.
The application is to show all channels at the same time probably in full streaming instead of jpegs. Once the credentials are accepted the application starts a loading phase which fails.
-
How so? Just don't capture the traffic your using to make the remote connection if capturing the interface your hitting pfsense on, etc.
If you're running into congestion/timing issues etc. Not common, but possible. As for your traffic, that's one more thing to filter. On my systems, I actually have a button on the display filter bar for a display filter, to not show traffic containing the MAC of the computer I'm running Wireshark on.
How does it answer his 401 error problem?
Problem? What problem??? ;)
Actually, this thread shows how traffic monitoring can be used to help identify a problem. However, that not authorized error indicates the problem is likely not in pfSense.
