Netgate Discussion Forum

    Intel 10GB NIC tcpdump

    General pfSense Questions
      michaelschefczyk

      Dear All,

      Please let me know if it is possible to use tcpdump with Intel 10GB ethernet NICs under 2.4.4-RELEASE-p2 (amd64) as it used to be possible with 1GB cards.

      I have one security sensitive VLAN with little traffic, where I would like to trace packets. For a long time, I used shellcmd

      tcpdump -pni lagg0.7 -s40 -G3600 -z gzip -w /tcpdump/captureVlan7-%F--%H-%M-%S.pcap

      Now, I have upgraded all LAN connections to 10GB Ethernet in two variants. Most servers are C3858. Their onboard NICs are:

      "Ethernet Connection X553/X557-AT 10GBASE-T"

      One remaining server is C2757 with an addon card:

      "Ethernet Controller 10G X550T"

      Since upgrading to 10GB, booting does not go beyond the shellcmd. The console does not end with the usual welcome greeting listing networks and options. It is rather stuck at:

      tcpdump: listening on lagg0.7, link-type EN10MB (Ethernet), capture size 40 bytes

      Without success, I did try all tuning and troubleshooting steps listed for ix cards under https://www.netgate.com/docs/pfsense/hardware/tuning-and-troubleshooting-network-cards.html?highlight=ixgbe

      Regards,

      Michael

        stephenw10 Netgate Administrator

        There is no difference as far as I'm aware. I've run packet captures on 10G NICs hundreds of times.

        You are starting a tcpdump from a shellcmd?

        What command are you using exactly? Why are you doing that?

        Does it continue to boot once the dump is complete?

        Steve

          michaelschefczyk

          Dear Steve,

          The method is "shellcmd" from the shellcmd package. The command I used to use is:

          tcpdump -pni lagg0.7 -s40 -G3600 -z gzip -w /tcpdump/captureVlan7-%F--%H-%M-%S.pcap

          As far as I understand, the command runs indefinitely creating new files after 3600 seconds (option -G3600).

          I am doing this because I suspect an increased risk of fetching a trojan in that subnet. For that case, I would like to retain the first bytes of packets.

          Booting used to continue after kicking off the tcpdump process. Currently, the last entry on the command line is

          tcpdump: listening on lagg0.7, link-type EN10MB (Ethernet), capture size 40 bytes

          Further start actions are not executed, i.e., many services will not start automatically.

          Regards,

          Michael

            stephenw10 Netgate Administrator

            Hmm, so the command remained the same? Just the interfaces in lagg0 that changed?

            Steve
