TCPDump. How to create .pcap file with captured traffic?

ramses.sevilla

Hi all,

I need create a .pcap file in my pfSense with the captured traffic from pfSense itself.

I execute this command to do that, the pfSense give me a error message:

tcpdump -i em1 -vv ether host fa:ba:da:00:00:14 -w test.pcap

Can you tell me what I am doing wrong?

Regards

kiokoman

it is working fine for me, what error do you have?

johnpoz

Just so you know you can just download the captures you do with the gui as well..

But to your specific question - what error?

I just run your exact command (other than changing to one of my nics igb0) and ran fine

[2.4.4-RELEASE][admin@sg4860.local.lan]/root: tcpdump -i igb0 -vv ether host fa:ba:da:00:00:14 -w test.pcap   
tcpdump: listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C0 packets captured
53 packets received by filter
0 packets dropped by kernel
[2.4.4-RELEASE][admin@sg4860.local.lan]/root: 

ramses.sevilla

Sorry, I thinked that I had putt the error message.

It's this message:

[2.3-RELEASE][admin@pfsense]/root: tcpdump -i em1 -vv ether host host fa:ba:da:00:00:14 -w test.pcap
tcpdump: syntax error
[2.3-RELEASE][admin@pfsense]/root:

If I execute that line in Ubuntu, It's works well.

If I execute this line in the pfSense, It's works well:

[2.3-RELEASE][admin@pfsense]/root: tcpdump -i em1 -vv ether host host fa:ba:da:00:00:14
tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
0 packets captured
204503 packets received by filter
0 packets dropped by kernel
[2.3-RELEASE][admin@pfsense]/root:

Regards

kiokoman

this is not what you wrote on the first post,
right:
tcpdump -i em1 -vv ether host fa:ba:da:00:00:14 -w test.pcap
wrong:
tcpdump -i em1 -vv ether host host fa:ba:da:00:00:14
also "-w test.cap" missing

ramses.sevilla

@kiokoman sorry,

It's a Copy / Paste error.

The correct command and the error are these:

[2.3-RELEASE][admin@pfsense]/root: tcpdump -i em1 -vv ether host fa:ba:da:00:00:14 -w test.pcap
tcpdump: syntax error
[2.3-RELEASE][admin@pfsense]/root:

Regards

johnpoz

dude your on pfsense 2.3 -- wow that is OLD and EOL.. you need to update to current

ramses.sevilla

@johnpoz, yes, I know that pfSense 2.3 is very old and EOL, but it's an inherited installation.

I'm trying to clean the residual settings first and to upgrade to the latest version later, first to the 2.4 and to the 2.5 version later.

Regards

johnpoz

have no idea what version of tcpdump is installed on the 2.3 version - you will have to check your syntax for whatever version that is.

here is what is on current 2.4.4p3

[2.4.4-RELEASE][admin@sg4860.local.lan]/root: tcpdump --version
tcpdump version 4.9.2
libpcap version 1.8.1
OpenSSL 1.0.2o-freebsd  27 Mar 2018
[2.4.4-RELEASE][admin@sg4860.local.lan]/root: 

ramses.sevilla

Well, the TCPDump versión is:

[2.3-RELEASE][admin@pfsense]/root: tcpdump --version
tcpdump: illegal option -- -
tcpdump version 4.4.0
libpcap version 1.4.0
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqRStuUvxX] [ -B size ] [ -c count ]
		[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
		[ -i interface ] [ -j tstamptype ] [ -M secret ]
		[ -r file ] [ -s snaplen ] [ -T type ] [ -V file ] [ -w file ]
		[ -W filecount ] [ -y datalinktype ] [ -z command ]
		[ -Z user ] [ expression ]
[2.3-RELEASE][admin@pfsense]/root:

Not has the "--version" option but shows the version.

On the other hand, I have already found the problem with the error of TCPDump when I try create a file with the "-w" options.

If I put:

tcpdump -i em1 -vv -w test.pcap ether host fa:ba:da:00:00:14

Instead of:

tcpdump -i em1 -vv ether host fa:ba:da:00:00:14 -w test.pcap

It works well.

[2.3-RELEASE][admin@pfsense]/root: tcpdump -i em1 -vv -w test.pcap ether host fa:ba:da:00:00:14
tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
Got 0
^C0 packets captured
485686 packets received by filter
0 packets dropped by kernel
[2.3-RELEASE][admin@pfsense]/root:

Regards and thanks so much.

johnpoz

You need to UPDATE... 2.3 is EOL...

ramses.sevilla

@johnpoz said in TCPDump. How to create .pcap file with captured traffic?:

You need to UPDATE... 2.3 is EOL...

@johnpoz, yes, I know that pfSense 2.3 is very old and EOL, but it's an inherited installation.

I'm trying to clean the residual settings first and to upgrade to the latest version later, first to the 2.4 and to the 2.5 version later.

Regards

johnpoz

Yeah I saw - just reminding you ;) heheheh