TCPDump. How to create .pcap file with captured traffic?

ramses.sevilla

Sorry, I thinked that I had putt the error message.

It's this message:

[2.3-RELEASE][admin@pfsense]/root: tcpdump -i em1 -vv ether host host fa:ba:da:00:00:14 -w test.pcap
tcpdump: syntax error
[2.3-RELEASE][admin@pfsense]/root:

If I execute that line in Ubuntu, It's works well.

If I execute this line in the pfSense, It's works well:

[2.3-RELEASE][admin@pfsense]/root: tcpdump -i em1 -vv ether host host fa:ba:da:00:00:14
tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
0 packets captured
204503 packets received by filter
0 packets dropped by kernel
[2.3-RELEASE][admin@pfsense]/root:

Regards

kiokoman

this is not what you wrote on the first post,
right:
tcpdump -i em1 -vv ether host fa:ba:da:00:00:14 -w test.pcap
wrong:
tcpdump -i em1 -vv ether host host fa:ba:da:00:00:14
also "-w test.cap" missing

ramses.sevilla

@kiokoman sorry,

It's a Copy / Paste error.

The correct command and the error are these:

[2.3-RELEASE][admin@pfsense]/root: tcpdump -i em1 -vv ether host fa:ba:da:00:00:14 -w test.pcap
tcpdump: syntax error
[2.3-RELEASE][admin@pfsense]/root:

Regards

johnpoz

dude your on pfsense 2.3 -- wow that is OLD and EOL.. you need to update to current

ramses.sevilla

@johnpoz, yes, I know that pfSense 2.3 is very old and EOL, but it's an inherited installation.

I'm trying to clean the residual settings first and to upgrade to the latest version later, first to the 2.4 and to the 2.5 version later.

Regards

johnpoz

have no idea what version of tcpdump is installed on the 2.3 version - you will have to check your syntax for whatever version that is.

here is what is on current 2.4.4p3

[2.4.4-RELEASE][admin@sg4860.local.lan]/root: tcpdump --version
tcpdump version 4.9.2
libpcap version 1.8.1
OpenSSL 1.0.2o-freebsd  27 Mar 2018
[2.4.4-RELEASE][admin@sg4860.local.lan]/root: 

ramses.sevilla

Well, the TCPDump versión is:

[2.3-RELEASE][admin@pfsense]/root: tcpdump --version
tcpdump: illegal option -- -
tcpdump version 4.4.0
libpcap version 1.4.0
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqRStuUvxX] [ -B size ] [ -c count ]
		[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
		[ -i interface ] [ -j tstamptype ] [ -M secret ]
		[ -r file ] [ -s snaplen ] [ -T type ] [ -V file ] [ -w file ]
		[ -W filecount ] [ -y datalinktype ] [ -z command ]
		[ -Z user ] [ expression ]
[2.3-RELEASE][admin@pfsense]/root:

Not has the "--version" option but shows the version.

On the other hand, I have already found the problem with the error of TCPDump when I try create a file with the "-w" options.

If I put:

tcpdump -i em1 -vv -w test.pcap ether host fa:ba:da:00:00:14

Instead of:

tcpdump -i em1 -vv ether host fa:ba:da:00:00:14 -w test.pcap

It works well.

[2.3-RELEASE][admin@pfsense]/root: tcpdump -i em1 -vv -w test.pcap ether host fa:ba:da:00:00:14
tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
Got 0
^C0 packets captured
485686 packets received by filter
0 packets dropped by kernel
[2.3-RELEASE][admin@pfsense]/root:

Regards and thanks so much.

johnpoz

You need to UPDATE... 2.3 is EOL...

ramses.sevilla

@johnpoz said in TCPDump. How to create .pcap file with captured traffic?:

You need to UPDATE... 2.3 is EOL...

@johnpoz, yes, I know that pfSense 2.3 is very old and EOL, but it's an inherited installation.

I'm trying to clean the residual settings first and to upgrade to the latest version later, first to the 2.4 and to the 2.5 version later.

Regards

johnpoz

Yeah I saw - just reminding you ;) heheheh