Install Wireshark on 2.3.1



  • I recently installed pfsense 2.3.1 and it appears to work well.  However, I'd like to install Wireshark.  I found instructions that use the pkg_add command, but that command does not appear to be available on my system (pkg is).  I have also seen posts that indicate pkg_add won't work on recent versions of pfsense.  So, how does one install Wireshark on this version?

    tnx jk



  • pkg install
    


  • Unfortunately, that's not enough, as Wireshark is not included with pfsense.  Apparently, I have to find it somewhere and then install it.  I have lots of experience with Linux, including building from source, but none with FreeBSD.  I also get the impression many of the tools needed are not included with pfsense.



  • No it's not. You'll have to do the install yourself if that's what you want.



  • That is what I'm trying to figure out how to do.  As I mentioned, I'm quite familiar with Linux, but not FreeBSD, and it appears some of the tools one might use are not included with pfsense.  That's why I'm asking for help on how to do this.  If I already knew, I wouldn't be asking.


  •

    Downloading packet captures from your firewall to view in Wireshark on your management workstation is not sufficient?



  • Sometimes I want to see at the firewall.  Also, some devices cannot run Wireshark.  My firewall had been running openSUSE Linux for years and it was no problem to install Wireshark & run it on there.  The only reason I switched to pfsense is openSUSE doesn't yet support dhcpv6-pd, which is necessary to get an IPv6 prefix, from my ISP, on my network.

    BTW, this is the article I found to install Wireshark on an earlier version of pfsense but, as I mentioned, the instructions don't work on 2.3.1.
    https://turbofuture.com/computers/How-to-Run-Wireshark-on-pfSense-Using-X11-Forwarding-Over-SSH

    I'd like to find something similar for 2.3.1.



  • I agree with derelict on just sending the captures towards a remote client, but if you insist you could try the below AT YOUR OWN RISK:

    64bit

    pkg add http://pkg.freebsd.org/freebsd:10:x86:64/release_3/All/wireshark-2.0.2.txz
    

    32bit

    pkg add http://pkg.freebsd.org/freebsd:10:x86:32/release_3/All/wireshark-2.0.2.txz
    

    I have not tried this; chances are you'll be missing dependencies that you'd need to add manually.



  • Why install all that?  Can't the same thing be accomplished with an ssh tunnel and netcat or plink, or other ssh tools at the client end?

    pfSense already has tcpdump and ssh.  Nothing more should be needed on the pfSense end.

    All that really should be needed is to establish an ssh tunnel, run a remote tcpdump command and pipe it to wireshark or whatever tool is being used on the client.

    Remote Packet Capture
    https://forum.pfsense.org/index.php?topic=89917.msg497700

    Long term traffic capture with tcpdump over netcat
    https://forum.pfsense.org/index.php?topic=108668.msg607063#msg607063



  • I have found this site that contains both wireshark and xauth.  Hopefully they'll do the trick.  They do seem a bit old though.

    http://ftpmirror.your.org/pub/FreeBSD-Unofficial-Packages/100amd64-default/All/



  • I have not tried this; chances are you'll be missing dependencies that you'd need to add manually.

    I found one already for xauth, gdk-pixbuf2.


  •

    Do not install wireshark (or anything that needs/wants X11) anywhere near a firewall. Horrible idea.

    You can pipe tcpdump data to wireshark over SSH, which is much better than attempting to put X11 binaries on the firewall. IIRC you could maybe use tshark to do similar (or more) things, like shown on https://www.howtoforge.com/wireshark-remote-capturing or with something like:

    # wireshark -k -i <(ssh root@192.168.1.1 tcpdump -i igb1 -U -w - not tcp port 22)
    

    You'll need ssh setup to use key-based auth so you don't get a password prompt, and ssh-agent so you don't get an interactive prompt for the key.
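    As an added example (not posted by anyone in this thread), here is a small POSIX shell wrapper around the tcpdump-over-SSH approach described above. Its value over the one-liner is that it always excludes the SSH port actually in use from the capture (otherwise the stream of the capture being transferred is itself captured, and the capture grows without bound), refuses to run with anything other than key-based auth so the pipe can never hang on a password prompt, and rejects interface names that would be interpreted by the remote shell. The host 192.168.1.1, the interface name igb1 and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: stream a live tcpdump capture from a pfSense firewall to
# Wireshark running on the management workstation, over SSH. Not from the
# original thread; hostnames, interface names and ports are assumed values.

# Only allow interface names made of letters, digits, '_' and '.', since the
# name is interpolated into a command run by the remote shell.
is_safe_token() {
    case "$1" in
        ''|*[!A-Za-z0-9_.]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build the tcpdump filter. The SSH session carrying the capture is always
# excluded; any extra user filter is AND-ed in parentheses.
build_filter() {
    ssh_port="$1"
    extra="$2"
    if [ -n "$extra" ]; then
        printf 'not tcp port %s and (%s)' "$ssh_port" "$extra"
    else
        printf 'not tcp port %s' "$ssh_port"
    fi
}

# Build the command string executed on the firewall. -U flushes each packet
# immediately, -s 0 captures full frames, -w - writes pcap to stdout, and the
# filter is single-quoted so the remote shell passes it to tcpdump verbatim.
build_remote_cmd() {
    iface="$1"
    filter="$2"
    printf "tcpdump -n -i %s -U -s 0 -w - '%s'" "$iface" "$filter"
}

# remote_capture HOST IFACE [SSH_PORT] [EXTRA_FILTER]
# Runs tcpdump on HOST and feeds the pcap stream into Wireshark (-i - reads a
# capture from stdin, -k starts immediately). tshark -r - works the same way
# for a headless viewer.
remote_capture() {
    host="$1"
    iface="$2"
    ssh_port="${3:-22}"
    extra="$4"
    if ! is_safe_token "$iface"; then
        echo "refusing unsafe interface name: $iface" >&2
        return 2
    fi
    filter=$(build_filter "$ssh_port" "$extra")
    remote_cmd=$(build_remote_cmd "$iface" "$filter")
    # BatchMode=yes makes ssh fail instead of prompting for a password, so the
    # pipeline never blocks on terminal input; keys must come from ssh-agent.
    ssh -o BatchMode=yes -p "$ssh_port" "root@$host" "$remote_cmd" \
        | wireshark -k -i -
}

# Example invocation (assumed values): capture everything except DNS noise.
#   ./remote_capture.sh 192.168.1.1 igb1 22 'not udp port 53'
if [ "$#" -ge 2 ]; then
    remote_capture "$@"
fi
```

    Because the capture pipeline starts only when at least two arguments are given, the file can also be sourced to reuse the helper functions from another script.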



  • Yes, what jimp said. The dependencies required to get Wireshark running are absurdly long and you'll almost certainly break something. tcpdump is there, and all you need on that system.


  •

    Good time to share this absolutely cool post by Grünsfröschli:

    https://forum.pfsense.org/index.php?topic=107605.0

    :-D