Wireshark on WAN

  • I'm running pfsense on a hyper-v server. The WAN interface of pfsense is connected to a virtual switch, which is connected to a physical NIC. I'm trying to use wireshark to collect ipv6 packets on the WAN interface. I can collect ipv4 packets, but not ipv6 packets. (I've tested it on the LAN and it works fine there.)

    Wireshark is installed on a windows 10 client, which is also running on the hyper-v server. My ISP allocates an ipv4 address, but for ipv6 it only allocates a prefix, not an ipv6 address. When I boot the client while it's connected to the WAN interface, it gets an ipv4 address and there is ipv4 connectivity, but no ipv6 address or ipv6 connectivity, as expected. I'm wondering if the reason is that there is no ipv6 connectivity. I've tried disabling the firewall but it makes no difference.

    Does wireshark require the pc it's running on to have an allocated ipv6 address to be able to collect ipv6 packets? If anyone has a suggestion to get this working, I'd appreciate hearing it.

  • If it is in promiscuous mode I wouldn't think an IP address would be needed.  But I'm just guessing at that.

  • Is the IPv6 stack loaded?  That would probably be necessary.  And if it is shouldn't there be a link local IPv6 address?

    This is Windows 8.1 but would expect similar for Windows 10.

    Wireless LAN adapter Wi-Fi:
       Connection-specific DNS Suffix  . : home
       Link-local IPv6 Address . . . . . : fe80::995e:ad47:dcb2:3c82%3
       IPv4 Address. . . . . . . . . . . :
       Subnet Mask . . . . . . . . . . . :
       Default Gateway . . . . . . . . . :

  • The pc has an ipv6 link-local address. I tried running it again and this time, captured icmpv6 and dhcpv6 packets. I'm not sure what I did differently, but I guess I need to RTFM about capture filters.

  • I wasn't capturing all of the expected packets. I found a feature in hyper-v to allow a port to be mirrored. I enabled that feature and now I'm able to capture all of the traffic from the pfsense wan interface. (The interface to be monitored is set up as a mirror source. The interface used to listen is set up as a mirror destination.)

  • I find remote capturing easier than setting up mirrors and having to physically attach a capture machine etc.  Especially with VLANs, mirrors on some switches can be tricky as they may strip the tag.  Low end consumer class switches especially may strip the tag on the mirror for egress but not ingress or vice versa, making the capture filter have to be configured for both tagged and untagged.

    Anyway I prefer remote capturing for pfSense interfaces.  Check these out if it sounds like something you'd be interested in.

    Remote Packet Capture

    Using tcpdump to capture traffic remotely but save output to a local file

    Long term traffic capture with tcpdump over netcat

    And this one from Jim is pretty slick too.
    Re: Install Wireshark on 2.3.1

    What I like about my plink setup is that it uses the SSH auth key and is all automatic.
    I have a file with some pre-canned commands.  Just select the one closest to what I need, modify the tcpdump capture filter and execute.

    Biggest drawback I've experienced is not being able to stop/restart a packet capture.
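    As an added illustration of the remote-capture approach described in the post above (this is example code, not a script from the thread or from pfSense), the shell snippet below runs tcpdump on the pfSense box over SSH and streams the pcap into a local Wireshark, with the capture filter wrapped so it matches IPv6 whether or not an 802.1Q tag survives. The host name, SSH user and WAN interface name (hn0 is the usual Hyper-V NIC name in FreeBSD, but it is an assumption here) are placeholders.

```shell
#!/bin/sh
# Added example: live remote capture of the pfSense WAN into a local Wireshark.
# Placeholders (assumptions, override via environment): host, user, WAN interface.
PFSENSE_HOST="${PFSENSE_HOST:-pfsense.example.invalid}"
SSH_USER="${SSH_USER:-admin}"
WAN_IF="${WAN_IF:-hn0}"

# Wrap a BPF expression so it matches both untagged frames and frames that still
# carry an 802.1Q tag (the 'vlan' keyword shifts offsets, so it goes last).
tagged_or_untagged() {
    printf '(%s) or (vlan and (%s))' "$1" "$1"
}

# Remote side: -U flushes per packet, -s 0 keeps whole frames, -n skips DNS,
# -w - writes pcap to stdout; the filter travels as one single-quoted argument.
remote_tcpdump_cmd() {
    iface=$1
    filter=$2
    printf "tcpdump -i %s -U -s 0 -n -w - '%s'" "$iface" "$filter"
}

# Local side: Wireshark reads the pcap stream from stdin (-i -) and starts
# capturing immediately (-k).
capture_pipeline() {
    printf 'ssh %s@%s "%s" | wireshark -k -i -' \
        "$SSH_USER" "$PFSENSE_HOST" "$(remote_tcpdump_cmd "$WAN_IF" "$1")"
}

# Usage: ./wan-capture.sh --run   (anything else just prints the pipeline)
if [ "${1:-}" = "--run" ]; then
    eval "$(capture_pipeline "$(tagged_or_untagged ip6)")"
else
    echo "Would run:"
    capture_pipeline "$(tagged_or_untagged ip6)"
    echo
fi
```

    Key-based SSH auth (as the post's plink setup uses) keeps the pipeline non-interactive; to stop the capture, close Wireshark and the remote tcpdump exits on the broken pipe.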

  • Thanks for the info. I didn't realize that was possible. For now, since I can relatively easily accomplish my objective using mirroring to another virtual host, I'll stick with it, but it's nice to know there are better solutions.
