TCPDump. How to create .pcap file with captured traffic?



  • Hi all,

    I need to create a .pcap file on my pfSense with the traffic captured from pfSense itself.

    When I execute this command to do that, pfSense gives me an error message:

    tcpdump -i em1 -vv ether host fa:ba:da:00:00:14 -w test.pcap

    Can you tell me what I am doing wrong?

    Regards


  • LAYER 8

    it is working fine for me, what error do you have?


  • LAYER 8 Global Moderator

    Just so you know, you can just download the captures you do with the GUI as well..

    But to your specific question - what error?

    I just ran your exact command (other than changing to one of my NICs, igb0) and it ran fine

    [2.4.4-RELEASE][admin@sg4860.local.lan]/root: tcpdump -i igb0 -vv ether host fa:ba:da:00:00:14 -w test.pcap   
    tcpdump: listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
    ^C0 packets captured
    53 packets received by filter
    0 packets dropped by kernel
    [2.4.4-RELEASE][admin@sg4860.local.lan]/root: 
    


    Sorry, I thought that I had put in the error message.

    It's this message:

    [2.3-RELEASE][admin@pfsense]/root: tcpdump -i em1 -vv ether host host fa:ba:da:00:00:14 -w test.pcap
    tcpdump: syntax error
    [2.3-RELEASE][admin@pfsense]/root:

    If I execute that line in Ubuntu, it works well.

    If I execute this line on pfSense, it works well:

    [2.3-RELEASE][admin@pfsense]/root: tcpdump -i em1 -vv ether host host fa:ba:da:00:00:14
    tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
    ^C
    0 packets captured
    204503 packets received by filter
    0 packets dropped by kernel
    [2.3-RELEASE][admin@pfsense]/root:

    Regards


  • LAYER 8

    this is not what you wrote on the first post,
    right:
    tcpdump -i em1 -vv ether host fa:ba:da:00:00:14 -w test.pcap
    wrong:
    tcpdump -i em1 -vv ether host host fa:ba:da:00:00:14
    also "-w test.pcap" is missing



  • @kiokoman sorry,

    It's a copy/paste error.

    The correct command and the error are these:

    [2.3-RELEASE][admin@pfsense]/root: tcpdump -i em1 -vv ether host fa:ba:da:00:00:14 -w test.pcap
    tcpdump: syntax error
    [2.3-RELEASE][admin@pfsense]/root:

    Regards


  • LAYER 8 Global Moderator

    dude you're on pfSense 2.3 -- wow that is OLD and EOL.. you need to update to current



  • @johnpoz, yes, I know that pfSense 2.3 is very old and EOL, but it's an inherited installation.

    I'm trying to clean up the residual settings first and upgrade to the latest version later, first to 2.4 and then to 2.5.

    Regards


  • LAYER 8 Global Moderator

    I have no idea what version of tcpdump is installed on the 2.3 version - you will have to check your syntax for whatever version that is.

    here is what is on current 2.4.4p3

    [2.4.4-RELEASE][admin@sg4860.local.lan]/root: tcpdump --version
    tcpdump version 4.9.2
    libpcap version 1.8.1
    OpenSSL 1.0.2o-freebsd  27 Mar 2018
    [2.4.4-RELEASE][admin@sg4860.local.lan]/root: 
    


    Well, the TCPDump version is:

    [2.3-RELEASE][admin@pfsense]/root: tcpdump --version
    tcpdump: illegal option -- -
    tcpdump version 4.4.0
    libpcap version 1.4.0
    Usage: tcpdump [-aAbdDefhHIJKlLnNOpqRStuUvxX] [ -B size ] [ -c count ]
    		[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
    		[ -i interface ] [ -j tstamptype ] [ -M secret ]
    		[ -r file ] [ -s snaplen ] [ -T type ] [ -V file ] [ -w file ]
    		[ -W filecount ] [ -y datalinktype ] [ -z command ]
    		[ -Z user ] [ expression ]
    [2.3-RELEASE][admin@pfsense]/root:
    

    It doesn't have the "--version" option but shows the version.

    On the other hand, I have already found the cause of the TCPDump error when I try to create a file with the "-w" option.

    If I put:

    tcpdump -i em1 -vv -w test.pcap ether host fa:ba:da:00:00:14

    Instead of:

    tcpdump -i em1 -vv ether host fa:ba:da:00:00:14 -w test.pcap

    It works well.

    [2.3-RELEASE][admin@pfsense]/root: tcpdump -i em1 -vv -w test.pcap ether host fa:ba:da:00:00:14
    tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
    Got 0
    ^C0 packets captured
    485686 packets received by filter
    0 packets dropped by kernel
    [2.3-RELEASE][admin@pfsense]/root:
    

    Regards and thanks so much.

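The fix found above is an argument-ordering rule: in older tcpdump (4.4.0 on pfSense 2.3) every option, including -w, has to come before the BPF filter expression, because anything after the first non-option word is handed to the filter compiler and a trailing "-w test.pcap" becomes "tcpdump: syntax error". The sh wrapper below is an added example, not code from the thread or from pfSense. It checks a tcpdump argument list for that misordering, builds a correctly ordered capture command, and only then runs it. The function names (check_tcpdump_args, build_capture_cmd, capture_to_pcap) are my own; the -nn option (no name or port lookups while capturing on the firewall) is an addition not present in the original command, and the list of options that take an argument is read off the usage line tcpdump 4.4.0 printed above.

```shell
#!/bin/sh
# Added example: keep tcpdump options in front of the filter expression.
# Option letters that consume the following argv word, taken from the
# usage line printed by tcpdump 4.4.0 in the thread above.
OPTS_WITH_ARG="B c C E F G i j M r s T V w W y z Z"

opt_takes_arg() {
    # $1: a single option letter; success if it consumes the next word
    for o in $OPTS_WITH_ARG; do
        [ "$1" = "$o" ] && return 0
    done
    return 1
}

# check_tcpdump_args ARGS...
# Succeeds when every option precedes the filter expression; fails (naming
# the misplaced word) when an option-looking word follows the expression,
# which is exactly what old tcpdump reports as "syntax error".
check_tcpdump_args() {
    in_expr=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -?*)
                if [ "$in_expr" -eq 1 ]; then
                    echo "misordered: '$1' appears after the filter expression" >&2
                    return 1
                fi
                # last letter of a cluster such as -nni or -vv decides
                # whether the next word is that option's argument
                last="${1#"${1%?}"}"
                if opt_takes_arg "$last"; then
                    if [ $# -gt 1 ]; then shift; fi
                fi
                ;;
            *)
                in_expr=1
                ;;
        esac
        shift
    done
    return 0
}

# build_capture_cmd IFACE OUTFILE FILTER...
# Prints the command line with options first and the filter last.
build_capture_cmd() {
    iface=$1; outfile=$2; shift 2
    printf 'tcpdump -nn -i %s -w %s' "$iface" "$outfile"
    for word in "$@"; do
        printf ' %s' "$word"
    done
    printf '\n'
}

# capture_to_pcap IFACE OUTFILE FILTER...
# Validates the ordering, then starts the capture (Ctrl-C stops it).
capture_to_pcap() {
    iface=$1; outfile=$2; shift 2
    set -- -nn -i "$iface" -w "$outfile" "$@"
    check_tcpdump_args "$@" || return 1
    tcpdump "$@"
}

# Example invocation, hypothetical interface and MAC from the thread:
#   capture_to_pcap em1 /root/test.pcap ether host fa:ba:da:00:00:14
```

Read the result back with `tcpdump -nn -r /root/test.pcap` or open it in Wireshark. On a firewall, bound the capture with `-c COUNT` or `-C file_size` (both precede the filter, so the checker accepts them) so a busy interface cannot fill the root filesystem while you are watching the counters.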

  • LAYER 8 Global Moderator

    You need to UPDATE... 2.3 is EOL...



  • @johnpoz said in TCPDump. How to create .pcap file with captured traffic?:

    You need to UPDATE... 2.3 is EOL...

    @johnpoz, yes, I know that pfSense 2.3 is very old and EOL, but it's an inherited installation.

    I'm trying to clean up the residual settings first and upgrade to the latest version later, first to 2.4 and then to 2.5.

    Regards


  • LAYER 8 Global Moderator

    Yeah I saw - just reminding you ;) heheheh

