    TCPDump. How to create .pcap file with captured traffic?

    Off-Topic & Non-Support Discussion
    • R
      ramses.sevilla last edited by

      Hi all,

      I need to create a .pcap file on my pfSense with the traffic captured from pfSense itself.

      When I execute this command to do that, pfSense gives me an error message:

      tcpdump -i em1 -vv ether host fa:ba:da:00:00:14 -w test.pcap

      Can you tell me what I am doing wrong?

      Regards

      • kiokoman
        kiokoman LAYER 8 last edited by

        it is working fine for me, what error do you have?

        • johnpoz
          johnpoz LAYER 8 Global Moderator last edited by johnpoz

          Just so you know you can just download the captures you do with the gui as well..

          But to your specific question - what error?

          I just ran your exact command (other than changing to one of my NICs, igb0) and it ran fine

          [2.4.4-RELEASE][admin@sg4860.local.lan]/root: tcpdump -i igb0 -vv ether host fa:ba:da:00:00:14 -w test.pcap   
          tcpdump: listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
          ^C0 packets captured
          53 packets received by filter
          0 packets dropped by kernel
          [2.4.4-RELEASE][admin@sg4860.local.lan]/root: 
          
          • R
            ramses.sevilla last edited by

            Sorry, I thought that I had put in the error message.

            It's this message:

            [2.3-RELEASE][admin@pfsense]/root: tcpdump -i em1 -vv ether host host fa:ba:da:00:00:14 -w test.pcap
            tcpdump: syntax error
            [2.3-RELEASE][admin@pfsense]/root:

            If I execute that line in Ubuntu, it works well.

            If I execute this line on the pfSense, it works well:

            [2.3-RELEASE][admin@pfsense]/root: tcpdump -i em1 -vv ether host host fa:ba:da:00:00:14
            tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
            ^C
            0 packets captured
            204503 packets received by filter
            0 packets dropped by kernel
            [2.3-RELEASE][admin@pfsense]/root:

            Regards

            • kiokoman
              kiokoman LAYER 8 last edited by kiokoman

              this is not what you wrote on the first post,
              right:
              tcpdump -i em1 -vv ether host fa:ba:da:00:00:14 -w test.pcap
              wrong:
              tcpdump -i em1 -vv ether host host fa:ba:da:00:00:14
              also "-w test.cap" missing

              • R
                ramses.sevilla last edited by

                @kiokoman sorry,

                It's a copy/paste error.

                The correct command and the error are these:

                [2.3-RELEASE][admin@pfsense]/root: tcpdump -i em1 -vv ether host fa:ba:da:00:00:14 -w test.pcap
                tcpdump: syntax error
                [2.3-RELEASE][admin@pfsense]/root:

                Regards

                • johnpoz
                  johnpoz LAYER 8 Global Moderator last edited by

                  dude you're on pfsense 2.3 -- wow that is OLD and EOL.. you need to update to current

                  • R
                    ramses.sevilla last edited by

                    @johnpoz, yes, I know that pfSense 2.3 is very old and EOL, but it's an inherited installation.

                    I'm trying to clean the residual settings first and to upgrade to the latest version later, first to the 2.4 and to the 2.5 version later.

                    Regards

                    • johnpoz
                      johnpoz LAYER 8 Global Moderator last edited by johnpoz

                      have no idea what version of tcpdump is installed on the 2.3 version - you will have to check your syntax for whatever version that is.

                      here is what is on current 2.4.4p3

                      [2.4.4-RELEASE][admin@sg4860.local.lan]/root: tcpdump --version
                      tcpdump version 4.9.2
                      libpcap version 1.8.1
                      OpenSSL 1.0.2o-freebsd  27 Mar 2018
                      [2.4.4-RELEASE][admin@sg4860.local.lan]/root: 
                      
                      • R
                        ramses.sevilla last edited by

                        Well, the TCPDump version is:

                        [2.3-RELEASE][admin@pfsense]/root: tcpdump --version
                        tcpdump: illegal option -- -
                        tcpdump version 4.4.0
                        libpcap version 1.4.0
                        Usage: tcpdump [-aAbdDefhHIJKlLnNOpqRStuUvxX] [ -B size ] [ -c count ]
                        		[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
                        		[ -i interface ] [ -j tstamptype ] [ -M secret ]
                        		[ -r file ] [ -s snaplen ] [ -T type ] [ -V file ] [ -w file ]
                        		[ -W filecount ] [ -y datalinktype ] [ -z command ]
                        		[ -Z user ] [ expression ]
                        [2.3-RELEASE][admin@pfsense]/root:
                        

                        It doesn't have the "--version" option, but it shows the version anyway.

                        On the other hand, I have already found the cause of the TCPDump error when I try to create a file with the "-w" option.

                        If I put:

                        tcpdump -i em1 -vv -w test.pcap ether host fa:ba:da:00:00:14

                        Instead of:

                        tcpdump -i em1 -vv ether host fa:ba:da:00:00:14 -w test.pcap

                        It works well.

                        [2.3-RELEASE][admin@pfsense]/root: tcpdump -i em1 -vv -w test.pcap ether host fa:ba:da:00:00:14
                        tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
                        Got 0
                        ^C0 packets captured
                        485686 packets received by filter
                        0 packets dropped by kernel
                        [2.3-RELEASE][admin@pfsense]/root:
                        

                        Regards and thanks so much.

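The ordering rule the thread arrived at, as an added shell example that is not any poster's code: a check that flags options placed after the filter expression (the form tcpdump 4.4.0 on pfSense 2.3 rejected with "syntax error") and a helper that rewrites an argument list into the options-first form that both tcpdump versions in the thread accepted. The set of value-taking options is read off the usage text the 2.3 box printed; tokens without whitespace are assumed.

```shell
#!/bin/sh
# Added example, not from the thread. tcpdump 4.4.0 (pfSense 2.3) stops option
# parsing at the first non-option word, so in
#   tcpdump -i em1 -vv ether host fa:ba:da:00:00:14 -w test.pcap
# "-w test.pcap" reaches the filter parser and fails with "tcpdump: syntax error".
# Options taking a value are copied from the usage text 4.4.0 printed above.
VALUE_OPTS="-B -c -C -E -F -G -i -j -M -r -s -T -V -w -W -y -z -Z"

# Return 0 if option $1 expects an argument.
takes_value() {
    case " $VALUE_OPTS " in *" $1 "*) return 0 ;; esac
    return 1
}

# Return 0 if every option precedes the filter expression, 1 otherwise.
# Arguments: the tcpdump argument list without the leading "tcpdump".
check_tcpdump_order() {
    in_filter=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -*)
                if [ "$in_filter" -eq 1 ]; then
                    echo "option after filter expression: $1" >&2
                    return 1
                fi
                # skip the option's value so it is not mistaken for filter text
                if takes_value "$1" && [ $# -gt 1 ]; then shift; fi
                ;;
            *) in_filter=1 ;;
        esac
        shift
    done
    return 0
}

# Print the same invocation with all options moved before the filter, the
# form both tcpdump 4.4.0 and 4.9.2 accept. Tokens must not contain spaces.
reorder_tcpdump_args() {
    opts=""; filt=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -*) opts="$opts $1"
                if takes_value "$1" && [ $# -gt 1 ]; then shift; opts="$opts $1"; fi ;;
            *)  filt="$filt $1" ;;
        esac
        shift
    done
    printf 'tcpdump%s%s\n' "$opts" "$filt"
}
```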
                        • johnpoz
                          johnpoz LAYER 8 Global Moderator last edited by

                          You need to UPDATE... 2.3 is EOL...

                          • R
                            ramses.sevilla @johnpoz last edited by

                            @johnpoz said in TCPDump. How to create .pcap file with captured traffic?:

                            You need to UPDATE... 2.3 is EOL...

                            @johnpoz, yes, I know that pfSense 2.3 is very old and EOL, but it's an inherited installation.

                            I'm trying to clean the residual settings first and to upgrade to the latest version later, first to the 2.4 and to the 2.5 version later.

                            Regards

                            • johnpoz
                              johnpoz LAYER 8 Global Moderator last edited by

                              Yeah I saw - just reminding you ;) heheheh
