[SOLVED] Wireshark Packet Capture not working on Linux | Ubuntu | PopOs

manjotsc · Feb 7, 2020, 4:44 AM

stephenw10 · Feb 3, 2020, 12:52 PM

More info needed!

pfSense version? OS you're connecting from? Wireshark version?

Steve

NogBadTheBad · Feb 3, 2020, 2:36 PM

I tend to run this 172.16.2.20 is the device I'm saving the capture file to:-

andy@mac-pro ~ % ssh root@172.16.0.1 'tcpdump -i igb0 src not 172.16.2.20 and dst not 172.16.2.20 -w -' > ~/172.16.0.1.cap
Password for root@pfsense:
tcpdump: listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C% andy@mac-pro ~ %

Then look at the capture after.

manjotsc · Feb 3, 2020, 9:25 PM

pfSense version = 2.4.4-RELEASE-p3
OS you're connecting from = PopOS
Wireshark version = Version 3.0.5 (Git v3.0.5 packaged as 3.0.5-1)

jimp · Feb 3, 2020, 9:27 PM

The syntax from the docs still works, I tried it today. A few things to watch out for: It assumes your shell is bash, that you have SSH keys and ssh-agent setup, that you are connecting to the firewall using the root account (e.g. root@192.168.1.1), and that wireshark is properly setup on your workstation. That likely includes making sure your user is a member of the wireshark group.

Do not run ssh or wireshark with sudo on your workstation.

manjotsc · Feb 3, 2020, 9:31 PM

@jimp How do I check if my shell is bash or not? I am new to Linux.

JKnott · Feb 3, 2020, 9:33 PM

@manjotsc said in Wireshark Packet Capture not working:

@jimp How do I check if my shell is bash or not? I am new to Linux.

It's normally bash by default. So, unless you changed it, it's bash.

manjotsc · Feb 3, 2020, 9:50 PM

@jimp Working I just changed admin@192.168.40.1 to root@192.168.40.1 , removed sudo and it worked.

Thanks,