Netgate Discussion Forum
    Packet Capture

    General pfSense Questions
    deanfourie:

      Hey is anyone able to take a look through some captures with me?

      Thanks

    stephenw10 (Netgate Administrator):

        Going to need more info. 😉

        What are the captures of? What are you looking for in them?

        Steve

    deanfourie @stephenw10:

          @stephenw10 would just be great to go over some, also for education so I can learn how to really deep dive into packet analysis, like reading payloads etc.

          Can't actually find any solid videos online

    JKnott @deanfourie:

            @deanfourie

            Use Wireshark to examine the captures. Go through them, comparing what you see with what you know or can look up. Until you have a specific issue, it's hard to tell you what to do.

            BTW, there are some Wireshark videos on YouTube.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

    deanfourie @JKnott:

              @jknott Yeah, I'm just looking to try to identify things like what is NATted traffic vs what is not NATted traffic. What is traffic that is actually traffic, like having a heavy or no payload etc.

              I can't find any videos that go over this sort of depth. Only things like source and destination addresses etc.

              Thanks

    JKnott @deanfourie:

                @deanfourie

                I don't think you'll learn that from packet captures. You have to understand what you're looking at. For example, other than address & port, there's no difference with NAT. What do you mean by "heavy" payload? If large transfer, then you're looking at how many packets, etc. What you're looking at with packet captures is largely just the contents. You can check addresses and port numbers, see what the contents are, etc., but that requires understanding what the various things are, which means you need an understanding of things like IP, TCP, UDP, etc. When you use Wireshark, you can expand the frames to understand what they are.

                For example, here I told Wireshark to filter on ICMP6:

                [image: Wireshark packet list filtered on ICMP6]

                I then expanded one frame to show its contents:

                [image: expanded frame details in Wireshark]

                By going through this, I can see what the frame contains, what it's doing and more. However, I still need an understanding of what I'm looking at. On one occasion, I had a problem with IPv6. By examining the DHCPv6 packets, I was able to identify the problem as coming from my ISP and was even able to identify, by host name, the failing piece of equipment at my ISP. However, I would not have been able to do that without a good background on TCP/IP networking.

                To actually capture packets, you can use Wireshark or Packet Capture, which is included with pfSense. I have used both many, many times. Those videos may show you how to capture frames on your network, but you still have to understand what you're looking at, to make use of it. For example, you were asking about NAT. There is nothing in a frame that says NAT is involved. By comparing packets from either side of NAT you will see the addresses and port numbers have changed, but nothing else different that's relevant.

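An added example (not from the thread or from pfSense) of the comparison JKnott describes: two constructed captures of the same TCP connection, one taken on the LAN side and one on the WAN side of an outbound NAT, are paired on the fields NAT does not rewrite (IP ID, TCP sequence/ack numbers, flags, payload length), which both reveals the inside-to-outside address/port translation and lets each packet be tagged as header-only or data-carrying. The `Pkt` field names and the sample addresses are assumptions for the example.

```python
# Added example, not code from the thread or from pfSense.
# Outbound NAT rewrites only the inside address/port (and checksums), so
# the fields that survive translation let a LAN-side capture be paired
# with its WAN-side copy packet by packet.
from collections import namedtuple

# One parsed packet; assumed field names, as Wireshark would show them.
Pkt = namedtuple("Pkt", "src sport dst dport ip_id seq ack flags plen")

# Constructed sample captures: LAN host 192.168.1.10 opens a TLS session
# through a NAT whose WAN address is 203.0.113.5 (addresses are made up).
LAN = [
    Pkt("192.168.1.10", 51234, "198.51.100.7", 443, 0x1A2B, 1000, 0, "S", 0),
    Pkt("198.51.100.7", 443, "192.168.1.10", 51234, 0x0000, 5000, 1001, "SA", 0),
    Pkt("192.168.1.10", 51234, "198.51.100.7", 443, 0x1A2C, 1001, 5001, "A", 0),
    Pkt("192.168.1.10", 51234, "198.51.100.7", 443, 0x1A2D, 1001, 5001, "PA", 517),
]
WAN = [
    Pkt("203.0.113.5", 60001, "198.51.100.7", 443, 0x1A2B, 1000, 0, "S", 0),
    Pkt("198.51.100.7", 443, "203.0.113.5", 60001, 0x0000, 5000, 1001, "SA", 0),
    Pkt("203.0.113.5", 60001, "198.51.100.7", 443, 0x1A2C, 1001, 5001, "A", 0),
    Pkt("203.0.113.5", 60001, "198.51.100.7", 443, 0x1A2D, 1001, 5001, "PA", 517),
]

def invariant(p):
    """Fields NAT leaves untouched in either direction: the pairing key."""
    return (p.ip_id, p.seq, p.ack, p.flags, p.plen)

def nat_map(lan, wan):
    """Return {(inside_addr, inside_port): (outside_addr, outside_port)}.

    Outbound packets differ in src, inbound packets in dst; both cases
    yield the same inside-to-outside translation entry.
    """
    wan_by_key = {invariant(q): q for q in wan}
    mapping = {}
    for p in lan:
        q = wan_by_key.get(invariant(p))
        if q is None:
            continue  # no counterpart on the other side of the NAT
        if (p.src, p.sport) != (q.src, q.sport):
            mapping[(p.src, p.sport)] = (q.src, q.sport)
        if (p.dst, p.dport) != (q.dst, q.dport):
            mapping[(p.dst, p.dport)] = (q.dst, q.dport)
    return mapping

def payload_kind(p):
    """'control' = header-only segment (SYN, ACK...), 'data' = carries bytes."""
    return "data" if p.plen > 0 else "control"
```

Running `nat_map(LAN, WAN)` on the sample yields a single entry mapping 192.168.1.10:51234 to 203.0.113.5:60001, which is all the evidence of NAT the captures contain.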
    JKnott @deanfourie:

                  @deanfourie

                  Here's a good reference for TCP/IP:

                  TCP/IP Tutorial and Technical Overview

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.