Netgate Discussion Forum

    tcpdump v4.99.4 from pfSense 2.7.2 does not honour local timezone

    General pfSense Questions
    • pfthbst

      Hi,
      I have encountered that tcpdump v4.99.4 from pfSense v2.7.2 does not honour local timezone.

      I've seen this behavior discussed at
      https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273807

      FreeBSD Ports Collection already contains the patched tcpdump v4.99.4_1

      When can CE users expect the update/patch to tcpdump v4.99.4_1?
      Or how can I properly update the version myself?

      Thank you in advance!

      • stephenw10 Netgate Administrator

        The fix is in dev so it will be in the next release: https://github.com/pfsense/FreeBSD-src/commits/devel-main/contrib/tcpdump

        • pfthbst

          What is a safe method to replace tcpdump v4.99.4 with tcpdump v4.99.5

          I plan to install it from:
          https://pkg.freebsd.org/FreeBSD:14:amd64/latest/All/tcpdump-4.99.5.pkg

          tcpdump v4.99.5 requires 'libsmi'
          (during installation it says: "tcpdump has a missing dependency: libsmi")

          So, I plan to install it from:
          https://pkg.freebsd.org/FreeBSD:14:amd64/latest/All/libsmi-0.4.8_2.pkg

          Is this all safe for the integrity of the pfSense?

          • Gertjan @pfthbst

            @pfthbst said in tcpdump v4.99.4 from pfSense 2.7.2 does not honour local timezone:

            Is this all safe for the integrity of the pfSense?

            You tell us ^^

            The FreeBSD package for pfSense was most probably compiled without "libsmi" support.

            [24.11-RELEASE][root@pfSense.bhf.tld]/root: ldd /usr/sbin/tcpdump
            /usr/sbin/tcpdump:
                    libpcap.so.8 => /lib/libpcap.so.8 (0xc70fac64000)
                    libcasper.so.1 => /lib/libcasper.so.1 (0xc70fb94f000)
                    libcap_dns.so.2 => /lib/libcap_dns.so.2 (0xc70fd8a3000)
                    libcrypto.so.30 => /lib/libcrypto.so.30 (0xc70fe278000)
                    libc.so.7 => /lib/libc.so.7 (0xc70fee59000)
                    libibverbs.so.1 => /lib/libibverbs.so.1 (0xc7100155000)
                    libmlx5.so.1 => /lib/libmlx5.so.1 (0xc7100ffb000)
                    libnv.so.1 => /lib/libnv.so.1 (0xc7101f8b000)
                    libthr.so.3 => /lib/libthr.so.3 (0xc7102cae000)
                    libsys.so.7 => /lib/libsys.so.7 (0xc7102e6c000)
                    [vdso] (0xc70fab77000)
            

            You could install a native FreeBSD, get as close as possible to the "14.x" that pfSense uses.
            Then build your own tcpdump.

            Btw : Imho : Probably not worth it just to correct a time stamp ...

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            • pfthbst @Gertjan

              @Gertjan

              What I did.


              $ mkdir -p /usr/temp/packages/tcpdump
              $ fetch -o /usr/temp/packages/tcpdump https://pkg.freebsd.org/FreeBSD:14:amd64/latest/All/tcpdump-4.99.5.pkg
              /usr/temp/packages/tcpdump/tcpdump-4.99.5.pkg 426 kB 1955 kBps 00s


              $ pkg info -F /usr/temp/packages/tcpdump/tcpdump-4.99.5.pkg
              tcpdump-4.99.5
              Name : tcpdump
              Version : 4.99.5
              Origin : net/tcpdump
              Architecture : FreeBSD:14:amd64
              Prefix : /usr/local
              Categories : net
              Licenses : BSD3CLAUSE
              Maintainer : garga@FreeBSD.org
              WWW : https://www.tcpdump.org/
              Comment : Ubiquitous network traffic analysis tool
              Options :
              CHROOT : off
              CRYPTO : on
              SMB : on
              SMI : on
              USER : off
              Shared Libs required:
              libpcap.so.1
              libcasper.so.1
              libcap_dns.so.2
              libcrypto.so.30
              libc.so.7
              Annotations :
              build_timestamp: 2025-01-30T20:32:03+0000
              ports_top_git_hash: 182ff2d0ad
              ports_top_checkout_unclean: no
              port_git_hash : ae2a199510
              port_checkout_unclean: no
              built_by : poudriere-git-3.4.2
              cpe : cpe:2.3:a:tcpdump:tcpdump:4.99.5:::::freebsd14:x64
              FreeBSD_version: 1401000
              Flat size : 1.10MiB
              Description :
              tcpdump is a ubiquitous network traffic capture tool available in a wide
              variety of BSD, Linux and UN*X distributions.

              Whilst FreeBSD has a vendor branch import of tcpdump in its source tree,
              the purpose of the port is to provide a means of offering additional,
              bleeding-edge features which might not make it into the tree.


              $ pkg install /usr/temp/packages/tcpdump/tcpdump-4.99.5.pkg
              Updating pfSense-core repository catalogue...
              Fetching meta.conf: 0%
              Fetching packagesite.pkg: 0%
              pfSense-core repository is up to date.
              Updating pfSense repository catalogue...
              Fetching meta.conf: 0%
              Fetching packagesite.pkg: 0%
              pfSense repository is up to date.
              All repositories are up to date.
              pkg: tcpdump has a missing dependency: libsmi


              So, I installed the "libsmi" from https://pkgs.org/download/libsmi

              $ mkdir -p /usr/temp/packages/libsmi
              $ fetch -o /usr/temp/packages/libsmi https://pkg.freebsd.org/FreeBSD:14:amd64/latest/All/libsmi-0.4.8_2.pkg
              /usr/temp/packages/libsmi 2024 kB 929 kBps 02s


              $ pkg install /usr/temp/packages/libsmi/libsmi-0.4.8_2.pkg
              Updating pfSense-core repository catalogue...
              Fetching meta.conf: 0%
              Fetching packagesite.pkg: 0%
              pfSense-core repository is up to date.
              Updating pfSense repository catalogue...
              Fetching meta.conf: 0%
              Fetching packagesite.pkg: 0%
              pfSense repository is up to date.
              All repositories are up to date.
              Checking integrity... done (0 conflicting)
              The following 1 package(s) will be affected (of 0 checked):

              New packages to be INSTALLED:
              libsmi: 0.4.8_2 [unknown-repository]

              Number of packages to be installed: 1

              The process will require 16 MiB more space.

              Proceed with this action? [y/N]: y
              [1/1] Installing libsmi-0.4.8_2...
              Extracting libsmi-0.4.8_2: 100% 378 B 0.4kB/s 00:01


              Now I tried to install the tcpdump-4.99.5.pkg again:

              $ pkg install /usr/temp/packages/tcpdump/tcpdump-4.99.5.pkg
              Updating pfSense-core repository catalogue...
              Fetching meta.conf: 0%
              Fetching packagesite.pkg: 0%
              pfSense-core repository is up to date.
              Updating pfSense repository catalogue...
              Fetching meta.conf: 0%
              Fetching packagesite.pkg: 0%
              pfSense repository is up to date.
              All repositories are up to date.
              Checking integrity... done (0 conflicting)
              The following 1 package(s) will be affected (of 0 checked):

              New packages to be INSTALLED:
              tcpdump: 4.99.5 [unknown-repository]

              Number of packages to be installed: 1

              The process will require 1 MiB more space.

              Proceed with this action? [y/N]: y
              [1/1] Installing tcpdump-4.99.5...
              Extracting tcpdump-4.99.5: 100% 5 B 0.0kB/s 00:01


              As a result, a new version of tcpdump was installed in /usr/local/sbin/
              $ ls -l /usr/local/sbin/tcpdum*
              -r-xr-xr-x 1 root wheel 1134032 Jan 30 22:32 /usr/local/sbin/tcpdump
              -rw-r--r-- 1 root wheel 436586 Feb 14 16:26 /usr/local/sbin/tcpdump.pkgsave


              Now I have replaced the old version with the new one:
              $ cp /usr/local/sbin/tcpdump /usr/sbin/tcpdump


              Check the version of the new tcpdump:
              $ /usr/sbin/tcpdump --version
              tcpdump version 4.99.5
              libpcap version 1.10.4
              OpenSSL 3.0.12 24 Oct 2023
              64-bit build, 64-bit time_t

              $ ldd /usr/sbin/tcpdump
              /usr/sbin/tcpdump:
              libpcap.so.1 => /usr/local/lib/libpcap.so.1 (0x5da19a9a000)
              libcasper.so.1 => /lib/libcasper.so.1 (0x5da1a878000)
              libcap_dns.so.2 => /lib/libcap_dns.so.2 (0x5da1b344000)
              libcrypto.so.30 => /lib/libcrypto.so.30 (0x5da1b882000)
              libc.so.7 => /lib/libc.so.7 (0x5da1d635000)
              libibverbs.so.1 => /lib/libibverbs.so.1 (0x5da1c91e000)
              libnv.so.1 => /lib/libnv.so.1 (0x5da1de6a000)
              libthr.so.3 => /lib/libthr.so.3 (0x5da1e6ef000)
              [vdso] (0x5da18c6c620)


              The native tcpdump from pfSense 2.7.2 for comparison:

              $ /usr/sbin/tcpdump --version
              tcpdump version 4.99.4
              libpcap version 1.10.4
              OpenSSL 3.0.12 24 Oct 2023

              $ ldd /usr/sbin/tcpdump
              /usr/sbin/tcpdump:
              libpcap.so.8 => /lib/libpcap.so.8 (0x23e627f69000)
              libcasper.so.1 => /lib/libcasper.so.1 (0x23e62958a000)
              libcap_dns.so.2 => /lib/libcap_dns.so.2 (0x23e628203000)
              libcrypto.so.30 => /lib/libcrypto.so.30 (0x23e629bda000)
              libc.so.7 => /lib/libc.so.7 (0x23e62af79000)
              libibverbs.so.1 => /lib/libibverbs.so.1 (0x23e628254000)
              libmlx5.so.1 => /lib/libmlx5.so.1 (0x23e628ff5000)
              libnv.so.1 => /lib/libnv.so.1 (0x23e62baa1000)
              libthr.so.3 => /lib/libthr.so.3 (0x23e62ce00000)
              [vdso] (0x23e626e6e620)

              1 Reply Last reply Reply Quote 0
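Added example (not part of the original post): the two `ldd` listings above differ in ways that matter once the package binary is copied into `/usr/sbin`, and this script extracts them: which libraries the replacement resolves outside the base-system directories, and which sonames were dropped or added. The listings are copied from the post; the function names `ldd_pairs`, `non_base_libs` and `only_in_first` are hypothetical helpers.

```sh
#!/bin/sh
# Added example: diff the shared-library resolution of two tcpdump builds.
# Sample listings are the ldd outputs posted in this thread (pfSense 2.7.2).
STOCK_LDD='/usr/sbin/tcpdump:
libpcap.so.8 => /lib/libpcap.so.8 (0x23e627f69000)
libcasper.so.1 => /lib/libcasper.so.1 (0x23e62958a000)
libcap_dns.so.2 => /lib/libcap_dns.so.2 (0x23e628203000)
libcrypto.so.30 => /lib/libcrypto.so.30 (0x23e629bda000)
libc.so.7 => /lib/libc.so.7 (0x23e62af79000)
libibverbs.so.1 => /lib/libibverbs.so.1 (0x23e628254000)
libmlx5.so.1 => /lib/libmlx5.so.1 (0x23e628ff5000)
libnv.so.1 => /lib/libnv.so.1 (0x23e62baa1000)
libthr.so.3 => /lib/libthr.so.3 (0x23e62ce00000)
[vdso] (0x23e626e6e620)'
NEW_LDD='/usr/sbin/tcpdump:
libpcap.so.1 => /usr/local/lib/libpcap.so.1 (0x5da19a9a000)
libcasper.so.1 => /lib/libcasper.so.1 (0x5da1a878000)
libcap_dns.so.2 => /lib/libcap_dns.so.2 (0x5da1b344000)
libcrypto.so.30 => /lib/libcrypto.so.30 (0x5da1b882000)
libc.so.7 => /lib/libc.so.7 (0x5da1d635000)
libibverbs.so.1 => /lib/libibverbs.so.1 (0x5da1c91e000)
libnv.so.1 => /lib/libnv.so.1 (0x5da1de6a000)
libthr.so.3 => /lib/libthr.so.3 (0x5da1e6ef000)
[vdso] (0x5da18c6c620)'

# Print "soname path" for each resolved library in ldd output on stdin.
ldd_pairs() {
    awk '$2 == "=>" { print $1, $3 }' | sort
}

# Sonames that resolve outside the base-system directories /lib and /usr/lib.
non_base_libs() {
    printf '%s\n' "$1" | ldd_pairs | awk '$2 !~ /^\/(usr\/)?lib\// { print $1 }'
}

# Sonames linked by the first listing but absent from the second.
only_in_first() {
    { printf '%s\n' "$2" | ldd_pairs | sed 's/^/B /'
      printf '%s\n' "$1" | ldd_pairs | sed 's/^/A /'; } |
        awk '$1 == "B" { seen[$2] = 1; next } !($2 in seen) { print $2 }'
}

echo "Resolved outside base after the copy:"; non_base_libs "$NEW_LDD"
echo "Dropped relative to stock:";            only_in_first "$STOCK_LDD" "$NEW_LDD"
echo "Added relative to stock:";              only_in_first "$NEW_LDD" "$STOCK_LDD"
```

On a live system, pass `"$(ldd /usr/sbin/tcpdump)"` in place of the embedded listings; any soname reported by `non_base_libs` belongs to an installed package rather than the base system.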
              • pfthbst

                I now have a “good” version of the tcpdump.
                But my skills don't allow me to adequately assess the potential risks and new integrity of pfSense.

                • slu @pfthbst

                  @pfthbst said in tcpdump v4.99.4 from pfSense 2.7.2 does not honour local timezone:

                  I now have a “good” version of the tcpdump.

                  And maybe lots of fun with the next pfSense update... 😬

                  pfSense Gold subscription

                  • Gertjan @pfthbst

                    @pfthbst

                    You took both packages from https://pkg.freebsd.org/FreeBSD:14:amd64/latest/All/... so they are most probably ok.
                    If 'libsmi' is just a library file (like a DLL) then it exposes functionality to the OS/system and running executables, and the installing is just a file copied in place like /usr/local/lib/, and doesn't make any other file changes, then you are imho ok.

                    There is just one thing to keep in mind : you use 'code' on your pfSense that hasn't been audited by Netgate. I presume that Netgate, before they adopt a new library, they use the packet source, look into it, see what it does, fork it to adapt functionality or remove (!) functionality, before they use it to build a new pfSense version.
                    That is, that is how I would do it.

                    • pfthbst @Gertjan

                      @Gertjan said in tcpdump v4.99.4 from pfSense 2.7.2 does not honour local timezone:

                      @pfthbst

                      You took both packages from https://pkg.freebsd.org/FreeBSD:14:amd64/latest/All/... so they are most probably ok.
                      If 'libsmi' is just a library file (like a DLL) then it exposes functionality to the OS/system and running executables, and the installing is just a file copied in place like /usr/local/lib/, and doesn't make any other file changes, then you are imho ok.

                      There is just one thing to keep in mind : you use 'code' on your pfSense that hasn't been audited by Netgate. I presume that Netgate, before they adopt a new library, they use the packet source, look into it, see what it does, fork it to adapt functionality or remove (!) functionality, before they use it to build a new pfSense version.
                      That is, that is how I would do it.

                      Thanks, if I understand correctly, I potentially have a less reliable and less secure firewall now.

                      • pfthbst @slu

                        @slu said in tcpdump v4.99.4 from pfSense 2.7.2 does not honour local timezone:

                        @pfthbst said in tcpdump v4.99.4 from pfSense 2.7.2 does not honour local timezone:

                        I now have a “good” version of the tcpdump.

                        And maybe lots of fun with the next pfSense update... 😬

                        Yes, I've already had a lot of fun upgrading to 2.7.2 ))

                        • stephenw10 Netgate Administrator

                          Yeah, I would say it's unlikely you'll have any problems there because it didn't pull in any other pkgs as dependencies. Where you usually run into issues is when a bunch of the default pfSense pkgs get replaced by newer versions from FreeBSD but they don't have any of the pfSense patches.

                          • pfthbst @stephenw10

                            @stephenw10

                            Now I'm really calmed down, thank you!

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.