Netgate Discussion Forum

Tcpdump to Wireshark – Interface name not displayed.

General pfSense Questions
7 Posts 4 Posters 168 Views
    BrucexLing
    last edited by BrucexLing 19 days ago

    I am trying to analyse packets on two or more interfaces simultaneously. It appears to me that tcpdump is a good tool to use for this purpose. After SSHing into my pfSense 2.7.2 I have successfully created a pcap file using tcpdump that opens fine in Wireshark. My problem is that I cannot get an Interface label to display in Wireshark. I have created a custom column and linked it to frame.interface_id but unfortunately the column is blank. I don’t particularly mind what id format gets displayed as long as it allows me to distinguish between interfaces. It will be great if someone can suggest the way ahead.

    I have just now opened a pcap created with pfSense Packet Capture and the blank column result is the same.

      patient0 @BrucexLing
      last edited by 19 days ago

      @BrucexLing when using tcpdump you capture traffic on one interface. And with that the interface used is already clear (and it is not saved).

      Or: how do you run tcpdump?

        BrucexLing
        last edited by 19 days ago

        I thought I saw somewhere you could include something like "-i igb2 -i ovpnc1" in the tcpdump command line to listen on 2 interfaces. If I can't do that I'll need to rethink things.

          dennypage @BrucexLing
          last edited by dennypage 18 days ago 19 days ago

          @BrucexLing said in Tcpdump to Wireshark – Interface name not displayed.:

          I thought I saw somewhere you could include something like "-i igb2 -i ovpnc1" in the tcpdump command line to listen on 2 interfaces.

          Subsequent use of -i overrides any prior use of -i. In other words, tcpdump will only use the last interface specified on the command line. So in the example you used, you will only capture packets from interface ovpnc1.

          On some systems tcpdump can collect packets from all interfaces using a special interface named any, but pfSense/FreeBSD isn't one of them.

            BrucexLing
            last edited by 19 days ago

            Thank you guys for putting me straight on this one. I’ll now progress to merging capture files. That did seem quite daunting initially, but I am now looking forward to giving it a go. Would I be right in thinking that the merging process will somehow tag the interfaces so they can be distinguished in the final Wireshark result?

              johnpoz LAYER 8 Global Moderator @BrucexLing
              last edited by johnpoz 18 days ago 19 days ago

              @BrucexLing said in Tcpdump to Wireshark – Interface name not displayed.:

              merging process will somehow tag the interfaces so they can be distinguished in the final Wireshark result?

              I don't think it would do that. Wireshark doesn't have any idea about which interface it was captured on.

              But you would be able to tell which interface by the MAC address in the capture, if you're trying to capture an in/out sort of deal.

              You might be able to add a label to all the packets in the first one, then add the 2nd capture.

              edit: here's a quick example. I captured on my LAN interface igb0 and on interface igb2, then pinged from a box on igb0 (192.168.9.100) to a box on the igb2 network (192.168.2.13).

              I loaded the first pcap, then added a comment (which you can view in your columns by adding frame.comment). I then merged the igb2 pcap.

              As you can see, the ones captured on igb0 are marked with a comment, and the ones on igb2 are not.

              [image: capture.jpg]

              But notice I can tell which interfaces on pfSense were used by the MAC address. Packet 1 there has a destination of my igb0 on e6:24, and the one outbound from the igb2 interface (packet 2) has a source of e6:20 (the pfSense igb2 interface).

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                BrucexLing
                last edited by BrucexLing 18 days ago

                Many thanks John. In my situation I have one physical interface and one VPN. What I have found is that after a merge of two pcapngs the term frame.interface_id is either 0 or 1, depending on whether the frame is for the physical or the VPN interface respectively.

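Added example (editor's code, not from this thread, pfSense, tcpdump or Wireshark): a small Python script that builds two constructed single-interface pcapng captures, merges them the way mergecap does in the simplest case, and resolves each packet's interface_id back to an interface name. It ties together dennypage's point (one tcpdump run captures one interface, so each file carries a single interface record) and the last post's observation that frame.interface_id is 0 or 1 after the merge: the per-file Interface Description Blocks are appended to the merged file and the ids renumbered. It also shows that the pcapng if_name option on the IDB is what Wireshark reads for frame.interface_name; a file whose IDB lacks that option shows only the number. The link type chosen for ovpnc1, the packet bytes and the timestamps are placeholders, and the merge deliberately omits the identical-IDB collapsing that real mergecap can perform (its -I option).

```python
"""Constructed pcapng writer/merger/reader showing how interface_id survives a merge.
Imitation of mergecap's default behaviour for illustration only, not Wireshark code."""
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006   # pcapng block types
LINKTYPE_NULL, LINKTYPE_ETHERNET = 0, 1              # DLT values used below
OPT_ENDOFOPT, OPT_IF_NAME = 0, 2                     # option codes; if_name lives in the IDB


def _pad4(b: bytes) -> bytes:
    """pcapng aligns every variable-length field to 4 bytes."""
    return b + b"\x00" * ((4 - len(b) % 4) % 4)


def _block(btype: int, body: bytes) -> bytes:
    """Generic block: type, total length, body, total length repeated."""
    total = 8 + len(body) + 4
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)


def _option(code: int, value: bytes) -> bytes:
    return struct.pack("<HH", code, len(value)) + _pad4(value)


def shb() -> bytes:
    """Section Header Block: byte-order magic, version 1.0, unknown section length."""
    return _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))


def idb(linktype: int, if_name: str, snaplen: int = 262144) -> bytes:
    """Interface Description Block with the if_name option (Wireshark: frame.interface_name)."""
    body = struct.pack("<HHI", linktype, 0, snaplen)
    body += _option(OPT_IF_NAME, if_name.encode()) + struct.pack("<HH", OPT_ENDOFOPT, 0)
    return _block(IDB, body)


def epb(interface_id: int, ts_us: int, data: bytes) -> bytes:
    """Enhanced Packet Block; interface_id indexes the IDBs of the section, in order."""
    body = struct.pack("<IIIII", interface_id, ts_us >> 32, ts_us & 0xFFFFFFFF, len(data), len(data))
    return _block(EPB, body + _pad4(data))


def blocks(buf: bytes):
    """Yield (block type, body) for every block in a pcapng byte string."""
    off = 0
    while off < len(buf):
        btype, total = struct.unpack_from("<II", buf, off)
        if total < 12 or off + total > len(buf):
            raise ValueError("truncated or corrupt pcapng block")
        yield btype, buf[off + 8: off + total - 4]
        off += total


def _if_name(options: bytes):
    """Return the if_name option of an IDB, or None when the file carries no name."""
    off = 0
    while off + 4 <= len(options):
        code, length = struct.unpack_from("<HH", options, off)
        if code == OPT_ENDOFOPT:
            break
        if code == OPT_IF_NAME:
            return options[off + 4: off + 4 + length].decode()
        off += 4 + ((length + 3) & ~3)
    return None


def merge(*captures: bytes) -> bytes:
    """Simplified mergecap: one output section, each input's IDBs appended in order,
    every EPB interface_id shifted by that input's IDB offset, packets sorted by time.
    Real mergecap may additionally collapse identical IDBs (see its -I option)."""
    idbs, epbs = [], []
    for cap in captures:
        base = len(idbs)
        for btype, body in blocks(cap):
            if btype == IDB:
                idbs.append(body)
            elif btype == EPB:
                iface, hi, lo = struct.unpack_from("<III", body, 0)
                epbs.append(((hi << 32) | lo, struct.pack("<I", base + iface) + body[4:]))
    epbs.sort(key=lambda item: item[0])
    return shb() + b"".join(_block(IDB, b) for b in idbs) + b"".join(_block(EPB, b) for _, b in epbs)


def interface_report(pcapng: bytes):
    """(interface_id, interface name, packet bytes) per packet, resolving the id against
    the IDBs the way Wireshark fills frame.interface_id / frame.interface_name."""
    names, report = [], []
    for btype, body in blocks(pcapng):
        if btype == IDB:
            names.append(_if_name(body[8:]) or f"interface {len(names)}")
        elif btype == EPB:
            iface, _, _, caplen, _ = struct.unpack_from("<IIIII", body, 0)
            report.append((iface, names[iface], body[20:20 + caplen]))
    return report


def demo():
    """Two constructed single-interface captures (each using interface_id 0, as one
    tcpdump -i <if> per interface produces) merged into one file. The VPN link type
    is an assumption and the frames are placeholders, not real traffic."""
    igb2 = (shb() + idb(LINKTYPE_ETHERNET, "igb2")
            + epb(0, 1_000_000, b"\x00" * 12 + b"\x08\x00" + b"ping-request")
            + epb(0, 1_000_400, b"\x00" * 12 + b"\x08\x00" + b"ping-reply"))
    ovpnc1 = (shb() + idb(LINKTYPE_NULL, "ovpnc1")
              + epb(0, 1_000_200, b"\x02\x00\x00\x00" + b"ping-request"))
    return interface_report(merge(igb2, ovpnc1))


if __name__ == "__main__":
    for iface_id, name, data in demo():
        print(f"interface_id={iface_id} ({name}) {len(data)} bytes")
```

On pfSense the corresponding workflow is one `tcpdump -i <interface> -w <file>` per interface, run at the same time, followed by `mergecap -w merged.pcapng <file1> <file2>` on the workstation; the script does not run those commands. Its writer follows the pcapng SHB/IDB/EPB layout but is minimal and intended only for this illustration.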
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.