Bridging and using wireshark, howto or alternative



  • Hi all,

    I'm using pfSense Embedded 1.2 release on WRAP. My ultimate goal is to log traffic in our network on a per IP basis. I basically want to know the amount of bandwidth everyone uses.

    I already know it would be possible with some packages, but since I run embedded, that's not an option. So my next solution is running Wireshark on a laptop and let it trace continuously. Our network looks like this:

    WAN ---> VDSL modem/router (in bridge mode) ---> pfSense on WRAP (WAN interface) ---> pfSense LAN interface ---> multiple switches (single /24 subnet)

    Logging with Wireshark would be easy when plugging in a dumb hub at the pfSense LAN interface. However, I cannot find any dumb hub on the market these days (new or second hand). Also a managed switch with port mirroring is out of reach (financially).

    Next option that I tried was bridging the OPT1 interface with LAN, setting up 2 rules allowing traffic between LAN and OPT1 interfaces. This way, the laptop receives a DHCP IP on the OPT1 interface from the LAN DHCP server. I see some traffic on the OPT1 interface, but only traffic to and from the laptop plus some broadcasts. Therefore, I think that this will not work, since pfSense's bridging acts as a switch and I don't see all LAN traffic.

    Does anyone know a solution for reaching my goal by configuring pfSense to see all traffic on OPT1 or with some completely different method?

    Thanks in advance to anyone reading.

    Cheers, Marc


  • Rebel Alliance Developer Netgate

    If you upgrade to 1.2.3-RELEASE on the WRAP, you can use packages, though 1.2.3 takes some fiddling to make it work on WRAP (See http://doc.pfsense.org/index.php/NanoBSD_on_WRAP )

    I'm not sure which if any of the bandwidth monitoring packages would be suitable to run on a WRAP though. I think pfflowd would be the most likely choice as it just relays info to a netflow collector you run on another system.

    If you want to remotely monitor via wireshark, I describe a technique in the book (pg. 472) that works to run a remote realtime capture over ssh from a FreeBSD/Linux/Mac workstation running wireshark that will collect the traffic live directly from the firewall.



  • Many thanks for indicating both options. I'll have to do some more reading now.



  • @jimp:

    to remotely monitor via wireshark, I describe a technique in the book (pg. 472) that works to run a remote realtime capture

    Wow! It's beautiful! What a pity that there is only this "book" and absolutely nothing like good old manpages!

    Please describe (just in common words, without detailed shell commands) this magic technique here too?


  • Rebel Alliance Developer Netgate

    Nothing magical about it, I just wrote out details there, specific to pfSense.

    It's covered in the Wireshark FAQ, actually: http://wiki.wireshark.org/CaptureSetup/Pipes#head-c2e8e0406864a26e2cee4fdb325f0ed832d684c6 - a well-formed Google search would have turned it up.

    Basically it's grabbing the data through a remote ssh session.
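
The remote-capture approach above, applied to Marc's original goal of per-IP byte accounting: an added example, not from the thread or the pfSense book, that reads a classic pcap stream (such as `tcpdump -w -` piped over ssh) and sums the on-wire bytes each IPv4 address sent or received. The firewall hostname, ssh user and LAN interface name in the usage note are assumptions; the embedded two-host capture is constructed so the script runs offline.

```python
import struct
import sys
from collections import Counter

IPV4_ETHERTYPE = b"\x08\x00"


def account_pcap(data: bytes) -> dict:
    """Return {ip: bytes}, charging each IPv4 frame's wire length to both its src and dst."""
    (magic,) = struct.unpack("<I", data[:4])
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap stream (unexpected magic)")
    linktype = struct.unpack(endian + "HHiIII", data[4:24])[5]
    if linktype != 1:  # LINKTYPE_ETHERNET, what tcpdump writes for a LAN NIC
        raise ValueError("only Ethernet link-layer captures are handled")
    counts = Counter()
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        # Skip non-IPv4 frames (ARP, other broadcasts) and frames cut short by the snaplen.
        if len(frame) < 34 or frame[12:14] != IPV4_ETHERTYPE:
            continue
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        counts[src] += orig_len  # orig_len is the on-wire size even when snaplen truncated it
        counts[dst] += orig_len
    return dict(counts)


def build_sample_pcap() -> bytes:
    """Constructed three-packet capture (not real traffic) for offline runs and tests."""
    def frame(src: str, dst: str, payload: int) -> bytes:
        addrs = bytes(map(int, src.split("."))) + bytes(map(int, dst.split(".")))
        ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + payload, 1, 0, 64, 17, 0) + addrs
        eth = b"\x00" * 6 + b"\x00" * 5 + b"\x01" + IPV4_ETHERTYPE
        body = eth + ip + b"\x00" * payload
        return struct.pack("<IIII", 0, 0, len(body), len(body)) + body
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return (header + frame("192.168.1.10", "8.8.8.8", 100)
            + frame("8.8.8.8", "192.168.1.10", 1000) + frame("192.168.1.20", "8.8.8.8", 50))


if __name__ == "__main__":
    stream = build_sample_pcap() if sys.stdin.isatty() else sys.stdin.buffer.read()
    for ip, total in sorted(account_pcap(stream).items(), key=lambda kv: -kv[1]):
        print(f"{ip:<16} {total} bytes")
```

To run it live, pipe the firewall's LAN capture in with something like `ssh admin@firewall tcpdump -i sis0 -U -w - 'not port 22' | python3 peripbytes.py` (host, user and interface assumed); the `not port 22` filter keeps the capture from counting its own ssh stream back to the laptop.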



  • Thnx. Unfortunately it's standard but too complex (especially for monitoring from Windows).

    Is there any way to use "more normal" methods like Tazmen Sniffer Protocol (aka tzsp)?


  • Rebel Alliance Developer Netgate

    As far as I'm aware, there is no support for tzsp. The only remote packet monitoring I've ever seen work is the wireshark method I was talking about. And you're right, it is not Windows-friendly. It works fine on Ubuntu, FreeBSD, even OS X.

    These days it's pretty easy to slap a virtualbox VM with ubuntu on any OS for doing this kind of thing.



  • @VitRom:

    Wow! It's beautiful! What a pity that there is only this "book" and absolutely nothing like good old manpages!

    Please describe (just in common words, without detailed shell commands) this magic technique here too?

    These types of responses really pain me. How much money have you saved by using pfSense and you cannot afford to purchase the book and help out the project?

    Sad.



  • @sullrich:

    These types of responses really pain me.

    Sure! ;)

    @sullrich:

    How much money have you saved by using pfSense

    You'll not believe – nothing (zero, nada).

    @sullrich:

    and you cannot afford to purchase the book

    Absolutely! Just because

    1. the sum of the book and delivery prices is about 1/5 of my monthly income from the place where I currently test pfSense, and
    2. I don't like books when ten or twenty manpages are enough (and it's well-known "good form" in the OSS world for a book to exist alongside the "base" documentation)
