Possible to traffic capture on the WAN port?



  • The pfSense router seems to have having problems talking over the modem to the internet. My modem, and my ISP, confirm that i have sync, but at the same time pfSense sometimes just will not connect (using PPPoE).

    i want to try to debug the problem, by watching the PPPoE connection trying to get built-up, which typically is of the form:

    pfSense broadcasts a PPPoE Active Discovery Initiation (PADI) packet out to my ISP:

        DESTINATION_ADDR: ffffffffffff  (broadcast mac address)
        SOURCE_ADDR: 0001023d7185  (pfSense WAN adapter mac address)
        ETHER_TYPE: 8863  (PPPoE Discovery stage)
        PAYLOAD: 11090000
           1 (Version always 0x1)
           1 (Type always 0x1)
           09 (Code: 0x09 = PADI)
           0000 (Session ID: 0x0000)
    

    The ISP then responds with a PPPoE Active Discovery Offer (PADO) packet:

    
           DESTINATION_ADDR: 0001023d7185 (pfSense WAN adapter mac address)
           SOURCE_ADDR: 000e407bf38a          (ISP's PPPoE server mac address)
           ETHER_TYPE: 8863                          (PPPoE Discovery stage)
           PAYLOAD: 11070000
                1 (Version always 0x1)
                1 (Type always 0x1)
                07 (Code: 0x07 = PADO)
                0000 (Session ID: 0x0000)
    

    pfSense then requests to start a PPPoE session with the guy who responded to its broadcast by sending a PPPoE Active Discovery Request (PADR) packet to them:

    
           DESTINATION_ADDR: 000e407bf38a   (ISP's PPPoE server mac address)
           SOURCE_ADDR: 0001023d7185          (pfSense WAN adapter mac address)
           ETHER_TYPE: 8863                           (PPPoE Discovery stage)
           PAYLOAD: 11190000
                1 (Version always 0x1)
                1 (Type always 0x1)
                19 (Code: 0x19 = PADR)
                0000 (Session ID: 0x0000)
    

    My ISP then responds with a session ID in a The PPPoE Active Discovery Session-confirmation (PADS) packet:

    
           DESTINATION_ADDR: 0001023d7185   (pfSense WAN adapter mac address)
           SOURCE_ADDR: 000e407bf38a            (ISP's PPPoE server mac address)
           ETHER_TYPE: 8863                             (PPPoE Discovery stage)
           PAYLOAD: 11651234
               1 (Version always 0x1)
               1 (Type always 0x1)
               65 (Code: 0x65 = PADS)
               1234 (Session ID: 0x1234)
    

    …and on it goes.

    i want to monitor the PPPoE session creation. i want to see if/when pfSense is broadcasting a PADI initiation packet. i want to see if my ISP isn't responding. i want to capture the packets on the WAN interface.

    Those of you who are sharp will realize the problem. i want to capture packets on the actual WAN interface of the computer, not the internet "WAN" interface, which is not up yet. It's not up yet because the PPPoE connection isn't up yet.

    i want to capture packets on the wire, not packets going out the PPPoE virtual connection.

    Is it possible to capture packets on the WAN port, with PPPoE as the method for connecting to the internet, with pfSense?



  • @JackTripper:

    Those of you who are sharp will realize the problem.

    I guess I'm not too sharp  :)  I can't see the problem.

    PPPoE suggests ethernet. There must be an associated physical Ethernet (or VLAN) interface, say vr2. Packet capture on vr2.



  • You can use tcpdump on the physical interface which will grab the information you need.  If you want, you can easily capture this data in binary format and then feed it to an instance of Wireshark running on a separate machine for extra prettiness.


Log in to reply