Logs



  • I'm going to have our pbx vendor look into a strange problem I'm having with one of the phones. Is there anywhere else that I should look for log info besides Status> System Logs

    Trying to identify a problem we're having with one phone on our network.

    2.0.1-RELEASE (i386)
    built on Mon Dec 12 17:53:52 EST 2011
    FreeBSD 8.1-RELEASE-p6

    Thanks



  • Packet capture the traffic with a filter string and compare traffic from non-working phone vs working phone? System Logs is a good starting point, but depending on the details of your box the other application specific log areas will probably be more descriptive and useful than just the general catch all.

    Also using the shell to ssh into the box and researching some FreeBSD advanced logging techniques or system tunables may be helpful if you suspect an OS level problem.



  • Hi, thanks.
    Diagnostics > Packet Capture looks like it would probably be exactly what I need. I completely didn't notice that.

    I have a question though concerning the size of this file. I'm going to need to capture 8 hours (or while I'm in the office) because the issue I'm troubleshooting cannot be reproduced intentionally. What happens to the pcap after you download, is it deleted or is it going to be stored on the HD somewhere?

    While capture is running, do I need to leave the browser tab open or can I close it and come back later?

    If they are stored, how would I go about locating them and deleting them?

    Is there a way to run a capture that only records in 20 minute intervals but only keep 5 pcaps at a time??

    For example, with wireshark on windows, I can do something like this:
    dumpcap -ni 1 -w e:\pcaps\some_log_files.pcap -b duration:1200 -b files:5

    [edit]

    I just noticed the "Count" field. If I set this to something like 250000 would that basically be like retaining only the most recent 250k captures, or does that mean stop logging after 250k is reached?



    While capture is running, do I need to leave the browser tab open or can I close it and come back later?

    Pretty sure it would end when your browser session does. Not real sure. But if you ssh in and run a tcpdump command, like say

    tcpdump -n -i <interface> -w /path/to/somefile.pcap

    That will run until you kill it. You can also download that via the web interface (diagnostics->command prompt) or via scp. And you can examine the .pcap file at your leisure.

    If they are stored, how would I go about locating them and deleting them?

    Diagnostics->Command prompt. SSH shell is much easier for this.

    Is there a way to run a capture that only records in 20 minute intervals but only keep 5 pcaps at a time??

    Sounds like a job for cron and scripts. I wouldn't try and use anything on the gui web interface for that. 20-minute interval cron jobs running a script that makes sure you only have 5 .pcap files, and then tcpdumps a new one. I don't know of anything analogous to that wireshark command that's a stock utility.

    It sounds like you are just worried about storage. pfSense does have a way to integrate remote storage for logs. Not sure if that extends to packet capture. If you can make a firewall rule that matches a filter string and log it to remote storage, then you'd be doing the same thing.

    I just noticed the "Count" field. If I set this to something like 250000 would that basically be like retaining only the most recent 250k captures, or does that mean stop logging after 250k is reached?

    The latter in my experience.
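The "cron and scripts" approach suggested above, written out as an added example (not code posted in this thread): each cron run stops the previous capture, trims the directory to the newest files, and starts a fresh tcpdump. The interface name em0, the directory /root/pcaps and the phone address 192.0.2.10 are assumptions, not values from the thread.

```shell
#!/bin/sh
# Rotating packet capture driven from cron (added example, not from the thread).
# Assumed values, override via environment: interface, capture dir, filter.
IFACE="${IFACE:-em0}"
PCAP_DIR="${PCAP_DIR:-/root/pcaps}"
FILTER="${FILTER:-host 192.0.2.10}"   # constructed documentation address
KEEP=5                                # total pcap files to retain
PIDFILE="$PCAP_DIR/tcpdump.pid"

# Delete all but the newest $2 *.pcap files in directory $1.
# Prints the number of pcap files left so callers can check the result.
prune_pcaps() {
    dir=$1; keep=$2
    # ls -t lists newest first; everything past the first $keep entries is old.
    ls -t "$dir"/*.pcap 2>/dev/null | tail -n +"$((keep + 1))" | while IFS= read -r f; do
        rm -f "$f"
    done
    ls "$dir"/*.pcap 2>/dev/null | wc -l | tr -d ' '
}

# Stop the capture started by the previous cron run, if it is still alive.
stop_previous() {
    if [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null; then
        kill "$(cat "$PIDFILE")"
    fi
    rm -f "$PIDFILE"
}

# Start a new background tcpdump writing to a timestamped file.
start_capture() {
    out="$PCAP_DIR/cap-$(date +%Y%m%d-%H%M%S).pcap"
    # -n: no name resolution; -s 0: full packets; the filter keeps files small.
    nohup tcpdump -n -i "$IFACE" -s 0 -w "$out" $FILTER >/dev/null 2>&1 &
    echo $! > "$PIDFILE"
}

rotate_and_capture() {
    mkdir -p "$PCAP_DIR"
    stop_previous
    prune_pcaps "$PCAP_DIR" "$((KEEP - 1))" >/dev/null   # leave room for the new file
    start_capture
}

# Cron entry, every 20 minutes:  */20 * * * * /root/pcap_rotate.sh run
case "${1:-}" in run) rotate_and_capture ;; esac
```

The filter limits the capture to the one phone, so a day's worth of 20-minute files stays small enough to copy off with scp and open in Wireshark.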