********* Works wo sudo hack on linux **************

Only first time (ever) - to make ssh work wo. asking for passwd
ssh-keygen
ssh-copy-id user@pfsense-fw

If sudo is installed on pfsense
----------------------------------
remote:~$ mkfifo /tmp/pcap
remote:~$ sudo tcpdump -iigb1 -U -s0 -w - 'not port 22' > /tmp/pcap

If sudo is not installed on pfsense
------------------------------------
ssh to pfsense as root/admin , enter 8 for shell

remote:~# mkfifo /tmp/pcap
remote:~# tcpdump -iigb1 -U -s0 -w - 'not port 22' > /tmp/pcap

and send the data by a separate connection:

local:~$ mkfifo /tmp/pcap
local:~$ ssh user@pfsense-fw "cat /tmp/pcap" > /tmp/pcap

and finally start Wireshark

local:~$ sudo wireshark -k -i /tmp/pcap

********************* end ***************

I do have this one liner working
As local root (due to wireshark needs root)

local:# ssh user@pfsense-fw sudo tcpdump -iigb1 -U -s0 -w - 'not port 22' | wireshark -k -i -

But it requires sudo to be installed on pfsense

https://www.cyberciti.biz/faq/how-to-add-delete-grant-sudo-privileges-to-users-on-freebsd-unix-server/

install
pkg install security/sudo

And some "nasty" visudo things, that would get a "security officer/revision" to get "Red Ears" ….

I could prob lock it down to just work with tcpdump , but for now it's allowing my local user to sudo anything wo even asking for a pwd. Provided he's a member of the admin group.

Have fun "Sharking"

Ps:
Most of this nasty stuff would prob not be needed of we could get a way to ssh into pfsense as root , wo. hitting the "menu".
Or if we could ssh into pfsense w. a user that was allowed to run tcpdump on an interface.

/Bingo

Modified to my needs of course, and it starts to work, it opens wireshark and asked me if the connection was secure and then nothing comes through into wireshark, it just sits there idle.

I have tried promiscuous and non promiscuous modes.

Any suggestions?

Reason:
Connecting using user "root" or "admin" will end up in a CLI-Menu but no shell.
Thus and tcpdump cannot start and you will see nothing.

Solution:
Start like this:

(echo 8) | plink root@pfsense tcpdump -n -s 0 -nn -U -w - -i em0  icmp | wireshark -i - -k

"( echo 8 )" will type "8" for you in order to exit from the menu to the shell (at time of writing).

After that I assume wireshark is working properly.

1. The GUI won't accept an SSH key path.
2. Sends options for remote binary dumpcap when specifying tcpdump.  The -f option has different meaning for tcpdump.
3. No means of specifying options for the remote binary command.
4. Captures a few packets and then prematurely stops capturing.
5. kex algorithm mismatch between Wireshark SSH client and pfSense SSHd.

The default remote binary is dumpcap.  From what I gleaned from bug reports it sounds like dumpcap is preferred over tcpdump due to some security issues with tcpdump being run with full privileges.

Unfortunately it does not appear dumpcap has been compiled for FreeBSD.  At least not that I could find.  Would be nice if someone could compile and get it included in the FreeBSD ports/packages or wherever appropriate and included in pfSense build.

In the meantime for experimenting I've been using a dumpcap script to translate to tcpdump.

#/bin/sh
echo $0 >/var/dumpcap.txt
echo $1 >>/var/dumpcap.txt
echo $2 >>/var/dumpcap.txt
echo $3 >>/var/dumpcap.txt
echo $4 >>/var/dumpcap.txt
echo $5 >>/var/dumpcap.txt
echo $6 >>/var/dumpcap.txt
echo $7 >>/var/dumpcap.txt

#/var/dumpcap
#-i em1 -w - -f not port 22

#/usr/sbin/tcpdump -p -n -nn -s 0 -U -w - -i em0 not port 22
#/usr/sbin/tcpdump -p -n -nn -s 0 -U -w - $3 $4 $6
 /usr/sbin/tcpdump -p -n -nn -s 0 -U $1 $2 $3 $4 $6

Once it all gets ironed out this should be much nicer than using command line to third party SSH app and pipe to Wireshark.  Basically doing the same thing, just providing a GUI frontend within Wireshark.


SSH Remote Capture TCPdump
https://ask.wireshark.org/questions/58696/ssh-remote-capture-tcpdump

Verify the authentication method (key and/or password) and the user credentials being used.

Also verify the pfSense machine's address being used is correct.

Also verify the plink.exe path is correct and that plink is working.

"c:\wireshark\plink.exe" -ssh -pw pword root@pfSense.localhost tcpdump -n -nn -s 0 -U -w - -i em1 vlan 99 and icmp | "C:\Program Files\Wireshark\wireshark.exe" -i - -k -p

Modified to my needs of course, and it starts to work, it opens wireshark and asked me if the connection was secure and then nothing comes through into wireshark, it just sits there idle.

I have tried promiscuous and non promiscuous modes.

Any suggestions?

I'm not sure I'd feed it into wireshark directly. Lots of corner cases can appear that way.

Such as?  Examples?

@fatsailor:

Why not save pcaps, and then load those directly into wireshark?

Bro with Timemachine (not AAPL's) and I think Vortex will both capture pcaps for replay.

Even easier (but not secure), mount a remote file system and tcpdump to it.

Not realtime/live packet captures.  See what's happening as it happens.

As for easy.  This is pretty easy.  Just install puTTY (plink), build a few command lines in a text editor for common capture filters, and paste as needed in to a command shell.  Poof Wireshark is live capturing the pfSense interface of your choice.

I know that remote packet capturing (realtime capture of a remote tcpdump with Wireshark) can be done with Linux and I've done that before.  Is it also supported with FreeBSD?  I'm guessing it is.  If so does the pfSense install have everything needed?  Guessing it does but would just like to verify before spending time attempting to make something work that is not going to.

As a bonus if someone has the tcpdump command line handy for setting up the remote capture that would be great not having to start from scratch.

I'm not sure I'd feed it into wireshark directly. Lots of corner cases can appear that way. Why not save pcaps, and then load those directly into wireshark?

Bro with Timemachine (not AAPL's) and I think Vortex will both capture pcaps for replay.

Even easier (but not secure), mount a remote file system and tcpdump to it.

"C:\Program Files (x86)\PuTTY\plink.exe" -ssh -pw password root@pfSense.localdomain tcpdump -n -nn -s 0 -U -w - -i bfe0 vlan 99 and icmp | "C:\Program Files\Wireshark\wireshark.exe" -i - -k

or if target systems ssh is configured for key authentication, replace password with i option and key file

"C:\Program Files (x86)\PuTTY\plink.exe" -ssh -i "C:\Program Files (x86)\WinSCP\Keys\pfSense\id_rsa_4096_SSH_Private_Key.ppk" root@pfSense.localdomain tcpdump -n -nn -s 0 -U -w - -i bfe0 vlan 99 and icmp | "C:\Program Files\Wireshark\wireshark.exe" -i - -k

Replace paths, login name, domain name, network interface, filter expression, etc. as appropriate.

To prevent tcpdump from putting the network interface into promiscuous mode add the -p option.