Netgate Discussion Forum
    Remote Packet Capture

    General pfSense Questions
    11 Posts 5 Posters 6.3k Views
    • NOYB

      I know that remote packet capturing (realtime capture of a remote tcpdump with Wireshark) can be done with Linux and I've done that before.  Is it also supported with FreeBSD?  I'm guessing it is.  If so does the pfSense install have everything needed?  Guessing it does but would just like to verify before spending time attempting to make something work that is not going to.

      As a bonus if someone has the tcpdump command line handy for setting up the remote capture that would be great not having to start from scratch.

      • NOYB

        Well here it is…

        
        "C:\Program Files (x86)\PuTTY\plink.exe" -ssh -pw password root@pfSense.localdomain tcpdump -n -nn -s 0 -U -w - -i bfe0 vlan 99 and icmp | "C:\Program Files\Wireshark\wireshark.exe" -i - -k
        
        

        Or, if the target system's SSH is configured for key authentication, replace the password option with the -i option and a key file:

        
        "C:\Program Files (x86)\PuTTY\plink.exe" -ssh -i "C:\Program Files (x86)\WinSCP\Keys\pfSense\id_rsa_4096_SSH_Private_Key.ppk" root@pfSense.localdomain tcpdump -n -nn -s 0 -U -w - -i bfe0 vlan 99 and icmp | "C:\Program Files\Wireshark\wireshark.exe" -i - -k
        
        

        Replace paths, login name, domain name, network interface, filter expression, etc. as appropriate.

        To prevent tcpdump from putting the network interface into promiscuous mode add the -p option.

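The plink one-liners above, reworked as a client-side script for a Unix management host. This is an added example, not code from NOYB's post or from the pfSense project. It assumes ssh and wireshark on the management host, key authentication, and a remote account that gets a plain shell; the script name pfcap.sh and the variables CAP_KEY, CAP_USER and CAP_CLIENT are my own. Beyond the original commands it excludes the capture session's own SSH traffic by client address rather than blanketing all of port 22, rejects interface names and filters that carry shell metacharacters before they reach the remote shell, and can tee the stream to a pcap file while Wireshark shows it live.

```sh
#!/bin/sh
# pfcap.sh: live capture on a pfSense interface, streamed over SSH into Wireshark.
# Added example, not code from the thread. Assumes ssh and wireshark in PATH, key
# authentication, and a remote account that gets a plain shell; root and admin on
# pfSense land in the console menu instead (see the "echo 8" workaround later in
# the thread). CAP_KEY, CAP_USER and CAP_CLIENT are hypothetical variable names.
set -eu

CAP_KEY=${CAP_KEY:-${HOME:-.}/.ssh/pfsense_capture}
CAP_USER=${CAP_USER:-root}

# Host names, addresses and interface names must be plain tokens. The command is
# handed to a remote shell, so anything else could become a second command.
valid_token() {
    [ -n "$1" ] && [ -z "$(printf '%s' "$1" | LC_ALL=C tr -d 'A-Za-z0-9._:-')" ]
}

# Same for the BPF filter: letters, digits, space and BPF punctuation only.
valid_filter() {
    [ -z "$(printf '%s' "$1" | LC_ALL=C tr -d 'A-Za-z0-9._:/ ()=!<>-')" ]
}

# Build the remote tcpdump command.
#   -n    no DNS lookups (a stalled lookup stalls the whole stream)
#   -s 0  whole packets
#   -U    flush every packet so Wireshark shows it immediately
#   -w -  pcap to stdout, which ssh carries back to us
# When the capture interface also carries the SSH session, every packet shown
# generates SSH traffic that is captured in turn and the stream snowballs, so
# the session is excluded. Excluding only our own address keeps other SSH
# traffic to the firewall visible, unlike a blanket "not port 22".
remote_cmd() {
    iface=$1 filter=$2 client=$3
    valid_token "$iface" && valid_token "$client" && valid_filter "$filter" || return 2
    exclude="not (tcp port 22 and host $client)"
    if [ -n "$filter" ]; then
        bpf="($filter) and $exclude"
    else
        bpf=$exclude
    fi
    printf "tcpdump -n -s 0 -U -w - -i %s '%s'\n" "$iface" "$bpf"
}

# Usage: CAP_CLIENT=<our address> pfcap.sh <pfsense-host> <interface> [filter] [save.pcap]
# With a fourth argument the stream is also written to a file, so the live view
# and a saved pcap come from the same session.
main() {
    host=$1 iface=$2 filter=${3:-} save=${4:-}
    client=${CAP_CLIENT:?set to our address as pfSense sees it, e.g. 192.0.2.10}
    cmd=$(remote_cmd "$iface" "$filter" "$client") || { echo "pfcap: bad argument" >&2; exit 2; }
    # -T: no pseudo-terminal, which would mangle the binary pcap stream.
    if [ -n "$save" ]; then
        ssh -T -i "$CAP_KEY" "$CAP_USER@$host" "$cmd" | tee "$save" | wireshark -k -i -
    else
        ssh -T -i "$CAP_KEY" "$CAP_USER@$host" "$cmd" | wireshark -k -i -
    fi
}

case "$0" in *pfcap.sh) main "$@" ;; esac
```

Run it as `CAP_CLIENT=192.0.2.10 ./pfcap.sh pfSense.localdomain em1 'vlan 99 and icmp'` (add a file name as a fourth argument to keep a copy of the pcap). If Wireshark opens and then sits idle, the remote account is most likely being dropped into the pfSense console menu rather than a shell, which the later replies in this thread discuss.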
        • fatsailor

          @NOYB:

          I know that remote packet capturing (realtime capture of a remote tcpdump with Wireshark) can be done with Linux and I've done that before.  Is it also supported with FreeBSD?  I'm guessing it is.  If so does the pfSense install have everything needed?  Guessing it does but would just like to verify before spending time attempting to make something work that is not going to.

          As a bonus if someone has the tcpdump command line handy for setting up the remote capture that would be great not having to start from scratch.

          I'm not sure I'd feed it into wireshark directly. Lots of corner cases can appear that way. Why not save pcaps, and then load those directly into wireshark?

          Bro with Timemachine (not AAPL's) and I think Vortex will both capture pcaps for replay.

          Even easier (but not secure), mount a remote file system and tcpdump to it.

          • NOYB

            @fatsailor:

            I'm not sure I'd feed it into wireshark directly. Lots of corner cases can appear that way.

            Such as?  Examples?

            @fatsailor:

            Why not save pcaps, and then load those directly into wireshark?

            Bro with Timemachine (not AAPL's) and I think Vortex will both capture pcaps for replay.

            Even easier (but not secure), mount a remote file system and tcpdump to it.

            Not realtime/live packet captures.  See what's happening as it happens.

            As for easy: this is pretty easy.  Just install PuTTY (plink), build a few command lines in a text editor for common capture filters, and paste as needed into a command shell.  Poof, Wireshark is live-capturing the pfSense interface of your choice.

            • flagcc

              I am trying to use your command line script:

              "c:\wireshark\plink.exe" -ssh -pw pword root@pfSense.localhost tcpdump -n -nn -s 0 -U -w - -i em1 vlan 99 and icmp | "C:\Program Files\Wireshark\wireshark.exe" -i - -k -p

              Modified to my needs of course, and it starts to work: it opens Wireshark and asks me if the connection is secure, and then nothing comes through into Wireshark; it just sits there idle.

              I have tried promiscuous and non promiscuous modes.

              Any suggestions?

              • NOYB

                That would indicate that the SSH tunnel is not getting established.

                Verify the authentication method (key and/or password) and the user credentials being used.

                Also verify the pfSense machine's address being used is correct.

                Also verify the plink.exe path is correct and that plink is working.

                • NOYB

                  I've been told it is being worked on to handle this within Wireshark.
                  That would be awesome.  Hope it's true and arrives soon.  Stay tuned.

                  SSH Remote Capture TCPdump
                  https://ask.wireshark.org/questions/58696/ssh-remote-capture-tcpdump

                  • NOYB

                    Just installed Wireshark 2.2.3 and it has the SSH remote capture interface.  But it can't establish the SSH connection due to no match for kex algorithms (method).

                    [Attachments: SSH Remote Capture - Settings.jpg, SSH Remote Capture - Error.jpg]

                    • NOYB

                      Experimenting with the new Wireshark SSH remote capture interface.  It's there but not really usable yet.  Some show-stopper bugs that appear to still be being worked out, and some fixes that have not been included in the latest stable release (2.2.3).

                      1. The GUI won't accept an SSH key path.
                      2. Sends options for the remote binary dumpcap when specifying tcpdump.  The -f option has a different meaning for tcpdump.
                      3. No means of specifying options for the remote binary command.
                      4. Captures a few packets and then prematurely stops capturing.
                      5. kex algorithm mismatch between Wireshark SSH client and pfSense SSHd.

                      The default remote binary is dumpcap.  From what I gleaned from bug reports it sounds like dumpcap is preferred over tcpdump due to some security issues with tcpdump being run with full privileges.

                      Unfortunately it does not appear dumpcap has been compiled for FreeBSD.  At least not that I could find.  Would be nice if someone could compile and get it included in the FreeBSD ports/packages or wherever appropriate and included in pfSense build.

                      In the meantime for experimenting I've been using a dumpcap script to translate to tcpdump.

                      
                       #!/bin/sh
                       # Stand-in for dumpcap on pfSense: log what Wireshark's SSH remote
                       # capture passed in (for debugging), then run the equivalent tcpdump.
                       echo $0 >/var/dumpcap.txt
                       echo $1 >>/var/dumpcap.txt
                       echo $2 >>/var/dumpcap.txt
                       echo $3 >>/var/dumpcap.txt
                       echo $4 >>/var/dumpcap.txt
                       echo $5 >>/var/dumpcap.txt
                       echo $6 >>/var/dumpcap.txt
                       echo $7 >>/var/dumpcap.txt
                       
                       # What got logged, i.e. how Wireshark invoked the script:
                       #/var/dumpcap
                       #-i em1 -w - -f not port 22
                       
                       # Commented-out variants:
                       #/usr/sbin/tcpdump -p -n -nn -s 0 -U -w - -i em0 not port 22
                       #/usr/sbin/tcpdump -p -n -nn -s 0 -U -w - $3 $4 $6
                       # $1 $2 = "-i em1", $3 $4 = "-w -", $5 = "-f" (dropped: -f means something
                       # else to tcpdump), $6 = the filter expression as a single argument.
                        /usr/sbin/tcpdump -p -n -nn -s 0 -U $1 $2 $3 $4 $6
                      
                      

                      Once it all gets ironed out this should be much nicer than using the command line to a third-party SSH app and piping to Wireshark.  Basically doing the same thing, just providing a GUI frontend within Wireshark.

                      • Quirinius

                        @flagcc:

                        Modified to my needs of course, and it starts to work, it opens wireshark and asked me if the connection was secure and then nothing comes through into wireshark, it just sits there idle.

                        I have tried promiscuous and non promiscuous modes.

                        Any suggestions?

                        Reason:
                        Connecting using user "root" or "admin" will end up in a CLI menu but no shell.
                        Thus tcpdump cannot start, and you will see nothing.

                        Solution:
                        Start like this:

                        (echo 8) | plink root@pfsense tcpdump -n -s 0 -nn -U -w - -i em0  icmp | wireshark -i - -k
                        

                        "( echo 8 )" will type "8" for you in order to exit from the menu to the shell (at time of writing).

                        After that I assume wireshark is working properly.

                        • bingo600

                          I have toyed a bit with this, and here is a working solution without too much "no..no"

                          
                          ********* Works wo sudo hack on linux **************
                          
                          Only first time (ever) - to make ssh work wo. asking for passwd
                          ssh-keygen
                          ssh-copy-id user@pfsense-fw
                          
                          If sudo is installed on pfsense
                          ----------------------------------
                          remote:~$ mkfifo /tmp/pcap
                          remote:~$ sudo tcpdump -iigb1 -U -s0 -w - 'not port 22' > /tmp/pcap
                          
                          If sudo is not installed on pfsense
                          ------------------------------------
                          ssh to pfsense as root/admin , enter 8 for shell
                          
                          remote:~# mkfifo /tmp/pcap
                          remote:~# tcpdump -iigb1 -U -s0 -w - 'not port 22' > /tmp/pcap
                          
                          and send the data by a separate connection:
                          
                          local:~$ mkfifo /tmp/pcap
                          local:~$ ssh user@pfsense-fw "cat /tmp/pcap" > /tmp/pcap
                          
                          and finally start Wireshark
                          
                          local:~$ sudo wireshark -k -i /tmp/pcap
                          
                          ********************* end ***************
                          
                          

                          I do have this one-liner working, as local root (because Wireshark needs root):

                          
                          local:# ssh user@pfsense-fw sudo tcpdump -iigb1 -U -s0 -w - 'not port 22' | wireshark -k -i -
                          
                          

                          But it requires sudo to be installed on pfsense

                          
                          https://www.cyberciti.biz/faq/how-to-add-delete-grant-sudo-privileges-to-users-on-freebsd-unix-server/
                          
                          install
                          pkg install security/sudo
                          
                          

                          And some "nasty" visudo things that would get a "security officer/revision" to get "red ears"…

                          I could probably lock it down to just work with tcpdump, but for now it's allowing my local user to sudo anything without even asking for a password, provided he's a member of the admin group.

                          Have fun "Sharking"

                          PS:
                          Most of this nasty stuff would probably not be needed if we could get a way to ssh into pfSense as root without hitting the "menu".
                          Or if we could ssh into pfSense with a user that was allowed to run tcpdump on an interface.

                          /Bingo


                          pfSense+ 23.05.1 (ZFS)

                          QOTOM-Q355G4 Quad Lan.
                          CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
                          LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

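A remote-side counterpart, added here as an example and not taken from NOYB's /var/dumpcap script, the Wireshark project or pfSense. It does what NOYB's script does (translate the dumpcap-style arguments Wireshark's SSH remote capture sends into a tcpdump call) and at the same time is the single command a sudo rule needs to grant, which is the lock-down bingo600 says he could do instead of "sudo anything". The path /usr/local/bin/dumpcap-shim, the "capture" account and the log file are hypothetical; the argument forms handled are the ones NOYB's log shows (-i, -w -, -f filter) plus -p and -c, which are my assumption about what other versions may send.

```sh
#!/bin/sh
# /usr/local/bin/dumpcap-shim: runs on the pfSense box as the remote capture
# command. Added example, not code from the thread, the Wireshark project or
# pfSense; the path, the "capture" account and the log file are hypothetical.
#
# 1. Maps the dumpcap-style options Wireshark's SSH remote capture sends
#    (NOYB's log above shows "-i em1 -w - -f not port 22"; -p and -c are
#    assumed possible too) onto tcpdump.
# 2. Is the one command a sudo rule grants, so the capture account never needs
#    a root shell. Granting /usr/sbin/tcpdump itself with wildcard arguments is
#    not a restriction: tcpdump -w writes any file as root and -z runs a
#    command after file rotation. The shim only ever passes a validated
#    interface, a validated filter and "-w -" (stdout).
#
# Sudoers rule (install with visudo), instead of a blanket NOPASSWD: ALL:
#   capture ALL=(root) NOPASSWD: /usr/local/bin/dumpcap-shim

TCPDUMP=/usr/sbin/tcpdump
LOG=/var/log/dumpcap-shim.log

# Interface names: letters, digits and dot (igb1.99); no shell metacharacters.
valid_iface() {
    [ -n "$1" ] && [ -z "$(printf '%s' "$1" | LC_ALL=C tr -d 'A-Za-z0-9._')" ]
}

# BPF filter: letters, digits, space and the punctuation BPF syntax uses.
valid_filter() {
    [ -z "$(printf '%s' "$1" | LC_ALL=C tr -d 'A-Za-z0-9._:/ ()=!<>-')" ]
}

# Translate dumpcap options into a tcpdump argument list, printed on one line.
# Returns 2 when anything unsafe or unrecognisable was requested.
translate_args() {
    iface="" outfile="-" filter="" nopromisc="" count=""
    while [ $# -gt 0 ]; do
        case $1 in
            -i) iface=$2; shift 2 ;;
            -w) outfile=$2; shift 2 ;;
            -p) nopromisc=" -p"; shift ;;
            -c) case $2 in ''|*[!0-9]*) return 2 ;; esac
                count=" -c $2"; shift 2 ;;
            # dumpcap's -f is the capture filter. tcpdump's -f means "print
            # foreign IPv4 addresses numerically", so the flag is dropped and
            # whatever follows it is the filter, whether Wireshark passed it as
            # one argument or as separate words.
            -f) shift; filter="$*"; break ;;
            *)  echo "dumpcap-shim: ignoring option $1" >&2; shift ;;
        esac
    done
    valid_iface "$iface"   || return 2
    valid_filter "$filter" || return 2
    [ "$outfile" = "-" ]   || return 2   # never let root write a file of the caller's choosing
    printf '%s\n' "-n -s 0 -U${nopromisc} -i $iface -w -${count}${filter:+ $filter}"
}

run_capture() {
    args=$(translate_args "$@") || { echo "dumpcap-shim: rejected: $*" >&2; exit 2; }
    echo "$(date) uid=$(id -u) tcpdump $args" >>"$LOG" 2>/dev/null || true
    # -Z drops root once the capture device is open; writing to stdout needs
    # no privilege. The unquoted $args is split into words on purpose.
    exec "$TCPDUMP" -Z nobody $args
}

case "$0" in *dumpcap-shim) run_capture "$@" ;; esac
```

Point Wireshark's SSH remote capture at /usr/local/bin/dumpcap-shim as the remote capture command, or use it from the one-liner form as `ssh capture@pfsense-fw sudo /usr/local/bin/dumpcap-shim -i igb1 -w - -f 'not port 22' | wireshark -k -i -`. Check the sudoers rule with `visudo -c` before relying on it, and keep the capture account out of the admin group so the shim is the only thing it can run as root.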
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.