    Capture All Traffic

    • addicted2code

      Hello all.

      I'm fairly new to pfSense. I obtained my SG-2440 yesterday and I've been having a blast working with it so far. I've managed to set up routing in both my LAN and a VPN connection for certain devices to allow some tunneling but also some local network activity. This forum has been great in helping me figure it out (reading posts, tutorials, etc.) so thank you. My setup is mainly educational, it's my home network and I'm just having fun figuring this out.

      However, I have another item I want to figure out and I can't seem to find instructions on here.  I am probably searching for the wrong terms, so I thought I'd post it and see if anyone could help.

      I want to "sniff" all information on my network that touches the SG-2440.  I am trying to learn a lot about network traffic, but I also would love to see how systems talk on my network.  So my ideal setup would be any traffic to and from my LAN setup on the SG-2440 gets routed to a device that can capture it.  Information I am looking to get would be:

      • Source IP and Port

      • Destination IP and Port

      • Packet Contents

      I'm familiar with Wireshark, so I could use that, but I want to make sure the pfSense configuration pushes all hard-wired packets to the device as well. However, it would be ideal if there was something in pfSense itself that I could look at and filter through.

      Any help would be appreciated.  Thanks!

      • cmb

        If you're not using all 4 ports, you could add a single interface bridge containing LAN as the only member, and add one of the OPT interfaces on the bridge as a span port. That'll duplicate all packets on LAN to the chosen OPT port, then you can plug your capture device in on that OPT port. Interfaces>assign, bridges tab, add it there. No config needed beyond just choosing LAN as the only member, and your port of choice as the span (under advanced).

        • addicted2code

          @cmb:

          If you're not using all 4 ports, you could add a single interface bridge containing LAN as the only member, and add one of the OPT interfaces on the bridge as a span port. That'll duplicate all packets on LAN to the chosen OPT port, then you can plug your capture device in on that OPT port. Interfaces>assign, bridges tab, add it there. No config needed beyond just choosing LAN as the only member, and your port of choice as the span (under advanced).

          Thank you! This is exactly what I was looking for. Out of curiosity, are there any good add-ons for pfSense to do this as a reporting/monitoring tool inside the box? No preference either way for me, just curious.

          • NOYB

            Since your interest appears to be of a self-education nature, you may be interested in exploring this method of remote capturing with Wireshark over SSH.

            https://forum.pfsense.org/index.php?topic=89917.msg497700

            Of course if capturing everything you'd want to exclude the capturing machine address and/or SSH port from the capture.

            This can be pretty handy when a dedicated capture machine is not available to hang off a port mirror, or a port is not available to mirror. So it may be a good thing to stick in your packet capturing knowledge box.

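The remote capture NOYB describes, as an added example that is not part of the original posts or the linked thread: tcpdump runs on the firewall over SSH and streams into a local Wireshark, with a filter that leaves out the capture session's own SSH traffic. The `root` login, the interface name and the script name are assumptions.

```shell
#!/bin/sh
# Added example. root@, igb1 and the addresses in the usage line are assumed placeholders.

# BPF expression that drops the capture session's own SSH traffic, so the
# stream carrying the pcap is not fed back into the capture.
# $1 = capture workstation IP, $2 = SSH port (default 22), $3 = optional extra filter
ssh_exclusion_filter() {
    ws_ip=$1; ssh_port=${2:-22}; extra=${3:-}
    case $ws_ip in
        ''|*[!0-9a-fA-F.:]*) echo "invalid IP: $ws_ip" >&2; return 1 ;;
    esac
    case $ssh_port in
        ''|*[!0-9]*) echo "invalid port: $ssh_port" >&2; return 1 ;;
    esac
    filter="not (host $ws_ip and tcp port $ssh_port)"
    if [ -n "$extra" ]; then
        filter="$filter and ($extra)"
    fi
    printf '%s\n' "$filter"
}

# tcpdump command line to run on the firewall.
# -U flushes per packet, -s 0 keeps full packet contents, -w - writes pcap to stdout.
# The filter is single-quoted for the remote shell, so quotes inside it are refused.
remote_capture_cmd() {
    iface=$1; bpf=$2
    case $iface in
        ''|*[!A-Za-z0-9_.]*) echo "invalid interface: $iface" >&2; return 1 ;;
    esac
    case $bpf in
        *\'*) echo "filter must not contain single quotes" >&2; return 1 ;;
    esac
    printf "tcpdump -i %s -U -s 0 -w - '%s'\n" "$iface" "$bpf"
}

# Usage: sh remote-capture.sh capture <firewall> <iface> <workstation_ip> [ssh_port]
if [ "${1:-}" = "capture" ]; then
    f=$(ssh_exclusion_filter "${4:-}" "${5:-22}") || exit 1
    cmd=$(remote_capture_cmd "${3:-}" "$f") || exit 1
    ssh -p "${5:-22}" "root@${2:?firewall host required}" "$cmd" | wireshark -k -i -
fi
```

Without the exclusion, every pcap byte sent over the SSH session is itself captured and sent again, which inflates the capture and loads the link.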
            • addicted2code

              @NOYB:

              Since your interest appears to be of a self-education nature, you may be interested in exploring this method of remote capturing with Wireshark over SSH.

              https://forum.pfsense.org/index.php?topic=89917.msg497700

              Of course if capturing everything you'd want to exclude the capturing machine address and/or SSH port from the capture.

              This can be pretty handy when a dedicated capture machine is not available to hang off a port mirror, or a port is not available to mirror. So it may be a good thing to stick in your packet capturing knowledge box.

              That's pretty awesome.  Thanks for sharing, a lot to read over on that post that intrigues me so I'll be playing with it.  I appreciate you sharing that.

              • Sergei_Shablovsky @cmb

                @cmb said in Capture All Traffic:

                If you're not using all 4 ports, you could add a single interface bridge containing LAN as the only member, and add one of the OPT interfaces on the bridge as a span port. That'll duplicate all packets on LAN to the chosen OPT port, then you can plug your capture device in on that OPT port. Interfaces>assign, bridges tab, add it there. No config needed beyond just choosing LAN as the only member, and your port of choice as the span (under advanced).

                Thank you for the solution!

                How does this impact CPU load and memory utilization on a whole pfSense appliance for 500M-1G traffic?

                Thank you!

                • stephenw10 Netgate Administrator

                  I'm going to have to ask you to stop resurrecting ancient threads please.

                  If you need to reference an old thread just link to it or quote the relevant text in a new thread.

                  Thanks.

                  Steve
