Capture All Traffic

addicted2code

Hello all.

I'm fairly new to pfSense.  I obtained my SG-2440 yesterday and I've been having a blast working with it so far.  I've managed to setup routing in both my LAN and a VPN connection for certain devices to allow some tunneling but also some local network activity.  This forum has been great in helping me figure it out (reading posts, tutorials, etc..) so thank you.  My setup is mainly educational, it's my home network and I'm just having fun figuring this out.

However, I have another item I want to figure out and I can't seem to find instructions on here.  I am probably searching for the wrong terms, so I thought I'd post it and see if anyone could help.

I want to "sniff" all information on my network that touches the SG-2440.  I am trying to learn a lot about network traffic, but I also would love to see how systems talk on my network.  So my ideal setup would be any traffic to and from my LAN setup on the SG-2440 gets routed to a device that can capture it.  Information I am looking to get would be:

• Source IP and Port

• Destination IP and Port

• Packet Contents

I'm familiar with WireShark, so I could use that, but I want to make sure the pfSense configuration pushes all hard-wired packets to the device as well.  However it would be ideal if there was something in pfSense itself that I could look at and filter through.

Any help would be appreciated.  Thanks!

cmb

If you're not using all 4 ports, you could add a single interface bridge containing LAN as the only member, and add one of the OPT interfaces on the bridge as a span port. That'll duplicate all packets on LAN to the chosen OPT port, then you can plug your capture device in on that OPT port. Interfaces>assign, bridges tab, add it there. No config needed beyond just choosing LAN as the only member, and your port of choice as the span (under advanced).

addicted2code

@cmb:

If you're not using all 4 ports, you could add a single interface bridge containing LAN as the only member, and add one of the OPT interfaces on the bridge as a span port. That'll duplicate all packets on LAN to the chosen OPT port, then you can plug your capture device in on that OPT port. Interfaces>assign, bridges tab, add it there. No config needed beyond just choosing LAN as the only member, and your port of choice as the span (under advanced).

Thank you!  This is exactly what I was looking for.  Out of curiosity, is there any good add-ons for pfSense to do this as a reporting/monitoring tool inside the box?  No preference either way for me, just curious.

NOYB

Since your interest appears to be of a self education nature.  You may be interested in exploring this method of remote capturing with Wireshark over SSH.

https://forum.pfsense.org/index.php?topic=89917.msg497700

Of course if capturing everything you'd want to exclude the capturing machine address and/or SSH port from the capture.

This can be pretty handy when a dedicated capture machine is not available to hang off a port mirror.  Or a port is not available to mirror.  So may be a good thing to stick in your packet capturing knowlegebox.

addicted2code

@NOYB:

Since your interest appears to be of a self education nature.  You may be interested in exploring this method of remote capturing with Wireshark over SSH.

https://forum.pfsense.org/index.php?topic=89917.msg497700

Of course if capturing everything you'd want to exclude the capturing machine address and/or SSH port from the capture.

This can be pretty handy when a dedicated capture machine is not available to hang off a port mirror.  Or a port is not available to mirror.  So may be a good thing to stick in your packet capturing knowlegebox.

That's pretty awesome.  Thanks for sharing, a lot to read over on that post that intrigues me so I'll be playing with it.  I appreciate you sharing that.

Sergei_Shablovsky

@cmb said in Capture All Traffic:

If you're not using all 4 ports, you could add a single interface bridge containing LAN as the only member, and add one of the OPT interfaces on the bridge as a span port. That'll duplicate all packets on LAN to the chosen OPT port, then you can plug your capture device in on that OPT port. Interfaces>assign, bridges tab, add it there. No config needed beyond just choosing LAN as the only member, and your port of choice as the span (under advanced).

Thank a You for solution!

How this impact on a CPU loading, memory utilization on a whole pfSense appliance for 500M-1G traffic ?

Thank You!

stephenw10

I going to have to ask you to stop resurrecting ancient threads please.

If you need to reference an old thread just link to it or quote the relevant text in a new thread.

Thanks.

Steve