How to Capture Packets Using pfSense
The Frames Don't Lie!
Packet captures can be extremely useful for troubleshooting network problems. Looking at a capture allows you to see exactly what packets are on the wire, or in some cases which ones are missing.
If users are complaining that the internet is "running slow" you can run a trace to quickly locate high bandwidth users on the network or look for sources of packet loss. Analyzing a capture file can often identify problems that may not be apparent otherwise.
pfSense has several built-in features that allow you to capture packets. These captures can be viewed through the web interface, or they can be downloaded from the system and opened in an analyzer such as Wireshark.
Running a Capture Through the Web GUI
The easiest method of capturing packets on a pfSense system is to use the web interface. The packet capture feature is found in the diagnostics menu.
To start a basic capture select the interface (WAN/LAN) to run the capture on, then click on start. When you are ready to stop the capture just click the stop button.
After the capture is finished two things will happen, a link to download the capture file will appear, and the display window will show the output from the capture.
Explanations of the Options
Below are explanations of all of the different options on the packet capture page. Not all of them will apply to you but some of them are useful for reducing the size of the capture file.
The more filters you can apply to your capture, the easier it will be to find what you're looking for. If I'm not sure exactly what I'm looking for, I capture all the packets and sort through them in Wireshark.
Interface - In most cases I select the LAN interface for the capture so I can see the inside IP addresses. If you are trying to track down traffic originating from outside your network, use the WAN interface instead.
Address Family - Usually I leave this set to "Any". If you don't want to see any IPv6 traffic in your capture you can select IPv4 only.
Host Address - If you are looking for traffic from a particular host or network you can filter the capture. If you're not sure what you are looking for leave this blank.
Port - This field allows you to filter the capture based on source or destination port numbers.
Packet Length - The default of 0 will capture the entire packet. Sometimes it's useful to capture only the first 68 bytes of each packet if you don't need to see the payload.
Count - Sets the number of packets to capture. For example, if you set this to 100, the capture will grab the first 100 packets that match the filter. You still have to press stop, though.
Level of Detail - This setting only affects how much detail is displayed in the capture window after you click stop. If you download the capture file, it will always contain the entire packet unless you specified a maximum packet length.
Reverse DNS Lookup - I usually leave this setting disabled because it makes the capture much slower. Wireshark can also do name resolution if needed.
Loading the Capture in Wireshark
When you run a capture using the web interface you can download the pcap file directly into Wireshark for analysis. Once you have the file loaded in Wireshark you can begin applying various display filters to locate the packets you are looking for.
Running a Manual Capture
Another option for capturing packets is to manually run tcpdump from the shell. Using the manual method gives you more control over the parameters used in the capture.
You can connect to the pfSense shell with any SSH client, but I like to use PuTTY. After you connect to the console, select option 8 to access the shell.
When you run tcpdump you must specify the interface to run the capture on. pfSense lists the interface names when you log into the console; they are usually similar to em0 or rl1.
The interface names are based on the kernel driver that supports the network card. You can run ifconfig to list the interfaces on the system manually.
Sample Tcpdump Commands
tcpdump -i em0 -w capture.pcap
Capture all packets on interface em0 and save them to the file capture.pcap.
tcpdump -i em0 host 192.168.1.1
Capture packets on em0 with a source or destination address of 192.168.1.1. Display the output on the screen.
tcpdump -i rl0 port http or port ftp
Capture any HTTP or FTP traffic on rl0. tcpdump does not accept bare protocol names like http as a filter; the service names must be given with the port keyword, which resolves them to port numbers.
tcpdump -i rl0 icmp
Capture only ICMP traffic on the rl0 interface.
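The GUI options explained above and the manual commands just listed are two faces of the same tcpdump invocation. The following POSIX sh helper is an added example, not code from the article or from pfSense itself; the mapping of each GUI field to a tcpdump flag is my own reconstruction, and the interface names and addresses are illustrative.

```shell
# Added example, not from the original article: build a manual tcpdump command
# from the same choices the pfSense packet capture page offers (interface,
# address family, host, port, packet length, count, reverse DNS). The mapping
# of GUI field to flag is the editor's own; pfSense's page script is not used.
#
# Usage: build_capture_cmd IFACE FAMILY HOST PORT SNAPLEN COUNT RESOLVE
#   FAMILY  any | ipv4 | ipv6     HOST, PORT  empty string = no filter
#   SNAPLEN 0 = whole packet      COUNT       0 = run until stopped
#   RESOLVE yes | no (reverse DNS lookups on displayed addresses)
build_capture_cmd() {
    iface=$1; family=$2; host=$3; port=$4; snaplen=$5; count=$6; resolve=$7
    cmd="tcpdump -i $iface"

    # Reverse DNS disabled: -n stops tcpdump from stalling on name lookups
    if [ "$resolve" != "yes" ]; then
        cmd="$cmd -n"
    fi
    # Count: stop after N matching packets instead of waiting for the stop key
    if [ "$count" -gt 0 ]; then
        cmd="$cmd -c $count"
    fi
    # Packet length: truncate each frame so payload bytes are not written to disk
    if [ "$snaplen" -gt 0 ]; then
        cmd="$cmd -s $snaplen"
    fi

    # Filter expression, combined the way the GUI fields narrow the capture
    filter=""
    case "$family" in
        ipv4) filter="ip" ;;
        ipv6) filter="ip6" ;;
    esac
    if [ -n "$host" ]; then
        filter="${filter:+$filter and }host $host"
    fi
    if [ -n "$port" ]; then
        filter="${filter:+$filter and }port $port"
    fi
    if [ -n "$filter" ]; then
        cmd="$cmd '$filter'"
    fi
    printf '%s\n' "$cmd"
}

# Demonstration: LAN capture of one host, headers only, first 100 packets
build_capture_cmd em0 ipv4 192.168.1.1 "" 68 100 no
```

Add `-w capture.pcap` to the printed command when you want a file to download rather than output on the screen.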
Downloading a Manual Capture File
There are a couple of different methods you can use to download the capture files from pfSense after running a manual capture. I like to download the files from pfSense using a program called WinSCP. WinSCP is a GUI program that runs on Windows and can download files over SSH.
Another option is to download the files using the web interface. On the diagnostics menu there is an "Execute command" page. On this page you'll find a download section that allows you to specify a file on the pfSense file system to download. If you use this method you must specify the full path to the file.
If you run tcpdump without changing directories the files will be created in /root by default.
© 2011 Sam Kear