How to Capture Packets Using pfSense

Updated on November 7, 2016

Sam works as a Network Analyst for an algorithmic trading firm. He obtained his Bachelor's degree in Information Technology from UMKC.

The Frames Don't Lie!

Packet captures can be extremely useful for troubleshooting network problems. Looking at a capture allows you to see exactly what packets are on the wire, or in some cases which ones are missing.

If users are complaining that the internet is "running slow" you can run a trace to quickly locate high bandwidth users on the network or look for sources of packet loss. Analyzing a capture file can often identify problems that may not be apparent otherwise.

pfSense has several built-in features that allow you to capture packets. These captures can be viewed through the web interface, or they can be downloaded from the system and viewed using an analyzer such as Wireshark.

Running a Capture Through the Web GUI

The easiest method of capturing packets on a pfSense system is to use the web interface. The packet capture feature is found in the diagnostics menu.

To start a basic capture select the interface (WAN/LAN) to run the capture on, then click on start. When you are ready to stop the capture just click the stop button.

After the capture is finished two things will happen: a link to download the capture file will appear, and the display window will show the output from the capture.

Packets can be captured on pfSense through the web interface.

Explanations of the Options

Below are explanations of all of the different options on the packet capture page. Not all of them will apply to you but some of them are useful for reducing the size of the capture file.

The more filters you can apply to your capture the easier it will be to find what you're looking for. If I'm not sure what exactly I'm looking for then I capture all the packets and sort through them in Wireshark.

Interface - In most cases I select the LAN interface for the capture so I can see the internal IP addresses. If you are trying to track down traffic originating from outside your network, use the WAN interface instead.

Address Family - Usually I leave this set to "Any". If you don't want to see any IPv6 traffic in your capture you can select IPv4 only.

Host Address - If you are looking for traffic from a particular host or network you can filter the capture. If you're not sure what you are looking for leave this blank.

Port - This field allows you to filter the capture based on source or destination port numbers.

Packet Length - The default of 0 will capture the entire packet. Sometimes it's useful to capture only the first 68 bytes of each packet if you don't need to see the payload.

Count - Sets the number of packets to capture. For example if you set this to 100 the capture will grab the first 100 packets that match the filter. You still have to press stop though.

Level of Detail - This setting only affects how much detail is displayed in the capture window after you click stop. If you download the capture file it will always contain the entire packet unless you specified a maximum packet length.

Reverse DNS Lookup - I usually leave this setting disabled because it makes the capture much slower. Wireshark can also do name resolution if needed.

Loading the Capture in Wireshark

When you run a capture using the web interface you can download the pcap file directly into Wireshark for analysis. Once you have the file loaded in Wireshark you can begin applying various display filters to locate the packets you are looking for.

Wireshark is a great way to analyze a packet capture.

Running a Manual Capture

Another option for capturing packets is to manually run tcpdump from the shell. Using the manual method gives you more control over the parameters used in the capture.

You can connect to the pfSense shell with any SSH client, but I like to use PuTTY. After you connect to the console, select option 8 to access the shell.

When you run tcpdump you must specify the interface to run the capture on. pfSense lists the interface names when you log into the console; usually they look like em0 or rl1.

The names of the interfaces are based on the kernel driver that supports the network card. You can run ifconfig to manually list the interfaces on the system.

The pfSense console menu.

Sample Tcpdump Commands

tcpdump -i em0 -w capture.pcap
    Capture all packets on interface em0 and save them to the file capture.pcap.

tcpdump -i em0 host 192.168.1.1
    Capture packets on em0 with a source or destination address of 192.168.1.1 and display the output on the screen.

tcpdump -i rl0 port http or port ftp
    Capture any HTTP or FTP traffic on rl0. (The service names must be qualified with "port"; tcpdump resolves them through /etc/services, so "http" alone is a syntax error.)

tcpdump -i rl0 icmp
    Capture only ICMP traffic on the rl0 interface.
Tcpdump running in the pfSense shell.
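The options on the web interface's packet capture page and the manual tcpdump commands above are two ways of expressing the same thing. As an added example (not code from the article or from the pfSense project), the POSIX shell function below maps each field of the capture page onto the tcpdump switch or filter primitive it corresponds to, so you can reproduce a GUI capture from the shell with extra control. The interface name em0, the address 192.168.1.1, port 80 and the file name /root/web.pcap in the demonstration calls are constructed values.

```shell
#!/bin/sh
# Added example, not code from the article or from the pfSense project: build the
# tcpdump command line that matches the options on the Diagnostics > Packet Capture
# page, so a capture started from the shell behaves like one started from the GUI.
#
# Arguments (each mirrors a field on the capture page):
#   1 interface  e.g. em0           (Interface)
#   2 family     any | ipv4 | ipv6  (Address Family)
#   3 host       IP address or ""   (Host Address)
#   4 port       port number or ""  (Port)
#   5 length     0 = whole packet   (Packet Length, tcpdump -s)
#   6 count      0 = until stopped  (Count, tcpdump -c)
#   7 outfile    file name or ""    ("" = decode to the screen instead of -w)
build_capture_cmd() {
    iface=$1
    family=$2
    host=$3
    port=$4
    length=${5:-0}
    count=${6:-0}
    outfile=$7

    # -n skips reverse DNS lookups, the equivalent of leaving that option disabled.
    cmd="tcpdump -n -i $iface"
    if [ "$length" -gt 0 ]; then cmd="$cmd -s $length"; fi
    if [ "$count" -gt 0 ]; then cmd="$cmd -c $count"; fi
    if [ -n "$outfile" ]; then cmd="$cmd -w $outfile"; fi

    # The remaining fields become a BPF filter expression joined with "and".
    filter=""
    case $family in
        ipv4) filter="ip" ;;
        ipv6) filter="ip6" ;;
    esac
    if [ -n "$host" ]; then filter="${filter:+$filter and }host $host"; fi
    if [ -n "$port" ]; then filter="${filter:+$filter and }port $port"; fi
    if [ -n "$filter" ]; then cmd="$cmd $filter"; fi

    printf '%s\n' "$cmd"
}

# Demonstration with constructed values: first the capture page defaults on em0,
# then a narrowed capture of the first 100 IPv4 packets to or from 192.168.1.1 on
# port 80, 68 bytes each, written to /root/web.pcap.
build_capture_cmd em0 any "" "" 0 0 ""
build_capture_cmd em0 ipv4 192.168.1.1 80 68 100 /root/web.pcap
```

One difference from the web interface: when -c is given, tcpdump exits on its own once the count is reached, whereas the GUI capture still has to be stopped with the button. Copy the printed command into the shell on the firewall to run it; the filter applies whether the packets go to the screen or, with -w, to a file.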

Downloading a Manual Capture File

There are a couple of different methods you can use to download the capture files from pfSense after running a manual capture. I like to download the files from pfSense using a program called WinSCP. WinSCP is a GUI program that runs on Windows and can download files over SSH.

Another option is to download the files using the web interface. On the diagnostics menu there is an "Execute command" page. On this page you'll find a download section that allows you to specify a file on the pfSense file system to download. If you use this method you must specify the full path to the file.

If you run tcpdump without changing directories the files will be created in /root by default.
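Because the download section needs a full path, it is easy to pull down the wrong thing (a missing file, an error page) or to cut a transfer short. As an added example (not code from the article or from the pfSense project), the shell functions below check a downloaded capture by reading the 4-byte magic number that libpcap, and therefore tcpdump -w, writes at the start of every capture file, before you spend time opening it in Wireshark. The two sample files it builds (an empty little-endian pcap header and an HTML page standing in for a bad download) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the article or from the pfSense project: verify
# that a file fetched from /root on the firewall really is a capture file.

# Print the first four bytes of a file as lowercase hex, in on-disk byte order.
file_magic() {
    od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# Return 0 if the file starts with a known pcap or pcapng magic number, 1 otherwise.
is_capture_file() {
    case $(file_magic "$1") in
        d4c3b2a1|a1b2c3d4) return 0 ;;   # classic pcap, microsecond timestamps (LE / BE)
        4d3cb2a1|a1b23c4d) return 0 ;;   # classic pcap, nanosecond timestamps (LE / BE)
        0a0d0d0a)          return 0 ;;   # pcapng section header block
        *)                 return 1 ;;
    esac
}

# Constructed sample: a 24-byte little-endian pcap global header with no packets
# (magic d4c3b2a1, version 2.4, zone 0, sigfigs 0, snaplen 65535, linktype 1 = Ethernet).
make_sample_pcap() {
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$1"
}

# Constructed sample of a bad download: an HTML page instead of a capture.
make_sample_html() {
    printf '<html><body>Not found</body></html>\n' > "$1"
}

# Demonstration: build both samples in the temp directory and report on each.
demo_dir=${TMPDIR:-/tmp}
make_sample_pcap "$demo_dir/sample_capture.pcap"
make_sample_html "$demo_dir/sample_download.html"
for f in "$demo_dir/sample_capture.pcap" "$demo_dir/sample_download.html"; do
    if is_capture_file "$f"; then
        printf '%s: capture file (magic %s)\n' "$f" "$(file_magic "$f")"
    else
        printf '%s: NOT a capture file (magic %s)\n' "$f" "$(file_magic "$f")"
    fi
done
rm -f "$demo_dir/sample_capture.pcap" "$demo_dir/sample_download.html"
```

Run it against the file you downloaded (is_capture_file /path/to/capture.pcap) and treat a failure as a wrong path or a truncated transfer rather than a Wireshark problem.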

You can download files from pfSense using the web interface.

© 2011 Sam Kear

Comments

Sam Kear (author), 6 years ago from Kansas City:
Thanks Dumbledore! Excellent idea for another hub as well.

This Old Guy (Dumbledore), 6 years ago from Somewhere in Ohio:
This is extremely useful information on how to capture packets. You might like to add another hub explaining how to interpret the traces.

Sam Kear (author), 6 years ago from Kansas City:
Hey tamron, thanks for the feedback!

tamron, 6 years ago:
Wow, great article with lots of useful info. Vote up! Ping ya!
