How to Run Wireshark on pfSense Using X11 Forwarding Over SSH
Wireshark is a very useful tool for troubleshooting and analyzing network traffic. It can capture packets and decode the protocols into a clear graphical representation.
pfSense has a built-in packet capture function, but the capture file must be downloaded to another computer before it can be viewed with an analyzer.
A better alternative is to run Wireshark directly on pfSense. By running the program on a live pfSense system you can capture traffic and view it in real time. Being able to watch traffic on the network in real time makes troubleshooting problems much easier.
By running Wireshark over an SSH session you can analyze packets from a remote location without even having to be on the same network as the pfSense router.
If you plan to do this installation on a production router or firewall you should make sure to do it during a maintenance window. During an installation like this it's always possible that you will see a brief interruption in network traffic while services restart and rules are reloaded.
Installing Wireshark on pfSense isn't officially supported, but one of the benefits of an open system is the ability to add features of your own.
I've tested this procedure on pfSense 2.0.1.
Installing the Required Packages
To get started, two packages must be installed: Xauth and Wireshark. The Xauth package handles the authentication of X sessions and is required for X11 forwarding. You'll also need the Wireshark package itself.
Neither of these packages is currently in the pfSense package management system, so they will need to be installed from the command line.
I recommend running the install commands from an SSH session but you can also use the command prompt feature in the web interface. Each of the commands below can be copied and pasted into the SSH session.
These commands use the pkg_add utility to download the packages directly from the FreeBSD package repositories.
The Wireshark package will take a few minutes to install since it has several dependencies.
pkg_add -rv ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.2-release/Latest/xauth.tbz
pkg_add -rv ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.2-release/Latest/wireshark.tbz
SSH Daemon Configuration
By default the SSH service on pfSense does not allow X11 forwarding. To enable it, the /etc/sshd file must be modified.
The easiest way to change the file is to use the built-in file editor in the web GUI. The editor can be accessed by clicking on 'Edit File' in the Diagnostics menu.
You can also edit the file using vi through an SSH session but I think it's much easier to use the web page.
Click the browse button and then navigate to the /etc directory and select the file called sshd.
Locate the line below and change the "no" to "yes". This line can be found in the section titled "Include default configuration for pfSense".
$sshconf .= "X11Forwarding no\n";
After making the change it should look like the line below. Click the save button once the line has been edited.
$sshconf .= "X11Forwarding yes\n";
In order for the changes to take effect you will need to reboot the pfSense system.
Setting Environmental Variables
For an application to display on a remote X server, the DISPLAY variable must be defined. This can be done using the setenv command below.
setenv DISPLAY localhost:10
The variable will need to be defined each time a user logs into the system.
Instead of constantly resetting the variable you can add an entry to the .tcshrc file located in the /root directory.
Then each time you log in as root the DISPLAY variable will be set automatically.
The easiest way to modify this file is to use the file editor in the web interface as shown below.
Editing the .tcshrc File
In order to run X-based applications on a Windows computer you must install an X server. Xming is a very popular and easy-to-use X server that runs on 32- or 64-bit versions of Windows.
Xming version 6.9 is available for free as a public release. To download newer releases you must have a donor account which can be obtained by making a small donation to the project.
To set up Xming, download and run the installation package.
The Xming installation is very simple and straightforward. If you don't have the Putty SSH client installed, Xming can install it for you. You'll need Putty for the next step in this guide, so you may as well let Xming install it.
All of the other options in the installer can be left on the default settings.
After Xming is installed go ahead and start the application. When the program is running you should see the Xming icon in the system tray.
As long as the icon is visible the Xming server is running and ready to accept connections.
Configuring the SSH Client
The final step is to configure the SSH client for X11 forwarding. I'm going to show you how to set up the Putty client. Putty is a very popular and lightweight SSH client that I highly recommend using.
Putty can be installed as an option with the Xming installer, or you can download it from the author's website. All you really need is the putty.exe file but there is also an installer available.
- Once you open Putty expand the connection settings, then expand SSH.
- Click on X11 to access the session forwarding settings.
- Check the box 'Enable X11 forwarding'.
- In the X display location box enter 'localhost:0' as shown below.
Saving The Settings as Defaults
- Click on 'Session' to go back to the main screen.
- Click on 'Default Settings' to highlight the entry.
- Click save to store the changes.
The next time you open Putty the X11 settings will already be in place.
Starting the SSH Session
Once Putty is configured you can proceed to log into pfSense via SSH.
If you plan to connect using the WAN IP address make sure you have a firewall rule permitting SSH traffic (TCP port 22) to the WAN interface.
- To start the session, type the IP address or host name of the router in the top box of Putty.
- Make sure the connection type is set to SSH.
- Click the open button to start the session.
- Log in with the username root; the password is the same admin password you use to log into the web GUI.
After logging in you will see the welcome menu. Select option number 8 to start the shell.
There are a couple of different methods to launch Wireshark from the shell. Simply typing wireshark will launch the application, but this method will keep the shell busy until you close the application.
You can also type 'wireshark &', which detaches the sniffer from the shell and allows you to use the terminal for running other commands.
The SSH session must remain open while the program is running; if the session is closed the program will end.
When you first launch the analyzer you will see a message that running as root could be dangerous; click OK to continue.
Since the analyzer is running directly on pfSense you can now capture packets in real time from any interface on the system.
Capture files can be saved, but they will be stored on pfSense; you can copy them to another computer using SCP.
If you're not familiar with Wireshark there are several great resources on the web such as the beginners guide to Wireshark.
You receive the error "Gtk-WARNING **: cannot open display: localhost:10"
If you get this error, make sure that Xming is running. If the message says "cannot open display" but is not followed by "localhost:10", then make sure that X11 forwarding is enabled in Putty.
Check to see if the display variable is set
A quick way to make sure the DISPLAY variable has been set is to run the command 'echo $DISPLAY'. If you see a message that says the variable has not been defined, make sure the changes were applied to the /root/.tcshrc file.
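The three things the troubleshooting steps above check by hand (the X11Forwarding line in /etc/sshd, the DISPLAY value that the .tcshrc entry sets, and the presence of the xauth and wireshark packages) can be checked in one go. The script below is an added example written for this article, not code from the original post or from pfSense; it assumes the /etc/sshd layout described above, sshd's default X11DisplayOffset of 10, and a file name of x11_preflight.sh. The sample /etc/sshd excerpt at the bottom is constructed for offline use.

```shell
#!/bin/sh
# Added example, not part of the original article: pre-flight checks for
# Wireshark over X11 forwarding on pfSense. The parsing helpers take their
# input as arguments so they can be exercised offline; preflight() applies
# them to the live system. Assumes the file layout the article describes
# (/etc/sshd holding the X11Forwarding line) and sshd's default
# X11DisplayOffset of 10.

# Return 0 if the given config text enables X11Forwarding. Accepts both the
# PHP form pfSense uses in /etc/sshd ($sshconf .= "X11Forwarding yes\n";)
# and a plain sshd_config line. Lines commented with # or // are ignored and,
# like sshd, the first remaining X11Forwarding line decides.
x11_forwarding_enabled() {
    value=$(printf '%s\n' "$1" | awk '
        /^[ \t]*(#|\/\/)/ { next }
        {
            l = tolower($0)
            if (match(l, /x11forwarding[ \t]+(yes|no)/)) {
                v = substr(l, RSTART, RLENGTH)
                sub(/x11forwarding[ \t]+/, "", v)
                print v
                exit
            }
        }')
    [ "$value" = "yes" ]
}

# Return 0 if DISPLAY names a display that sshd forwards: host "localhost"
# or empty, display number 10 or higher, optional ".screen" suffix.
# Rejects the common mistake of copying PuTTY's own "localhost:0" setting
# onto the pfSense side; :0 would be a local X server, which pfSense lacks.
display_looks_forwarded() {
    case "$1" in
        localhost:*|:*) ;;
        *) return 1 ;;
    esac
    num=${1#*:}      # drop "host:"
    num=${num%%.*}   # drop ".screen"
    case "$num" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$num" -ge 10 ]
}

# Live checks to run in the pfSense shell before typing "wireshark &".
# Prints one line per check and returns non-zero if any check fails.
preflight() {
    rc=0
    for tool in xauth wireshark; do
        if command -v "$tool" >/dev/null 2>&1; then
            echo "ok   $tool is installed"
        else
            echo "FAIL $tool not found; install it with pkg_add"; rc=1
        fi
    done
    if [ -r /etc/sshd ] && x11_forwarding_enabled "$(cat /etc/sshd)"; then
        echo "ok   X11Forwarding yes in /etc/sshd"
    else
        echo "FAIL X11Forwarding is not set to yes in /etc/sshd"; rc=1
    fi
    if display_looks_forwarded "${DISPLAY:-}"; then
        echo "ok   DISPLAY=$DISPLAY"
    else
        echo "FAIL DISPLAY is '${DISPLAY:-unset}'; expected localhost:10 or higher"; rc=1
    fi
    return $rc
}

# Constructed excerpt of a pfSense /etc/sshd file, used for offline testing.
SAMPLE_PFSENSE_SSHD='// constructed sample, not a real pfSense file
$sshconf .= "X11Forwarding yes\n";
$sshconf .= "ClientAliveInterval 30\n";'

# Run the live checks only when invoked as: sh x11_preflight.sh run
case "${1:-}" in
    run) preflight ;;
esac
```

Run it from the shell (option 8 of the console menu) with 'sh x11_preflight.sh run' before launching Wireshark; each FAIL line points at the matching fix in the sections above. One caveat on the DISPLAY check: when X11 forwarding is enabled in Putty and allowed by sshd, sshd already exports a DISPLAY for the session, and the number is only 10 for the first forwarded session on the box. A fixed 'setenv DISPLAY localhost:10' in .tcshrc overwrites that value; guarding it with 'if (! $?DISPLAY) setenv DISPLAY localhost:10' keeps the value sshd supplied and only falls back to the article's default when none is set.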
Putty is unable to connect
If you're not able to establish an SSH connection, make sure that the secure shell server is enabled. The server setting can be found on the Advanced configuration page under the System menu. The setting for SSH is on the first tab, called Admin Access.
After editing the /root/.tcshrc file you must close your SSH session and log in again, since the file is only executed when a user logs in.
© 2012 Sam Kear