How to Run Wireshark on pfSense Using X11 Forwarding Over SSH

Updated on January 15, 2018

Sam works as a Network Analyst for an algorithmic trading firm. He obtained his bachelor's degree in Information Technology from UMKC.

Wireshark is a very useful tool for troubleshooting and analyzing network traffic. Wireshark can capture packets and decode the protocols into a nice graphical representation.

pfSense has a built-in packet capture function, but this feature requires the capture file to be downloaded to another computer before it can be viewed with an analyzer.

A better alternative is to run Wireshark directly on pfSense. By running the program on a live pfSense system you can capture traffic and view it in real time. Being able to watch traffic on the network in real time makes troubleshooting problems much easier.

By running Wireshark over an SSH session you can analyze packets from a remote location without having to even be on the same network as the pfSense router.

Wireshark running on pfSense remotely via an SSH session.


If you plan to do this installation on a production router or firewall you should make sure to do it during a maintenance window. During an installation like this it's always possible that you will see a brief interruption in network traffic while services restart and rules are reloaded.

Installing Wireshark on pfSense isn't officially supported but one of the benefits of an open system is the ability to add additional features.

I've tested this procedure on pfSense 2.0.1.

Installing the Required Packages

To get started there are two packages that must be installed: Xauth and Wireshark. The Xauth package handles the authentication of X sessions and is necessary for X11 forwarding. You'll also need the Wireshark package itself.

Neither of these packages is currently in the pfSense package management system, so they will need to be installed using the command line.

I recommend running the install commands from an SSH session but you can also use the command prompt feature in the web interface. Each of the commands below can be copied and pasted into the SSH session.

These commands will use the pkg_add utility to download the packages directly from the FreeBSD repositories.

The package will take a few minutes to install since it has several dependencies.

Xauth Installation

pkg_add -rv

Wireshark Installation

pkg_add -rv

SSH Daemon Configuration

By default the SSH service on pfSense is not enabled for X11 forwarding. To enable session forwarding the /etc/sshd file must be modified.

The easiest way to change the file is to use the built-in file editor in the web GUI. The editor can be accessed by clicking on 'Edit File' in the diagnostics menu.

You can also edit the file using vi through an SSH session but I think it's much easier to use the web page.

Click the browse button and then navigate to the /etc directory and select the file called sshd.

Locate the line below and change the no to a yes. This line can be found in the section titled "Include default configuration for pfSense".

$sshconf .= "X11Forwarding no\n";

After making the changes it should look like the line below. Click the save button after the line has been edited.

$sshconf .= "X11Forwarding yes\n";

In order for the changes to take effect you will need to reboot the pfSense system.

The /etc/sshd file must be edited to enable X11 forwarding.

Setting Environmental Variables

For an application to run on a remote X server the display variable must be defined. This can be done using the setenv command below.

setenv DISPLAY localhost:10

The variable will need to be defined each time a user logs into the system.

Instead of constantly resetting the variable you can add an entry to the .tcshrc file located in the /root directory.

Then each time you log in as root the display variable will be automatically set up.

The easiest way to modify this file is to use the file editor in the web interface as shown below.

Editing the .tcshrc File

Edit the /root/.tcshrc file to set the display variable automatically when the root user logs in.

Installing Xming

In order to run X based applications on a Windows computer you must install an X server. Xming is a very popular and easy to use X server that runs on 32 or 64 bit versions of Windows.

Xming version 6.9 is available for free as a public release. To download newer releases you must have a donor account which can be obtained by making a small donation to the project.

To set up Xming, download and run the installation package.

The Xming installation is very simple and straightforward. If you don't have the Putty SSH client installed Xming can install it for you. You'll need Putty for the next step in this guide so you may as well let Xming install it for you.

All of the other options in the installer can be left on the default settings.

The Xming installer can automatically install the Putty SSH client if needed.

Starting Xming

After Xming is installed go ahead and start the application. When the program is running you should see the Xming icon in the system tray.

As long as the icon is visible the Xming server is running and ready to accept connections.

When Xming is running the icon will appear in the system tray.

Configuring the SSH Client

The final step is to configure the SSH client for X11 forwarding. I'm going to show you how to set up the Putty client. Putty is a very popular and lightweight SSH client that I highly recommend using.

Putty can be installed as an option with the Xming installer, or you can download it from the author's website. All you really need is the putty.exe file but there is also an installer available.

  1. Once you open Putty expand the connection settings, then expand SSH.
  2. Click on X11 to access the session forwarding settings.
  3. Check the box 'Enable X11 forwarding'.
  4. In the display location box enter 'localhost:0' as shown below.

X11 forwarding must be enabled in the Putty settings.

Saving The Settings as Defaults

In order for X11 forwarding to be enabled each time you open Putty follow the steps below. Otherwise you will need to re-enter the settings each time the program is opened.
  1. Click on 'Session' to go back to the main screen.
  2. Click on 'Default Settings' to highlight the entry.
  3. Click save to store the changes.

Next time you open Putty the X11 settings will already be in place.

To make the settings the default click on 'Default Settings', then click save.

Starting the SSH Session

Once Putty is configured you can proceed to log into pfSense via SSH.

If you plan to connect using the WAN IP address make sure you have a firewall rule permitting SSH traffic (TCP port 22) to the WAN interface.

  1. To start the session type in the IP address of the router or host name in the top box of Putty.
  2. Make sure the connection type is set to SSH.
  3. Click the open button to start the session.
  4. Log in with the username root. The password will be the same admin password you use to log into the web GUI.

After logging in you will see the welcome menu. Select option number 8 to start the shell.

After logging into pfSense using SSH the welcome menu will be displayed.

Launching Wireshark

There are a couple of different methods to launch Wireshark from the shell. Simply typing wireshark will launch the application but this method will keep the shell busy until you close the application.

You can also type 'wireshark &' which will detach the sniffer from the shell and allow you to use the terminal for running other commands.

The SSH session must remain open while the program is running. If the session is closed, the program will end.

Using Wireshark

When you first launch the analyzer you will see a message that running as root could be dangerous. Click OK to continue.

Since the analyzer is running directly on pfSense you can now capture packets in real time from any interface on the system.

Capture files can be saved, but they will be stored on pfSense. You can copy them to another computer using SCP.

If you're not familiar with Wireshark there are several great resources on the web such as the beginners guide to Wireshark.


You receive the error "Gtk-WARNING **: cannot open display: localhost:10"

If you get this error make sure that Xming is running. If the message says "cannot open display" but it's not followed by "localhost:10" then make sure that X11 forwarding is enabled from within Putty.

Check to see if the display variable is set

A quick way to make sure the display variable has been set is to run the command 'echo $DISPLAY'. If you see a message that says the variable has not been defined then make sure the changes were applied to the /root/.tcshrc file.

Putty is unable to connect

If you're not able to establish an SSH connection make sure that the secure shell server is enabled. The server setting can be found in the advanced configuration page which is found on the system menu. The setting for SSH is on the first tab which is called admin access.

After editing the /root/.tcshrc file you must close your SSH session and log in again since the file is only executed when a user logs in.
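
The checks from the SSH daemon and troubleshooting sections can be scripted. The following is an added example, not part of the original article: it reads an sshd_config-style file for the X11Forwarding value and maps a DISPLAY value to the TCP port behind it (localhost:10 is port 6010). The function names and the sample file are made up for the example, and the path of the configuration that /etc/sshd generates (for instance /etc/ssh/sshd_config) is an assumption you pass in as an argument.

```shell
#!/bin/sh
# Added example (not from the article): checks for the X11 forwarding setup.
# Function names and the sample file are constructed for illustration.

# Print the X11Forwarding value sshd would use from an sshd_config-style file.
# sshd keeps the first occurrence of a keyword; unset means "no".
# Match blocks are not interpreted here.
x11_forwarding_setting() {
    awk 'tolower($1) == "x11forwarding" { print $2; found = 1; exit }
         END { if (!found) print "no" }' "$1"
}

# Map a DISPLAY value ("localhost:10", "localhost:10.0", ":0") to the TCP
# port an X client connects to: 6000 + display number.
display_to_port() {
    case "$1" in
        *:*) ;;
        *) return 1 ;;
    esac
    num=${1##*:}      # drop the host part   -> "10" or "10.0"
    num=${num%%.*}    # drop the screen part -> "10"
    case "$num" in
        ''|*[!0-9]*) return 1 ;;
    esac
    echo $((6000 + num))
}

# Usage: diagnose <sshd_config path> <DISPLAY value>
# Returns 0 when the setup is consistent, 1-3 for the first problem found.
diagnose() {
    if [ "$(x11_forwarding_setting "$1")" != "yes" ]; then
        echo "sshd: X11Forwarding is not 'yes' in $1"; return 1
    fi
    if [ -z "$2" ]; then
        echo "DISPLAY is not set; check /root/.tcshrc and log in again"; return 2
    fi
    port=$(display_to_port "$2") || { echo "DISPLAY '$2' is malformed"; return 3; }
    echo "ok: DISPLAY $2 -> sshd should be listening on loopback port $port"
}

# Constructed sample input: what the edited /etc/sshd would generate.
sample=$(mktemp)
printf 'Port 22\nX11Forwarding yes\n' > "$sample"
diagnose "$sample" "localhost:10"
rm -f "$sample"
```

sshd assigns forwarded displays starting at 10 and gives a second concurrent session the next free number, so a hard-coded localhost:10 only matches the first forwarded session.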


© 2012 Sam Kear


    • Joe Poniatowskis

      8 weeks ago from Mid-Michigan

      This is a great overview. You just don't see this much detail and information in most technical articles these days.

    • Sam Kear (author)

      6 years ago from Kansas City

      @Jacob - Which version of pfSense are you running?

    • Jacob Egan

      6 years ago

      This does not work - missing steps for libkrb5.s0.10 files

