Using Wireshark with pfSense¶
Wireshark, formerly known as Ethereal, is a GUI protocol analysis and packet
capture tool that can be used to view and capture traffic much like
It is Open Source software, freely available at http://www.wireshark.org/. It
can also be used to analyze capture files generated by the pfSense WebGUI,
tcpdump, Wireshark, or any other software that writes files in the standard
pcap file format.
Viewing Packet Capture File¶
To view a capture file in Wireshark, start the program and then go to File >
Open. Locate the capture file, and then click the Open button. A file with
.pcap extension can also be opened by double clicking on it in Windows, OS
X, and many Linux distributions with default settings after the Wireshark
installation. A screen similar to Figure Wireshark Capture View
will be shown in which the data from the capture file is displayed.
As seen in Figure Wireshark Capture View, a list summarizing the packets in the capture file will be shown in the top list, with one packet per line. If there are too many, the results can be filtered using the Filter box on the toolbar. When a packet is clicked, the lower frames will show the details of what is contained within the packet payload. The first lower pane shows a break-down of the packet’s structure, and each of these items can be expanded for more detail. If the packet is of a supported protocol, in some cases it can interpret the data and show even more details. The bottom pane shows a hexadecimal and ASCII representation of the data contained in the packet.
Viewing the capture this way, it is easy to see the flow of traffic with as much or as little detail as needed.
Wireshark Analysis Tools¶
While some problems will require considerable knowledge of how the underlying protocols function, the analysis tools built into Wireshark helps lessen that need for many protocols. Under the Analyze and Statistics menus, a few options are present that automate some of the analysis and provide summarized views of what is contained in the capture. The Expert Info options under the Analyze menu show a list of Errors, Warnings, Notes and network conversations contained in the capture.
Errors may be seen in Wireshark for incorrect checksums. This is because most NICs add the checksum in hardware directly before putting it on the wire. This is the only exception to the earlier note saying what is shown in a packet capture is what is on the wire. Traffic sent out from the system where the capture is taken will have incorrect checksums where they are performed in hardware, though traffic coming in from a remote system should always have correct checksums. Checksum offloading can be turned off to ensure traffic is shown exactly as the host is putting it on the wire, though usually this is something to be ignored. To verify checksums, capture traffic from another system using a network tap or switch span port. Span ports can also be setup on bridges in pfSense, see Span Port for more information.
The Telephony menu is one example of automated analysis Wireshark can perform to make it easy to see problems with VoIP. In this particular case, VoIP traffic was traversing a MPLS WAN circuit with the provider’s routers attached to an OPT interface of pfSense on both sides. A capture from the OPT interface on the initiating end showed no loss, indicating the traffic was being sent to the provider router, but the OPT interface on the opposite end showed considerable packet loss in one direction when multiple simultaneous calls were active. These packet captures helped convince the provider of a problem on their network, and they found and fixed a QoS configuration problem on their side. When viewing a packet capture containing RTP traffic, click Telephony > RTP > Show all streams to see this screen.
Remote Realtime Capture¶
From a UNIX host that has Wireshark available, a realtime remote capture can be run by redirecting the output from an SSH session. This has been tested and known to work on FreeBSD and Ubuntu-based Linux distributions.
In order to use this technique, SSH must be enabled on the pfSense system and an
SSH key is required (see Secure Shell (SSH)). The key must first be loaded into
ssh-agent or generated without a passphrase because the redirection will not
allow a password or passphrase to be entered. Using
ssh-agent is the best
practice, as any key without a passphrase is very insecure.
Before attempting this technique, check that the user can connect to the pfSense
firewall using an SSH key without needing to type the passphrase. The first time
the user connects, they are prompted to save the host key, so that must also be
done before trying to start wireshark.
ssh-agent may also be started from a
terminal window or shell like so:
# eval ssh-agent Agent pid 29047 # ssh-add Enter passphrase for /home/jimp/.ssh/id_rsa: Identity added: /home/jimp/.ssh/id_rsa (/home/jimp/.ssh/id_rsa)
Then start an SSH session as usual:
# ssh firstname.lastname@example.org The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established. DSA key fingerprint is 9e:c0:b0:5a:b9:9b:f4:ec:7f:1d:8a:2d:4a:49:01:1b. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.1.1' (DSA) to the list of known hosts. *** Welcome to pfSense 2.4.4-RELEASE-p2 (amd64) on clara *** [...]
After confirming the SSH connection works, start the remote capture as follows:
# wireshark -k -i <(ssh email@example.com tcpdump -i igb1 -U -w - not tcp port 22)
192.168.1.1 with the IP address of the pfSense firewall. The
tcp port 22 filter excludes traffic from the SSH session, which will otherwise
clog the capture output. The above is written in BASH style syntax, but may work
with other shells. Adjust the
tcpdump arguments for the interface, and add
additional expressions. The
-w - are necessary so that it writes
the output to
stdout, and writes each packet as it arrives.
See also the Capture Setup/Pipes page on the Wireshark wiki for other related techniques.