Capturing packets is the most effective means of troubleshooting problems with
network connectivity. Packet capturing, also known as “sniffing”, shows packets
“on the wire” coming in and going out of an interface. Observing how traffic is
sent and received by the firewall is a great help in narrowing down problems
with firewall rules, NAT entries, and other networking issues. This chapter
covers obtaining packet captures from the pfSense® WebGUI, from the command
line in a shell, and using Wireshark.
Capture frame of reference
Keep in mind that packet captures show exactly what is on the wire. A packet capture is the first process to see traffic when receiving packets and the last to see traffic when sending packets as they flow through the firewall. It sees traffic before firewall, NAT, and all other processing on the firewall happens for traffic coming into that interface, and after all that processing occurs for traffic leaving that interface. For incoming traffic, captures will show traffic that arrives on an interface on the firewall regardless of whether that traffic will be blocked by the firewall configuration. Figure Capture Reference illustrates where tcpdump and the WebGUI packet capture interface tie into the processing order.
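Because a capture sees inbound traffic before firewall and NAT processing and outbound traffic after it, capturing on the ingress and egress interfaces at the same time and comparing the two shows where a packet stops. The following Python sketch is an added example, not part of the pfSense documentation: it matches TCP SYNs from two constructed `tcpdump -nn -tt` style text captures on source address, source port and sequence number. It assumes IPv4, that the firewall rewrites only the destination (a port forward), and that sequence numbers are left unchanged.

```python
import re

# One TCP packet as printed by `tcpdump -nn -tt` (IPv4 only in this sketch).
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\], "
    r"seq (?P<seq>\d+)"
)

def parse_syns(lines):
    """Return {(src, sport, seq): (dst, dport)} for initial SYNs (flags 'S')."""
    syns = {}
    for line in lines:
        m = LINE.match(line.strip())
        if m and m["flags"] == "S":
            key = (m["src"], int(m["sport"]), int(m["seq"]))
            syns[key] = (m["dst"], int(m["dport"]))
    return syns

def trace(wan_lines, lan_lines):
    """Classify each SYN that arrived on WAN by whether it also left via LAN."""
    wan, lan = parse_syns(wan_lines), parse_syns(lan_lines)
    report = {}
    for key, wan_dst in wan.items():
        if key in lan:
            # Seen on both sides: passed, destination shown pre- and post-NAT.
            report[key] = ("forwarded", wan_dst, lan[key])
        else:
            # Arrived on the wire but never left via LAN (blocked or not routed there).
            report[key] = ("not seen on LAN", wan_dst, None)
    return report

# Constructed sample captures (documentation address ranges, not real traffic).
WAN_CAPTURE = [
    "1700000000.000100 IP 198.51.100.7.51000 > 203.0.113.10.443: Flags [S], seq 1111111111, win 65535, length 0",
    "1700000001.000200 IP 198.51.100.9.40022 > 203.0.113.10.22: Flags [S], seq 2222222222, win 64240, length 0",
]
LAN_CAPTURE = [
    "1700000000.000350 IP 198.51.100.7.51000 > 192.168.1.20.443: Flags [S], seq 1111111111, win 65535, length 0",
]

if __name__ == "__main__":
    for (src, sport, seq), (status, pre, post) in trace(WAN_CAPTURE, LAN_CAPTURE).items():
        print(f"{src}:{sport} seq={seq} wan_dst={pre} lan_dst={post} -> {status}")
```

The second SYN appears in the WAN capture even though nothing forwards it, which is the behaviour described above: arrival on the interface is recorded regardless of what the firewall configuration does with the packet afterwards.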