Packet Capturing

Capturing packets is the most effective means of troubleshooting problems with network connectivity. Packet capturing, also known as “sniffing”, shows packets “on the wire” coming in and going out of an interface. Observing how traffic is sent and received by the firewall is a great help in narrowing down problems with firewall rules, NAT entries, and other networking issues. This chapter covers obtaining packet captures from the pfSense® WebGUI, with tcpdump at the command line in a shell, and using Wireshark.

Capture frame of reference

Keep in mind that packet captures show exactly what is on the wire. A packet capture is the first process to see traffic when receiving packets and last to see traffic when sending packets as they flow through the firewall. It sees traffic before firewall, NAT, and all other processing on the firewall happens for traffic coming into that interface, and after all that processing occurs for traffic leaving that interface. For incoming traffic, captures will show traffic that arrives on an interface on the firewall regardless of whether that traffic will be blocked by the firewall configuration. Figure Capture Reference illustrates where tcpdump and also the WebGUI packet capture interface ties into the processing order.


Capture Reference