Packet Capture GUI¶
The pfSense® software GUI offers an easy-to-use front end to tcpdump that performs packet captures which can then be viewed in the GUI or downloaded for deeper analysis using utilities such as Wireshark.
This feature is located at Diagnostics > Packet Capture.
Due to the simplicity of the GUI, it can only offer a few options for filtering desired traffic. Even with its limitations, the GUI is sufficient for the capturing needs of most users.
See also
If the options available in the GUI are too limiting, skip ahead to Using tcpdump on the command line.
Packet Capture GUI Options¶
- Interface
The network interface from which tcpdump will capture packets. Each assigned interface on the firewall appears in the list, along with entries for IPsec and OpenVPN instances.
- Enable Promiscuous Mode
When checked, a capture includes all traffic arriving on the network interface for any destination MAC Address.
Without promiscuous mode the capture can only include traffic to/from the firewall itself as well as broadcast and multicast traffic. On a switched network, promiscuous mode still only exposes the frames the switch actually forwards to the firewall's port.
Note
This option is unchecked by default because certain interface drivers and chipsets do not handle promiscuous mode well.
- Address Family
Limits the capture to only IPv4 or only IPv6 traffic. This is useful when not filtering by IP address (e.g. by port number or MAC address).
- Protocol
Limits the capture to only packets for specific protocols. This GUI option includes common protocols such as TCP, UDP, ICMP, ICMP6, CARP and others, and an exclusion option for each.
The GUI will reject attempts to submit an invalid combination (e.g. IPv4 only and ICMP6).
- Host Address
Filters traffic going to or from a specific IP address (x.x.x.x), CIDR-masked subnet (x.x.x.x/yy), or MAC address. Leave the field blank to capture traffic to and from any host.
Enter MAC addresses in colon-separated format, such as xx:xx:xx:xx:xx:xx. To match a partial address, use one (xx), two (xx:xx), or four (xx:xx:xx:xx) segments in the same colon-separated format.
This field supports a few types of logic operations:
- Exclusions
Prefix an address with ! to exclude it from a capture.
- Boolean AND
Join two addresses with a comma (,) to capture traffic between only the specified hosts (e.g. x.x.x.x,y.y.y.y).
- Boolean OR
Join two or more hosts with a pipe (|) to capture traffic to or from any of the specified hosts (e.g. x.x.x.x|y.y.y.y|z.z.z.z).
- Port
Fill in a port number to limit the capture to only TCP or UDP packets with the specified port as either the source or destination port.
The same logic operators from Host Address work here as well.
- Packet Length
Sets the portion, in bytes, of each packet to capture.
In most cases the best practice is to capture the full packet (0), but for captures run over longer periods of time where the headers matter more than the payload of the packets, limiting this to 64 bytes or so will result in a much smaller capture file that may still have adequate data for troubleshooting purposes. Note that 64 bytes covers an Ethernet header plus basic IPv4 and TCP headers, but truncates IPv6 headers or packets carrying VLAN tags and TCP options; use a somewhat larger value when those details matter.
- Count
Determines the total number of packets to capture before the capture stops automatically.
Captures may be “noisy” if they are not limited in some way. To get a usable result in these cases, increase this value beyond the default of 100 to a much higher amount such as 1000 or 10000.
- Level of Detail
Selects the amount of detail to display in the GUI when viewing a capture.
This option does not change the level of detail contained inside the capture file.
This value can be changed at any time, even for past captures. Change the value and click View Capture to display the capture with the new detail level.
- Reverse DNS Lookup
Causes tcpdump to perform a reverse DNS lookup on hosts included in the packet capture.
Warning
Avoid using this option when possible as it will delay the output due to the extra time taken by reverse DNS lookups. Also, it is typically easier to troubleshoot when viewing IP addresses instead of hostnames, and reverse DNS can be inaccurate.
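The options above map fairly directly onto tcpdump command-line flags and BPF filter syntax, which is what the command-line alternative mentioned earlier uses. The helper below is an added example written for this page, not code from pfSense software: it builds the tcpdump command a practitioner would type at the firewall shell from GUI-style values for Address Family, Protocol, Host Address and Port (with the !, comma and pipe operators described above), Packet Length, Count, and the Promiscuous Mode and Reverse DNS Lookup checkboxes. The exact mapping is an assumption for illustration and the GUI's own invocation may differ; in particular, partial MAC matching is implemented here with BPF byte comparisons against the destination (offset 0) and source (offset 6) address fields of the Ethernet header, and the GUI's IPv4/ICMP6 and IPv6/ICMP rejection is reproduced. Interface names and addresses in the usage line are constructed.

```shell
#!/bin/sh
# Added example, not pfSense software code: build the tcpdump command line
# equivalent to a Packet Capture GUI configuration.  The flag/BPF mapping is
# an assumption for illustration.  Field syntax follows the GUI: '!' negates
# a term, ',' joins terms with AND, '|' joins alternatives with OR.

# host_term ADDR -> BPF primitive for one IP address, CIDR subnet or MAC
host_term() {
    ht_a=$1; ht_neg=""; ht_h='[0-9a-fA-F][0-9a-fA-F]'
    case $ht_a in '!'*) ht_neg="not "; ht_a=${ht_a#?} ;; esac
    case $ht_a in
        $ht_h:$ht_h:$ht_h:$ht_h:$ht_h:$ht_h)
            printf '%sether host %s' "$ht_neg" "$ht_a" ;;
        $ht_h|$ht_h:$ht_h|$ht_h:$ht_h:$ht_h:$ht_h)
            # Partial MAC: compare the leading bytes of the destination (offset 0)
            # and source (offset 6) Ethernet address fields; BPF compares 1, 2 or
            # 4 bytes, exactly the partial lengths the GUI accepts.
            ht_n=$(( (${#ht_a} + 1) / 3 ))
            ht_hex=$(printf '%s' "$ht_a" | tr -d :)
            printf '%s(ether[0:%d] = 0x%s or ether[6:%d] = 0x%s)' \
                "$ht_neg" "$ht_n" "$ht_hex" "$ht_n" "$ht_hex" ;;
        $ht_h:$ht_h:$ht_h|$ht_h:$ht_h:$ht_h:$ht_h:$ht_h)
            echo "partial MAC must have 1, 2 or 4 segments: $ht_a" >&2; return 1 ;;
        */*) printf '%snet %s' "$ht_neg" "$ht_a" ;;
        *)   printf '%shost %s' "$ht_neg" "$ht_a" ;;
    esac
}

# port_term PORT -> "port N" / "not port N"; rejects non-numeric or out-of-range
port_term() {
    pt_p=$1; pt_neg=""
    case $pt_p in '!'*) pt_neg="not "; pt_p=${pt_p#?} ;; esac
    case $pt_p in ''|*[!0-9]*) echo "invalid port: $pt_p" >&2; return 1 ;; esac
    [ "$pt_p" -ge 1 ] && [ "$pt_p" -le 65535 ] || { echo "invalid port: $pt_p" >&2; return 1; }
    printf '%sport %s' "$pt_neg" "$pt_p"
}

# and_expr FN CSV -> comma-separated terms joined with "and" (parenthesised if >1)
and_expr() {
    ae_fn=$1; ae_expr=""; ae_n=0
    ae_ifs=$IFS; IFS=','; set -- $2; IFS=$ae_ifs
    for ae_item; do
        ae_term=$("$ae_fn" "$ae_item") || return 1
        ae_expr="${ae_expr:+$ae_expr and }$ae_term"
        ae_n=$((ae_n + 1))
    done
    [ "$ae_n" -gt 1 ] && ae_expr="($ae_expr)"
    printf '%s' "$ae_expr"
}

# spec_expr FN SPEC -> pipe-separated alternatives joined with "or"
spec_expr() {
    se_fn=$1; se_out=""; se_n=0
    se_ifs=$IFS; IFS='|'; set -- $2; IFS=$se_ifs
    for se_alt; do
        se_expr=$(and_expr "$se_fn" "$se_alt") || return 1
        se_out="${se_out:+$se_out or }$se_expr"
        se_n=$((se_n + 1))
    done
    [ "$se_n" -gt 1 ] && se_out="($se_out)"
    printf '%s' "$se_out"
}

# build_capture_cmd IFACE PROMISC FAMILY PROTO HOSTS PORTS SNAPLEN COUNT RDNS
#   PROMISC and RDNS are 1 (checked) or 0; FAMILY is ip, ip6 or empty; PROTO is
#   a pcap keyword (tcp, udp, icmp, icmp6, ...) with optional '!'; SNAPLEN 0 = full
build_capture_cmd() {
    bc_cmd="tcpdump"; bc_filter=""
    [ "$9" -eq 1 ] || bc_cmd="$bc_cmd -n"      # no reverse DNS lookups
    bc_cmd="$bc_cmd -i $1"
    [ "$2" -eq 1 ] || bc_cmd="$bc_cmd -p"      # do not enter promiscuous mode
    bc_cmd="$bc_cmd -s $7 -c $8"
    case "$3/${4#!}" in
        ip/icmp6|ip6/icmp)                      # the GUI rejects these too
            echo "invalid combination: $3 with $4" >&2; return 1 ;;
        ip/*|ip6/*) bc_filter=$3 ;;
        /*) ;;
        *) echo "address family must be ip, ip6 or empty: $3" >&2; return 1 ;;
    esac
    case $4 in '!'*) bc_proto="not ${4#?}" ;; *) bc_proto=$4 ;; esac
    [ -n "$bc_proto" ] && bc_filter="${bc_filter:+$bc_filter and }$bc_proto"
    if [ -n "$5" ]; then
        bc_part=$(spec_expr host_term "$5") || return 1
        bc_filter="${bc_filter:+$bc_filter and }$bc_part"
    fi
    if [ -n "$6" ]; then
        bc_part=$(spec_expr port_term "$6") || return 1
        bc_filter="${bc_filter:+$bc_filter and }$bc_part"
    fi
    [ -n "$bc_filter" ] && bc_cmd="$bc_cmd '$bc_filter'"
    printf '%s\n' "$bc_cmd"
}

# Constructed usage: IPv4 traffic on igb0 involving 10.0.0.1 but not 10.0.0.2,
# port 53, 1000 packets, full length, no promiscuous mode, no reverse DNS.
build_capture_cmd igb0 0 ip "" "10.0.0.1,!10.0.0.2" 53 0 1000 0
```

The script runs under sh or bash and prints the command instead of executing it, so the filter can be reviewed before it is run with root privileges on the firewall. A bare two-hex-digit value such as ab is read as a one-segment MAC prefix, following the GUI's convention, and hostnames are passed through to tcpdump unresolved.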
Performing a Packet Capture¶
To make a packet capture in the GUI:
Navigate to Diagnostics > Packet Capture
Configure the options on the page as described in Packet Capture GUI Options
Click Start to begin capturing packets.
The page will display “Packet Capture is running” across the bottom, indicating the capture is in process.
Click Stop to manually end the capture and view the output.
If the capture has a maximum packet Count set it will stop automatically when it reaches that count. In this case the capture does not need a manual stop action unless it must be stopped before reaching that count.
Viewing the Captured Data¶
The capture output can be viewed in the GUI or downloaded for later viewing in a program such as Wireshark.
Navigate to Diagnostics > Packet Capture
Set the Level of detail to show from the capture data
Click View Capture
The page displays the output in a field titled Packets Captured in standard tcpdump format.
Note
If the View Capture button is not visible on the page, there is no existing capture data to view. Perform a new capture first.
Click Download Capture to download this file for later viewing (Optional).
See also
For more detail on using Wireshark to view a capture file, see Viewing a Packet Capture File.