Packet Capture GUI¶
The pfSense® software GUI offers an easy-to-use front end to
performs packet captures which can then be viewed in the GUI or downloaded for
deeper analysis using utilities such as Wireshark.
This feature is located at Diagnostics > Packet Capture.
If the options available in the GUI are too limiting, skip ahead to Using tcpdump on the command line.
Packet Capture Options¶
The network interface from which
tcpdumpwill capture packets. Each assigned and unassigned interface on the firewall appears in the list, excluding special interfaces such as
- Packet Capture Filter
Selects a filter option or preset for the packet capture. Selecting a preset filter will hide the Custom Filter Options section.
- Custom Filter
Enter custom values to limit captures.
Will capture any packet.
- Only Untagged
Will exclusively capture any packets which are not VLAN-tagged.
- Only Tagged
Will exclusively capture any packets which are VLAN-tagged.
- Packet Count
Determines the total number of packets to capture before the capture stops automatically.
Captures may be “noisy” if they are not limited in some way. To get a usable result in these cases, increase this value beyond the default of
1000to a much higher amount such as
- Packet Length
Sets the portion, in bytes, of each packet to capture.
In most cases the best practice is to capture the full packet (
0), but for captures run over longer periods of time where the headers matter more than the payload of the packets, limiting this to
64bytes or so will result in a much smaller capture file that may still have adequate data for troubleshooting purposes.
- Promiscuous Mode
When checked, a capture includes all traffic arriving on the network interface for any destination MAC Address.
Without promiscuous mode the capture can only include traffic to/from the firewall itself as well as broadcast and multicast traffic.
Some interface drivers and chipsets do not handle promiscuous mode well.
- View Detail
Selects the amount of detail to display in the GUI when viewing a capture.
View options (including
Name Lookup) do not affect the the packet capture file itself, and may be changed before or after the packet capture. Change the value and click View to display the capture with the new view option.
- View Type
Force the captured traffic to be interpreted as the specified type when viewed. This is particularly helpful when viewing CARP traffic.
- Name Lookup
tcpdumpto perform a name lookup for the port and host address, including the MAC OUI.
Avoid using this option when possible as it will delay the output due to the extra time taken by reverse DNS lookups. Also, it is typically easier to troubleshoot when viewing IP addresses instead of hostnames, and reverse DNS can be inaccurate.
Custom Filter Options¶
Filter options are separated into two sections, untagged and tagged. Each section may be individually included or excluded in the packet capture. This is useful in the case where both untagged and some other tagged traffic need to be captured. The available filter sections are:
- Untagged Filter
Values entered in this section will only apply to packets which do not have a VLAN tag.
- Tagged Filter
Values entered in this section will only apply to packets which have a VLAN tag set.
Multiple Values and Filter Operators¶
All input fields accept multiple space-separated values. When multiple values are specified, the drop-down menu for each option has an operator which defines the behavior:
- all of
Captures only packets that match all of the values specified in this single filter option.
- any of
Captures packets that match any of the values specified in this single filter option.
- none of
Captures packets that do not match the values specified in this single filter option.
- OR <type>
Places a logocal “or” between multiple separate filter options (e.g. a given host IP address or a given MAC address)
The following fields are available for filtering in the Untagged and/or Tagged filter option groups:
Defines how the GUI handles packets and options in a section (untagged, tagged):
- Include any of
Enables the filter options for this section and includes packets of this type provided they match the defined criteria.
- Exclude all
Disables the filter options for this section and excludes all packets of this type.
- VLAN Tag
Match traffic that is tagged with the specified VLAN tags. This is particularly useful when capturing on a trunk interface and not all VLANs need to be captured.
- VLAN Tag Level
Which VLAN tag stack level to apply the filter to. This is useful when filtering QinQ traffic.
- Host Address or Subnet
Filters traffic going to or from specific IP addresses (
x.x.x.x) or CIDR-masked subnets (
- Host MAC Address
Filters traffic going to or from specific MAC addresses.
Enter MAC addresses in colon-separated format, such as
xx:xx:xx:xx:xx:xx. To match a partial address, use one (
xx), two (
xx:xx), or four (
xx:xx:xx:xx) segments in the same colon-separated format.
Limits the capture to packets for specific protocols. The drop-down option in the GUI includes common protocols such as TCP, UDP, ICMP, ICMP6, CARP, but any protocols may be specified manually by number or name.
- Port Number
Limits the capture to packets with the specified source or destination port. Only effective on protocols which have ports (TCP, UDP).
May be used to limit the capture to only IPv4, IPv6, or ARP traffic. This is useful when not filtering by IP address (e.g. by port number or MAC address).
Performing a Packet Capture¶
To make a packet capture in the GUI:
Navigate to Diagnostics > Packet Capture
Configure the options on the page as described in Packet Capture Options
Click Start to begin capturing packets.
The page will display a live preview of the captured packets which refreshes every few seconds. The resulting
tcpdumpcommand is also shown, along with the message “Running packet capture” indicating the capture is in process.
Click Stop to manually end the capture and view the output.
If the capture has a maximum packet Count set it will stop automatically when it reaches that count. In this case the capture does not need a manual stop action unless it must be stopped before reaching that count.
Viewing the Captured Data¶
The capture output can be viewed in the GUI or downloaded for later viewing in a program such as Wireshark.
Navigate to Diagnostics > Packet Capture
Set the View Options (Packet Capture Options) to control how the GUI displays the contents of the capture.
The page displays the output in a field titled Packet Capture Output in standard
If the View button is not visible on the page, there is no existing capture data to view. Perform a new capture first.
Click Download to download this file for later viewing (Optional).
For more detail on using Wireshark to view a capture file, see Viewing a Packet Capture File.