Packet Capture GUI

The pfSense® software GUI offers an easy-to-use front end to tcpdump that performs packet captures which can then be viewed in the GUI or downloaded for deeper analysis using utilities such as Wireshark.

This feature is located at Diagnostics > Packet Capture.

See also

If the options available in the GUI are too limiting, skip ahead to Using tcpdump on the command line.

Packet Capture Options

Interface:

The network interface from which tcpdump will capture packets. Each assigned and unassigned interface on the firewall appears in the list, excluding special interfaces such as pfsync0 and pflog0.

Packet Capture Filter:

Selects a filter option or preset for the packet capture. Selecting a preset filter will hide the Custom Filter Options section.

Custom Filter

Enter custom values to limit captures.

Everything

Will capture any packet.

Only Untagged

Will exclusively capture any packets which are not VLAN-tagged.

Only Tagged

Will exclusively capture any packets which are VLAN-tagged.

Packet Count:

Determines the total number of packets to capture before the capture stops automatically.

Captures may be “noisy” if they are not limited in some way. To get a usable result in these cases, increase this value beyond the default of 1000 to a much higher amount such as 10000.

Packet Length:

Sets the portion, in bytes, of each packet to capture.

In most cases the best practice is to capture the full packet (0), but for captures run over longer periods of time where the headers matter more than the payload of the packets, limiting this to 64 bytes or so will result in a much smaller capture file that may still have adequate data for troubleshooting purposes.

Promiscuous Mode:

When checked, a capture includes all traffic arriving on the network interface for any destination MAC Address.

Without promiscuous mode the capture can only include traffic to/from the firewall itself as well as broadcast and multicast traffic.

Warning

Some interface drivers and chipsets do not handle promiscuous mode well.

View Detail:

Selects the amount of detail to display in the GUI when viewing a capture.

Note

View options (including Name Lookup) do not affect the packet capture file itself, and may be changed before or after the packet capture. Change the value and click View to display the capture with the new view option.

View Type:

Force the captured traffic to be interpreted as the specified type when viewed. This is particularly helpful when viewing CARP traffic.

Name Lookup:

Causes tcpdump to perform a name lookup for the port and host address, including the MAC OUI.

Warning

Avoid using this option when possible as it will delay the output due to the extra time taken by reverse DNS lookups. Also, it is typically easier to troubleshoot when viewing IP addresses instead of hostnames, and reverse DNS can be inaccurate.

Custom Filter Options

Filter Sections

Filter options are separated into two sections, untagged and tagged. Each section may be individually included or excluded in the packet capture. This is useful in the case where both untagged and some other tagged traffic need to be captured. The available filter sections are:

Untagged Filter

Values entered in this section will only apply to packets which do not have a VLAN tag.

Tagged Filter

Values entered in this section will only apply to packets which have a VLAN tag set.

Multiple Values and Filter Operators

All input fields accept multiple space-separated values. When multiple values are specified, the drop-down menu for each option has an operator which defines the behavior:

all of

Captures only packets that match all of the values specified in this single filter option.

any of

Captures packets that match any of the values specified in this single filter option.

none of

Captures packets that do not match the values specified in this single filter option.

OR <type>

Places a logical “or” between multiple separate filter options (e.g. a given host IP address or a given MAC address).

Filter Options

The following fields are available for filtering in the Untagged and/or Tagged filter option groups:

Include/Exclude:

Defines how the GUI handles packets and options in a section (untagged, tagged):

Include any of

Enables the filter options for this section and includes packets of this type provided they match the defined criteria.

Exclude all

Disables the filter options for this section and excludes all packets of this type.

VLAN Tag:

Match traffic that is tagged with the specified VLAN tags. This is particularly useful when capturing on a trunk interface and not all VLANs need to be captured.

VLAN Tag Level:

Which VLAN tag stack level to apply the filter to. This is useful when filtering QinQ traffic.

Host Address or Subnet:

Filters traffic going to or from specific IP addresses (x.x.x.x) or CIDR-masked subnets (x.x.x.x/yy).

Host MAC Address:

Filters traffic going to or from specific MAC addresses.

Enter MAC addresses in colon-separated format, such as xx:xx:xx:xx:xx:xx. To match a partial address, use one (xx), two (xx:xx), or four (xx:xx:xx:xx) segments in the same colon-separated format.

Protocol:

Limits the capture to packets for specific protocols. The drop-down option in the GUI includes common protocols such as TCP, UDP, ICMP, ICMP6, and CARP, but any protocol may be specified manually by number or name.

Port Number:

Limits the capture to packets with the specified source or destination port. Only effective on protocols which have ports (TCP, UDP).

Ethertype:

May be used to limit the capture to only IPv4, IPv6, or ARP traffic. This is useful when not filtering by IP address (e.g. by port number or MAC address).
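An added illustration of how the filter sections, operators, and fields described above compose into a single tcpdump filter expression. This is not pfSense's own filter builder: the function names, the (kind, values, operator) tuple layout, and the exact expression it emits are assumptions.

```python
# Operators from the "Multiple Values and Filter Operators" drop-down.
JOIN = {"all of": " and ", "any of": " or ", "none of": " or "}
# Untagged group as a raw ethertype test instead of `not vlan`: every `vlan` keyword
# shifts decoding offsets for the rest of the expression, so the tagged group's `vlan`
# must be the first one. Assumption: 802.1Q (0x8100) and 802.1ad (0x88a8) outer tags.
UNTAGGED = "ether[12:2] != 0x8100 and ether[12:2] != 0x88a8"

def primitive(kind, value):
    """Translate one GUI value (host, mac, proto, port, ethertype) into a pcap-filter primitive."""
    if kind == "host":                      # x.x.x.x or x.x.x.x/yy
        return ("net " if "/" in value else "host ") + value
    if kind == "mac":                       # full, or partial with 1, 2 or 4 segments
        segs = value.lower().split(":")
        if len(segs) == 6:
            return "ether host " + value.lower()
        if len(segs) not in (1, 2, 4):      # BPF loads are 1, 2 or 4 bytes wide
            raise ValueError("partial MAC must have 1, 2 or 4 segments: " + value)
        n, hexval = len(segs), "0x" + "".join(segs)   # prefix of dst (offset 0) or src (offset 6) MAC
        return f"(ether[0:{n}] = {hexval} or ether[6:{n}] = {hexval})"
    if kind == "proto":                     # by name (tcp, carp, ...) or by number
        return f"proto {value}" if value.isdigit() else value.lower()
    if kind == "port":
        return "port " + value
    if kind == "ethertype":
        return {"ipv4": "ip", "ipv6": "ip6", "arp": "arp"}[value.lower()]
    raise ValueError("unknown field " + kind)

def field_expr(kind, values, op="any of"):
    """Combine the space-separated values of one field with its operator."""
    prims = [primitive(kind, v) for v in values.split()]
    if not prims: return ""
    expr = "(" + JOIN[op].join(prims) + ")"
    return "not " + expr if op == "none of" else expr

def section_expr(fields, join="and"):
    """fields: list of (kind, values, op); join='or' is the 'OR <type>' operator."""
    return f" {join} ".join(e for e in (field_expr(*f) for f in fields) if e)

def capture_filter(untagged=None, tagged=None, vlan_tags=()):
    """None for a section means 'Exclude all'; vlan_tags holds one ID per tag level, outer first."""
    groups = []
    if untagged is not None:                # untagged terms must precede any `vlan`
        u = section_expr(untagged)
        groups.append(f"({u} and {UNTAGGED})" if u else f"({UNTAGGED})")
    if tagged is not None:                  # each `vlan` keyword consumes the next tag level (QinQ)
        vl = " and ".join("vlan " + v for v in vlan_tags) or "vlan"
        t = section_expr(tagged)
        groups.append(f"({vl} and {t})" if t else f"({vl})")
    return " or ".join(groups)
```

The resulting string can be pasted into the tcpdump command shown by the GUI, or checked offline with `tcpdump -d 'expression'`, which compiles the filter without capturing.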

Performing a Packet Capture

To make a packet capture in the GUI:

  • Navigate to Diagnostics > Packet Capture

  • Configure the options on the page as described in Packet Capture Options

  • Click Start to begin capturing packets.

    The page will display a live preview of the captured packets which refreshes every few seconds. The resulting tcpdump command is also shown, along with the message “Running packet capture” indicating the capture is in progress.

  • Click Stop to manually end the capture and view the output.

    If the capture has a maximum packet Count set, it will stop automatically when it reaches that count. In this case the capture does not need a manual stop action unless it must be stopped before reaching that count.

Viewing the Captured Data

The capture output can be viewed in the GUI or downloaded for later viewing in a program such as Wireshark.

  • Navigate to Diagnostics > Packet Capture

  • Set the View Options (Packet Capture Options) to control how the GUI displays the contents of the capture.

  • Click View

    The page displays the output in a field titled Packet Capture Output in standard tcpdump format.

    Note

    If the View button is not visible on the page, there is no existing capture data to view. Perform a new capture first.

  • Click Download to download this file for later viewing (Optional).

    See also

    For more detail on using Wireshark to view a capture file, see Viewing a Packet Capture File.