Packet Capture GUI

The pfSense® software GUI offers an easy-to-use front end to tcpdump that performs packet captures which can then be viewed in the GUI or downloaded for deeper analysis using utilities such as Wireshark.

This feature is located at Diagnostics > Packet Capture.

Due to the simplicity of the GUI, it can only offer a few options for filtering desired traffic. Even with its limitations, the GUI is sufficient for the capturing needs of most users.

See also

If the options available in the GUI are too limiting, skip ahead to Using tcpdump on the command line.

Packet Capture GUI Options

Interface

The network interface from which tcpdump will capture packets. Each assigned interface on the firewall appears in the list, along with entries for IPsec and OpenVPN instances.

Enable Promiscuous Mode

When checked, the capture includes every frame arriving on the network interface regardless of its destination MAC address.

Without promiscuous mode the capture only includes frames addressed to the interface's own MAC address, plus broadcast and multicast traffic. Traffic routed through the firewall is addressed to the firewall's MAC address at layer 2 and is therefore captured either way; promiscuous mode only matters for frames exchanged between other hosts on the same segment, which reach the interface only if a hub, a switch mirror (SPAN) port, or similar delivers them.

Note

This option is unchecked by default because certain interface drivers and chipsets do not handle promiscuous mode well.

Address Family

Limits the capture to only IPv4 or only IPv6 traffic. This is useful when not filtering by IP address (e.g. by port number or MAC address).

Protocol

Limits the capture to only packets for specific protocols. This GUI option includes common protocols such as TCP, UDP, ICMP, ICMP6, CARP and others, and an exclusion option for each.

The GUI will reject attempts to submit an invalid combination (e.g. IPv4 only with ICMP6, since ICMPv6 is only carried in IPv6 packets).

Host Address

Filters traffic going to or from a specific IP address (x.x.x.x), CIDR-masked subnet (x.x.x.x/yy), or MAC address. Leave the field blank to capture traffic to and from any host.

Enter MAC addresses in colon-separated format, such as xx:xx:xx:xx:xx:xx. To match a partial address, use one (xx), two (xx:xx), or four (xx:xx:xx:xx) segments in the same colon-separated format. Keep in mind that MAC addresses are rewritten at every routed hop, so a MAC filter only matches hosts (or the next-hop router) on the segment directly attached to the capture interface, never the original sender of routed traffic.

This field supports a few types of logic operations:

Exclusions

Prefix an address with ! to exclude it from a capture.

Boolean AND

Join two addresses with a comma (,) to capture traffic between only the specified hosts (e.g. x.x.x.x,y.y.y.y).

Boolean OR

Join two or more hosts with a pipe (|) to capture traffic to or from any of the specified hosts (e.g. x.x.x.x|y.y.y.y|z.z.z.z).

Port

Fill in a port number to limit the capture to TCP or UDP packets with the specified port as either the source or the destination port.

The same logic operators from Host Address work here as well.

Packet Length

Sets the portion, in bytes, of each packet to capture.

In most cases the best practice is to capture the full packet (0). For captures run over longer periods of time where the headers matter more than the payload, limiting this to 64 bytes or so results in a much smaller capture file that may still hold adequate data for troubleshooting. Size the value for the headers actually needed: 64 bytes covers an untagged Ethernet header (14 bytes), an IPv4 header (20) and a TCP header (20) with a few bytes to spare, but an IPv6 header (40 bytes), a VLAN tag (4) or TCP options push the layer 4 header past that point, so 96 to 128 bytes is the safer choice when such traffic is expected.

Count

Determines the total number of packets to capture before the capture stops automatically.

Captures may be “noisy” if they are not limited in some way. To get a usable result in these cases, increase this value beyond the default of 100 to a much higher amount such as 1000 or 10000.

Level of Detail

Selects the amount of detail to display in the GUI when viewing a capture.

This option does not change the level of detail contained inside the capture file.

This value can be changed at any time, even for past captures. Change the value and click View Capture to display the capture with the new detail level.

Reverse DNS Lookup

Causes tcpdump to perform a reverse DNS lookup on hosts included in the packet capture.

Warning

Avoid using this option when possible as it will delay the output due to the extra time taken by reverse DNS lookups. Also, it is typically easier to troubleshoot when viewing IP addresses instead of hostnames, and reverse DNS can be inaccurate.
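The options above are, under the hood, arguments and a BPF filter expression for tcpdump. The following Python script is an added illustration, not pfSense's own code (the GUI assembles its command in PHP), of how each field maps onto that command line: the ! , and | operators, the address family and protocol choices, the partial MAC match, snaplen, count, and the -p and -n switches that correspond to the Promiscuous Mode and Reverse DNS Lookup boxes. The function names, the protocol subset, and the refusal to mix , and | in one field are assumptions of the example; the GUI's exact precedence rules are not documented here.

```python
"""Translate Packet Capture GUI settings into a tcpdump invocation.

Added example: reimplements the documented semantics of the GUI fields to
show the BPF filter they imply.  It is not pfSense's own implementation.
"""
import ipaddress
import re
import shlex

# Subset of the GUI's protocol list (an assumption of this example).
PROTOCOL_KEYWORDS = {
    "tcp": "tcp",
    "udp": "udp",
    "icmp": "icmp",        # IPv4 only: "icmp" expands to "ip proto icmp"
    "icmp6": "icmp6",      # IPv6 only: "icmp6" expands to "ip6 proto icmp6"
    "carp": "proto 112",   # CARP shares IP protocol number 112 with VRRP
}
MAC_SEGMENT = r"[0-9a-f]{2}"


def is_valid_combination(family, protocol):
    """False for an ICMP flavour that belongs to the other address family.

    The GUI documents rejecting IPv4 + ICMP6; IPv6 + ICMP is refused here too,
    because in pcap-filter syntax "icmp" means IPv4 ICMP and can never match.
    """
    return (family, protocol) not in (("ipv4", "icmp6"), ("ipv6", "icmp"))


def _split_terms(value):
    """Split a Host Address / Port field on ',' (AND) or '|' (OR)."""
    if "," in value and "|" in value:
        raise ValueError("mixing ',' and '|' in one field is not supported here")
    if "," in value:
        return "and", [t.strip() for t in value.split(",")]
    return "or", [t.strip() for t in value.split("|")]


def _host_term(addr):
    """One Host Address entry (IP, CIDR, full or partial MAC) as a BPF term."""
    negate = addr.startswith("!")
    addr = addr[1:] if negate else addr
    segs = addr.lower().split(":")
    if all(re.fullmatch(MAC_SEGMENT, s) for s in segs) and len(segs) in (1, 2, 4, 6):
        if len(segs) == 6:
            term = f"ether host {':'.join(segs)}"
        else:
            # Partial MAC: compare the leading bytes of the destination (offset 0)
            # and source (offset 6) address.  BPF's ether[off:len] accessor only
            # allows len 1, 2 or 4, which matches the GUI's 1/2/4-segment rule.
            n, val = len(segs), "0x" + "".join(segs)
            term = f"(ether[0:{n}] = {val} or ether[6:{n}] = {val})"
    elif "/" in addr:
        term = f"net {ipaddress.ip_network(addr, strict=False).with_prefixlen}"
    else:
        term = f"host {ipaddress.ip_address(addr)}"
    return f"not {term}" if negate else term


def _port_term(port):
    """One Port entry as a BPF term ("port N" matches source or destination)."""
    negate = port.startswith("!")
    n = int(port[1:] if negate else port)
    if not 0 < n <= 65535:
        raise ValueError(f"port out of range: {n}")
    return f"not port {n}" if negate else f"port {n}"


def build_filter(family="", protocol="", exclude_protocol=False, host="", port=""):
    """Return the BPF expression implied by the GUI fields (empty = any)."""
    parts = []
    if family:
        parts.append({"ipv4": "ip", "ipv6": "ip6"}[family])
    if protocol:
        if not is_valid_combination(family, protocol):
            raise ValueError(f"{protocol} cannot occur in {family} packets")
        keyword = PROTOCOL_KEYWORDS[protocol]
        parts.append(f"not {keyword}" if exclude_protocol else keyword)
    for field, to_term in ((host, _host_term), (port, _port_term)):
        if field:
            op, terms = _split_terms(field)
            expr = f" {op} ".join(to_term(t) for t in terms)
            parts.append(f"({expr})" if len(terms) > 1 else expr)
    return " and ".join(parts)


def build_command(interface, outfile, count=100, snaplen=0, promiscuous=False,
                  reverse_dns=False, **filter_fields):
    """Assemble the tcpdump argv for a capture with the given GUI settings."""
    argv = ["tcpdump", "-i", interface, "-w", outfile, "-c", str(count)]
    if snaplen:                  # 0 means whole packet: keep tcpdump's default
        argv += ["-s", str(snaplen)]
    if not promiscuous:
        argv.append("-p")        # -p: do NOT put the interface in promiscuous mode
    if not reverse_dns:
        argv.append("-n")        # -n: no name resolution (faster, unambiguous)
    expr = build_filter(**filter_fields)
    if expr:
        argv.append(expr)
    return argv


if __name__ == "__main__":
    print(shlex.join(build_command("em0", "/tmp/packetcapture.cap", count=1000,
                                   snaplen=96, family="ipv4", protocol="tcp",
                                   host="!192.168.1.1", port="80|443")))
```

Running the script prints the equivalent command for the CLI section of this page, with the filter expression quoted as a single argument. Pasting the printed expression into `tcpdump -i <if> -n '<expr>'` on the firewall console is also a quick way to check that a GUI filter matches what was intended before starting a long capture.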

Performing a Packet Capture

To make a packet capture in the GUI:

  • Navigate to Diagnostics > Packet Capture

  • Configure the options on the page as described in Packet Capture GUI Options

  • Click Start to begin capturing packets.

    The page will display “Packet Capture is running” across the bottom, indicating the capture is in process.

  • Click Stop to manually end the capture and view the output.

    If the capture has a maximum packet Count set it will stop automatically when it reaches that count. In this case the capture does not need a manual stop action unless it must be stopped before reaching that count.

Viewing the Captured Data

The capture output can be viewed in the GUI or downloaded for later viewing in a program such as Wireshark.

  • Navigate to Diagnostics > Packet Capture

  • Set the Level of detail to show from the capture data

  • Click View Capture

    The page displays the output in a field titled Packets Captured in standard tcpdump format.

    Note

    If the View Capture button is not visible on the page, there is no existing capture data to view. Perform a new capture first.

  • Click Download Capture to download this file for later viewing (Optional).

    See also

    For more detail on using Wireshark to view a capture file, see Viewing a Packet Capture File.
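When a capture turns out noisy, the text shown under Packets Captured is enough to find out which hosts and ports dominate before narrowing the Host Address or Port filter (for example with !port) and running again. The following Python script is an added example, not part of this page or of pfSense, that parses lines in the shape tcpdump prints with name resolution disabled at the default level of detail and aggregates conversations, destination ports and pure-SYN initiators. The sample lines are constructed for the example; IPv4-mapped IPv6 addresses and non-IP frames (ARP, CARP) are counted but not decoded.

```python
"""Summarise tcpdump text output as displayed by the Packet Capture GUI.

Added example: the sample data below is constructed, not a real capture.
"""
import re
from collections import Counter

# One line per packet, as tcpdump prints with -n (constructed sample data).
SAMPLE_OUTPUT = """\
11:09:12.345678 IP 192.168.1.10.51234 > 93.184.216.34.443: Flags [S], seq 1000, win 64240, options [mss 1460], length 0
11:09:12.345900 IP 93.184.216.34.443 > 192.168.1.10.51234: Flags [S.], seq 2000, ack 1001, win 65535, length 0
11:09:12.346100 IP 192.168.1.10.51234 > 93.184.216.34.443: Flags [.], ack 1, win 502, length 0
11:09:12.350000 IP 192.168.1.10.53412 > 192.168.1.1.53: 4321+ A? example.com. (29)
11:09:12.351000 IP 192.168.1.1.53 > 192.168.1.10.53412: 4321 1/0/0 A 93.184.216.34 (45)
11:09:13.000000 IP 192.168.1.10.51235 > 93.184.216.34.80: Flags [S], seq 3000, win 64240, length 0
11:09:13.000500 IP6 fe80::1.546 > ff02::1:2.547: dhcp6 solicit
11:09:13.100000 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28
11:09:13.200000 IP 192.168.1.10 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<fam>IP6?) "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<info>.*)$"
)


def split_endpoint(endpoint, family):
    """Split tcpdump's 'address.port' form into (address, port or None).

    An IPv4 endpoint with a port has four dots; IPv6 text never contains a
    dot unless a port is appended (IPv4-mapped IPv6 is not handled here).
    """
    has_port = endpoint.count(".") == 4 if family == "IP" else "." in endpoint
    if not has_port:
        return endpoint, None
    addr, port = endpoint.rsplit(".", 1)
    return addr, int(port)


def parse_line(line):
    """Return the fields of an IP/IP6 line, or None for non-IP lines (ARP etc.)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    src, sport = split_endpoint(m["src"], m["fam"])
    dst, dport = split_endpoint(m["dst"], m["fam"])
    return {"ts": m["ts"], "family": m["fam"], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "info": m["info"]}


def summarize(lines):
    """Aggregate a capture: conversations, destination ports, SYN initiators."""
    conversations = Counter()   # unordered (a, b) address pair -> packets
    dst_ports = Counter()       # ports that dominate: candidates for !port
    syn_sources = Counter()     # hosts sending pure SYNs (new connections)
    ip_packets = non_ip = 0
    for line in lines:
        if not line.strip():
            continue
        pkt = parse_line(line)
        if pkt is None:
            non_ip += 1
            continue
        ip_packets += 1
        conversations[tuple(sorted((pkt["src"], pkt["dst"])))] += 1
        if pkt["dport"] is not None:
            dst_ports[pkt["dport"]] += 1
        if "Flags [S]," in pkt["info"]:      # "[S.]" is a SYN/ACK, not counted
            syn_sources[pkt["src"]] += 1
    return {"ip_packets": ip_packets, "non_ip": non_ip,
            "conversations": conversations,
            "top_dst_ports": dst_ports.most_common(5),
            "syn_sources": syn_sources}


if __name__ == "__main__":
    report = summarize(SAMPLE_OUTPUT.splitlines())
    for pair, n in report["conversations"].most_common():
        print(f"{n:5d}  {pair[0]} <-> {pair[1]}")
    print("busiest destination ports:", report["top_dst_ports"])
    print("SYN initiators:", dict(report["syn_sources"]))
    print("non-IP frames:", report["non_ip"])
```

Feed it the downloaded text (or `tcpdump -n -r capture.cap` output) instead of the sample to get the real conversation table; the busiest entries are the ones to exclude or isolate on the next run, which usually shrinks the Count needed to catch the packets of interest.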