From the pfSense manual:
WebGUI Packet Captures
You can perform a capture from within the WebGUI under Diagnostics > Packet Capture. The settings work just as they would with tcpdump. The capture can be viewed in the GUI or downloaded for later viewing with tcpdump or Wireshark.
tcpdump
tcpdump comes installed with pfSense. You can run tcpdump from the pfSense Diagnostics drop-down menu: select Command and run your dump. Another way is to SSH into a shell and run tcpdump. The following example captures all traffic other than SSH, ARP, DNS and STP and appends the output to a file called Sniff_output in the current directory.
tcpdump -i fxp0 not port 22 and not port 53 and not arp and not stp >> Sniff_output
The -i option designates the interface to capture on, here fxp0. In this example, traffic from the subnet attached to pfSense on fxp0 is being grabbed.
To automate this capture, put the tcpdump command in a file, make that file executable (chmod u+x), and place it in /usr/local/etc/rc.d. When pfSense comes up, your script should start automatically.
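The boot-time script described above, written out as an added example (this is not code from the pfSense manual). It composes the same tcpdump filter the manual uses and installs it under /usr/local/etc/rc.d. Two deliberate departures from the manual's one-liner, both labelled in the comments: the ">> Sniff_output" redirection stores tcpdump's decoded text, whereas -w writes a pcap file that Wireshark can open, and -C/-W rotate through a fixed number of files so an unattended capture cannot fill the disk. The script name sniff.sh, the output path, and the assumption that pfSense runs *.sh files in /usr/local/etc/rc.d at boot are all assumptions.

```shell
#!/bin/sh
# Added example, not part of the pfSense manual: build the capture command
# and install it as a boot-time script. The interface, the output path, the
# file name sniff.sh and the .sh-suffix convention for rc.d are assumptions.

# Compose the tcpdump command line. -n suppresses reverse DNS lookups
# (which would otherwise generate traffic of their own); -w writes a pcap
# readable by Wireshark instead of the text the manual appends with >>;
# -C 100 -W 10 rotates through ten files of ~100 MB each.
tcpdump_cmd() {
    iface="$1"      # e.g. fxp0
    outfile="$2"    # e.g. /var/log/sniff.pcap
    # Same filter as the manual: exclude SSH, DNS, ARP and STP.
    printf '%s' "tcpdump -n -i $iface -w $outfile -C 100 -W 10 'not port 22 and not port 53 and not arp and not stp'"
}

# Write the rc.d script and make it executable. The optional third argument
# overrides the destination directory so the function can be exercised
# without root; it returns the path of the script it wrote.
install_rc_script() {
    iface="$1"
    outfile="$2"
    rcdir="${3:-/usr/local/etc/rc.d}"
    script="$rcdir/sniff.sh"
    cmd=$(tcpdump_cmd "$iface" "$outfile")
    printf '#!/bin/sh\n# Started at boot: background capture on %s\n%s &\n' \
        "$iface" "$cmd" > "$script"
    chmod u+x "$script"     # lower-case u: "U+x" is not a valid mode
    printf '%s' "$script"
}

# Usage on the firewall: ./sniff-setup.sh install fxp0 /var/log/sniff.pcap
if [ "${1:-}" = "install" ]; then
    install_rc_script "$2" "$3"
fi
```

With -C and -W, tcpdump appends a rotation number to the file name (sniff.pcap0, sniff.pcap1, ...), and the output directory must be writable by whatever user tcpdump runs as once it has opened the interface.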
iftop
A second method of sniffing traffic from a shell is with iftop. Installing iftop is covered on the Add_Packages wiki page. iftop lets you designate the interface from which you would like to grab traffic. In this example fxp1 is the LAN interface:
iftop -i fxp1
Sample Output
cf-in-f18.google.com            => 192.168.1.245        0b
                                <=                      0b
cf-in-f97.google.com            => 192.168.1.245        0b
                                <=                      0b
cf-in-f103.google.com           => 192.168.1.245        0b
                                <=                      0b
google.navigation.opendns.com   => 192.168.1.245        0b
                                <=                      0b