Yes, the interface for packet capture is nice for an interactive quick look, but it is not a solution for an automated ingest system for 24x7 capture.

Regarding the logs:

{mail} Sun Apr 28 11:07:58 EDT 2013 INFO pf: 00:00:00.001738 rule 23/0(match): block in on em0: (tos 0x0, ttl 116, id 4687, offset 0, flags [DF], proto UDP (17), length 66)
{mail} Sun Apr 28 11:07:58 EDT 2013 INFO pf: 31.222.133.87.53 > 67.90.184.35.53: 952+ [1au] ANY? ripe.net. (38)

The detail is insufficient. I tried Show raw filter logs, but there does not seem to be any appreciable difference. I have a backend system (IDS type of thing) which ingests pcap data as well as syslog; in this case the syslog from the pfSense is too lightweight.

Can I sniff the bridge [BRIDGE0]?

-Jason

_____
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Trevor Benson
Sent: Sunday, April 28, 2013 10:14
To: pfSense support and discussion
Subject: Re: [pfSense] Packet capture

Have you tried using the built in packet capture under diagnostics? This will clean up your ssh traffic, which is what I assume you mean by tcpdump recursive traffic. Plus you can download a pcap to examine more closely in wireshark. As for traffic denied by the firewall have you tried looking at the firewall logs?

Trevor

On Apr 28, 2013 5:47 AM, "Jason Pyeron" <jpye...@pdinc.us> wrote:

I am looking to capture all the packets that are traversing and attempting to traverse the firewall. If I use tcpdump -i WAN I get all the packets, if I use tcpdump -i LAN then I only get the packets that made it past the firewall plus the recursive traffic of my pcap data leaving the firewall too. This is telling me I should be using another port, but still does not help me separate the pcap data into 2 buckets:

1: blocked
2: not blocked

Any suggestions?

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- -
- Jason Pyeron                  PD Inc. http://www.pdinc.us -
- Principal Consultant          10 West 24th Street #100    -
- +1 (443) 269-1555 x333        Baltimore, Maryland 21218   -
- -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.
_______________________________________________ List mailing list List@lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list
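The pf log lines Jason quotes are tcpdump's rendering of pf log records, wrapped in a syslog prefix, and each packet arrives as a pair of lines: first the rule number, action, direction, interface and IP header fields, then the flow (source, destination, ports and protocol detail). The Python below is an added example, not code from this thread or from pfSense, that pairs those lines back up and sorts the result into the two buckets the original question asked for (blocked / not blocked). It assumes the exact `{mail} <date> INFO pf: ` prefix shown in the message; the second packet in the sample input is constructed here so that the "not blocked" bucket is exercised too.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the two lines quoted in the thread, plus a
# constructed "pass" record (documentation address ranges) for a TCP SYN.
SAMPLE_LOG = """\
{mail} Sun Apr 28 11:07:58 EDT 2013 INFO pf: 00:00:00.001738 rule 23/0(match): block in on em0: (tos 0x0, ttl 116, id 4687, offset 0, flags [DF], proto UDP (17), length 66)
{mail} Sun Apr 28 11:07:58 EDT 2013 INFO pf: 31.222.133.87.53 > 67.90.184.35.53: 952+ [1au] ANY? ripe.net. (38)
{mail} Sun Apr 28 11:08:02 EDT 2013 INFO pf: 00:00:00.000412 rule 5/0(match): pass in on em1: (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 60)
{mail} Sun Apr 28 11:08:02 EDT 2013 INFO pf: 192.0.2.10.51234 > 198.51.100.7.443: Flags [S], seq 1, win 65535, length 0
"""

# Syslog wrapper as it appears in the thread (assumed fixed): "{mail} <date> INFO pf: <tcpdump text>"
SYSLOG_RE = re.compile(r'^\{mail\} (?P<ts>.+?) INFO pf: (?P<payload>.*)$')

# Line 1 of a packet: <delta> rule <n>/<sub>(<reason>): <action> <dir> on <iface>: (<ip header fields>)
HEADER_RE = re.compile(
    r'^(?P<delta>\d{2}:\d{2}:\d{2}\.\d+) '
    r'rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): '
    r'(?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+): \((?P<hdr>.*)\)$'
)
PROTO_RE = re.compile(r'proto (?P<name>\w+) \((?P<num>\d+)\)')
LENGTH_RE = re.compile(r'length (?P<len>\d+)')

# Line 2 of a packet: <src>.<sport> > <dst>.<dport>: <protocol-specific detail>
FLOW_RE = re.compile(
    r'^(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > '
    r'(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): (?P<detail>.*)$'
)


def parse_pf_syslog(text: str) -> List[Dict]:
    """Pair header and flow lines into one record per logged packet."""
    records: List[Dict] = []
    pending: Optional[Dict] = None
    for raw in text.splitlines():
        m = SYSLOG_RE.match(raw)
        if not m:
            continue  # not a pf line from this syslog source; skip it
        payload = m.group('payload')
        h = HEADER_RE.match(payload)
        if h:
            if pending is not None:
                records.append(pending)  # previous packet never got a flow line
            hdr = h.group('hdr')
            proto = PROTO_RE.search(hdr)
            length = LENGTH_RE.search(hdr)
            pending = {
                'syslog_ts': m.group('ts'),
                'rule': int(h.group('rule')),
                'subrule': int(h.group('sub')),
                'reason': h.group('reason'),
                'action': h.group('action'),
                'direction': h.group('dir'),
                'iface': h.group('iface'),
                'proto': proto.group('name') if proto else None,
                'proto_num': int(proto.group('num')) if proto else None,
                'length': int(length.group('len')) if length else None,
                'src': None, 'sport': None, 'dst': None, 'dport': None, 'detail': None,
            }
            continue
        f = FLOW_RE.match(payload)
        if f and pending is not None:
            pending.update({
                'src': f.group('src'), 'sport': int(f.group('sport')),
                'dst': f.group('dst'), 'dport': int(f.group('dport')),
                'detail': f.group('detail'),
            })
            records.append(pending)
            pending = None
    if pending is not None:
        records.append(pending)
    return records


def bucket_by_action(records: List[Dict]) -> Dict[str, List[Dict]]:
    """Split records into the two buckets from the thread: blocked / not blocked."""
    buckets: Dict[str, List[Dict]] = {'blocked': [], 'not blocked': []}
    for r in records:
        key = 'blocked' if r['action'] == 'block' else 'not blocked'
        buckets[key].append(r)
    return buckets


if __name__ == '__main__':
    for name, recs in bucket_by_action(parse_pf_syslog(SAMPLE_LOG)).items():
        print(name)
        for r in recs:
            print(f"  rule {r['rule']} {r['action']} {r['direction']} on {r['iface']}: "
                  f"{r['proto']} {r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} len {r['length']}")
```

The pairing relies on line order, which syslog preserves for a single source but which a collector that interleaves several hosts will not; feeding each firewall's lines through its own parser instance keeps the header/flow pairs intact.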