On 3/2/10 7:59 AM, David Burgess wrote:
> On Tue, Mar 2, 2010 at 8:54 AM, Hiren Joshi <[email protected]> wrote:
>
>> I'm using the "packet capture" bit in pfsense. Is there a way of doing
>> this via the shell (I'm new to BSD, more of a Linux person) and leaving
>> it running (filtered by hostname) for a few hours/days? This way I can
>> dump it all and analyse it in wireshark.
>
> tcpdump. For example,
>
> tcpdump -i vr0 -n -w capture.pcap
>
> -i for the interface, -n to disable name resolution, capture.pcap is
> the capture file. I'm not sure if you have to do anything special to
> make it readable in wireshark.
No special treatment needed -- wireshark will take pcap files as input.
However, you might want to bear a couple of things in mind:

1. By default, tcpdump grabs only the first 68 bytes of each packet. You
   can override this with the '-s' flag, for example with a switch such as
   '-s 1500'. This is essential if you need to see deeper into the packet,
   but the tradeoff is increased processing time. If you just need TCP
   headers you shouldn't need this switch.

2. Depending on link utilization tcpdump can capture a *lot* of traffic.
   If you know you only want to see traffic from/to a specific host, or
   for a given protocol, there are filters you can add at the end of a
   tcpdump command to limit what it will capture -- and wireshark uses
   identical capture filter syntax. The tcpdump manpage or wireshark docs
   have more info.

dn

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Commercial support available - https://portal.pfsense.org
---------------------------------------------------------------------
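Putting the thread's advice together, here is an added example (not from either poster) of a small sh script that starts a detached, host-filtered tcpdump capture on a pfSense/FreeBSD box and keeps it within a bounded ring of pcap files so a multi-day run cannot fill the disk. The interface name, host address, file paths and the 100 MB / 10 file rotation values are assumptions; adjust them for your box.

```shell
#!/bin/sh
# Added example: long-running, host-filtered tcpdump from the pfSense shell.
# Flags used, matching the advice in the thread:
#   -i <iface>   interface to listen on (vr0 below is an assumed name)
#   -n           no name resolution while capturing
#   -s <bytes>   snaplen; raise it (e.g. 1500) when you need payload, not
#                just headers, at the cost of more processing per packet
#   -w <file>    write raw pcap, which Wireshark opens directly
#   -C/-W        rotate at <MB> per file and keep at most <count> files,
#                overwriting the oldest, so a days-long capture stays bounded
#   host <h>     capture filter; Wireshark uses the same capture-filter syntax

# Build the command line from its parts so it can be inspected before running.
# Arguments: iface snaplen host outfile max_mb file_count
build_tcpdump_cmd() {
    iface=$1; snaplen=$2; target=$3; outfile=$4; max_mb=$5; nfiles=$6
    printf 'tcpdump -i %s -n -s %s -C %s -W %s -w %s host %s' \
        "$iface" "$snaplen" "$max_mb" "$nfiles" "$outfile" "$target"
}

# Start the capture under nohup so it survives the SSH session ending, and
# record the PID so the capture can be stopped cleanly later with
#   kill "$(cat /var/tmp/capture.pcap.pid)"
start_capture() {
    cmd=$(build_tcpdump_cmd "$@")
    pidfile=$4.pid
    nohup sh -c "$cmd" >/dev/null 2>&1 &
    echo $! > "$pidfile"
    echo "started: $cmd (pid $(cat "$pidfile"))"
}

# Assumed values: interface vr0, full 1500-byte frames, one host of interest,
# ten 100 MB files in /var/tmp. Uncomment to run as root on the firewall:
# start_capture vr0 1500 192.0.2.10 /var/tmp/capture.pcap 100 10
```

The rotated files are named capture.pcap0, capture.pcap1, ... and can be opened in Wireshark individually or merged with mergecap.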
