tcpdump

When you are troubleshooting network problems, you may find it necessary to capture packets, which is also known as packet sniffing. One way to do this is with tcpdump, a command-line tool that can capture and analyze packets and either display the details on screen or save them to a file. tcpdump uses the libpcap library to implement its packet capturing functionality.

You should consider which interface's traffic you want to capture, as the results can be very different depending on which interface you monitor. In many cases you will want to focus on a single interface; in others, you may want to capture traffic from several interfaces at the same time. To use tcpdump, you need to know the underlying device names of the interfaces you want to monitor; if you do not remember them, navigate to Interfaces | (assign) and view them there. The console menu also lists each interface along with its device name. Finally, you can list the interfaces tcpdump itself can capture on by issuing the following command at the console shell:

tcpdump -D

To run tcpdump on a single interface, type this:

tcpdump -i interface_name

In this case, interface_name is the device name (for example, fxp0 or em0). Note that running tcpdump without -i does not capture on all interfaces: tcpdump searches the system's interface list for the lowest-numbered configured, up interface (excluding loopback) and captures on that one only, which is rarely the interface you meant. pfSense runs on FreeBSD, where libpcap has no "any" pseudo-interface, so to capture on several interfaces at once you need to run a separate tcpdump for each.

You might notice that, when you run tcpdump, it normally displays hostnames rather than IP addresses for both the source and the destination. This is tcpdump's own default behaviour rather than something pfSense adds: it performs a reverse DNS lookup on every address it prints. Those lookups can generate a considerable volume of DNS traffic, slow the display down, and even appear in the capture itself if the firewall's resolver traffic leaves through the interface being monitored. The way to prevent this is the -n option, which tells tcpdump not to resolve addresses (or ports) to names; it is worth adding to almost every capture. A separate way to keep a capture manageable is to limit the number of packets captured with the -c option, after which tcpdump exits on its own. To limit the capture to 10 packets, type the following:

tcpdump -c 10

Modern versions of tcpdump capture each packet in full by default (the default snapshot length, 65535 bytes in older 4.x releases and 262144 bytes in current ones, exceeds any Ethernet frame; very old versions defaulted to just 68 bytes). If you are only interested in the headers, you can use the -s option to limit how many bytes of each packet are captured, which keeps capture files small and reduces the amount of data copied out of the kernel. Bear in mind that 96 bytes is enough for the Ethernet, IP and TCP headers when they carry no options, but it truncates the payload, so application data such as DNS answers or HTTP requests will be cut off; -s 0 means capture whole packets. To limit each packet to 96 bytes, type the following:

tcpdump -s 96

If you want to save the packets in pcap format for later analysis, you can do that as well. This is especially helpful if you have a graphical network protocol analyzer available on your PC, since the file can be copied off the firewall and opened there. Note that -w writes raw packets rather than the decoded text you see on screen, so the display options described below do not affect its contents; the -r option reads a saved file back on the firewall, and -n, -e, -v and so on can be applied at that point. To save the capture to a file, type the following:

tcpdump -w filename
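Putting the options above together, as an added example that is not from the book and not part of pfSense: a POSIX sh wrapper that assembles a capture-to-file command with name resolution disabled (-n), plus a check that reads the pcap global header of the resulting file and reports the snapshot length it was written with. The interface name em0, the file paths and the sample header bytes are assumptions constructed for the example.

```sh
#!/bin/sh
# Added example (not from the book, not part of pfSense): a small wrapper
# that assembles a tcpdump capture-to-file command from the options
# discussed above, plus a check of the file it produces. The interface
# name em0 and the file paths used below are illustrative assumptions.

# Build the capture command: -n (no reverse DNS lookups), -i interface,
# -s snaplen (0 = whole packets), -w output file, -c count (0 = run until
# interrupted) and an optional BPF filter. The command is printed rather
# than executed so it can be reviewed first.
build_capture_cmd() {
    iface=$1 outfile=$2 snaplen=${3:-0} count=${4:-100} filter=$5
    cmd="tcpdump -n -i $iface -s $snaplen -w $outfile"
    if [ "$count" -gt 0 ]; then
        cmd="$cmd -c $count"
    fi
    if [ -n "$filter" ]; then
        cmd="$cmd '$filter'"
    fi
    printf '%s\n' "$cmd"
}

# Run the command built above (needs root, as any capture does).
run_capture() {
    eval "$(build_capture_cmd "$@")"
}

# Read the pcap global header (first 24 bytes) of a file written with -w and
# print the snapshot length recorded in it. Returns 1 if the magic number is
# not pcap's, i.e. the file is not something -r or a graphical analyser can
# open. Byte order is taken from the magic number, because the host that
# wrote the file decides it.
pcap_snaplen() {
    hdr=$(od -An -tx1 -v -N 24 "$1" | tr -d ' \n')
    case "$hdr" in
        d4c3b2a1*) little=1 ;;   # little-endian writer (x86 pfSense)
        a1b2c3d4*) little=0 ;;
        *) echo "$1: not a pcap file" >&2; return 1 ;;
    esac
    # snaplen occupies bytes 16..19 of the header, i.e. hex characters 33..40
    s=$(printf '%s' "$hdr" | cut -c33-40)
    if [ "$little" -eq 1 ]; then
        s=$(printf '%s' "$s" | sed 's/\(..\)\(..\)\(..\)\(..\)/\4\3\2\1/')
    fi
    echo $((0x$s))
}

# Constructed sample: the 24-byte header that "tcpdump -s 96 -w" would write
# on a little-endian host (pcap 2.4, snaplen 96, link type 1 = Ethernet),
# with no packet records. Used only so the check above can run offline.
make_sample_pcap_header() {
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\140\000\000\000\001\000\000\000' > "$1"
}
```

On the firewall, run_capture em0 /root/wan.pcap 0 0 'port 53' captures DNS traffic on em0 until you press Ctrl-C; afterwards pcap_snaplen /root/wan.pcap tells you whether the file is intact and whether it holds whole packets (a snaplen of 262144 or 65535) or only headers (96).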

Be aware that tcpdump puts the network interface into promiscuous mode by default, so it captures every frame that reaches the interface, not just those addressed to its own MAC address (plus broadcast and the multicast groups it has joined). On modern switched networks this matters less than it once did, because a switch normally forwards to an interface only the traffic it should receive. If you nevertheless find that you are capturing a lot of traffic that is not of interest to you, the -p option runs tcpdump in non-promiscuous mode. Two caveats: the interface may already be in promiscuous mode for some other reason (a bridge, for example), in which case -p changes nothing; and -p is therefore not a substitute for a filter on the local MAC address and broadcast.

If you need to control the verbosity of tcpdump's on-screen output, use the -v flag; -vv and -vvv each add more detail. This affects only what is printed on screen, not the contents of a capture file written with -w, which always holds the raw packets. When you combine a verbosity option with -w (and are not reading from a file with -r), tcpdump also reports the number of packets captured so far to standard error once per second; on FreeBSD, and therefore on pfSense, this periodic update can cause some packets to be missed, so leave it off for captures where completeness matters.

If you invoke the -e option, tcpdump prints the link-level header of each packet: on Ethernet that means the source and destination MAC addresses and, for tagged frames, the 802.1Q VLAN tag information. This is the option to reach for when you need to know which physical host or VLAN a packet actually came from.

For TCP traffic, tcpdump displays sequence numbers. The first packet it sees of a connection (normally the SYN) shows the large, absolute initial sequence number; every subsequent packet of the same connection is shown with a small relative number counted from that initial value, which is easier to follow and saves display space. If you want to see the actual sequence numbers, for example to match them against a capture taken on another host, use the -S flag.

If you want a simple frontend for tcpdump, the web GUI provides one under Diagnostics | Packet Capture. The defaults on that page are sensible ones chosen by pfSense and do not always match the command-line tool's own defaults (reverse DNS lookups, for instance, are off). Use the Interface drop-down box to choose the interface whose packets will be captured; there is no option to capture on all interfaces at once. Enabling Promiscuous causes tcpdump to put the interface into promiscuous mode. The Address Family drop-down lets you select IPv4 or IPv6 packets (or both), and the Protocol drop-down restricts the capture to packets of one protocol.

The Host Address field allows you to specify a source or destination IP address or subnet (in CIDR notation); tcpdump will then match the address in either the source or the destination field. You can also combine addresses with Boolean operators: prefixing an address with an exclamation mark (!) negates it, so that all packets are captured except those that have the address as their source or destination; separating addresses with a comma performs a Boolean AND, and separating them with a pipe (|) performs a Boolean OR.

If you specify a port in the Port edit box, tcpdump filters by port, matching it in either the source or the destination field. The Packet Length edit box lets you specify the number of bytes of each packet that will be captured (the equivalent of the -s command-line option); the default value is 0, meaning that the entire packet is captured. The Count field sets the number of packets tcpdump will capture before stopping (the -c option); the default value is 100, and a value of 0 causes tcpdump to capture continuously until you press Stop.
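To see what the Host Address, Port, Address Family and Protocol fields amount to on the command line, here is an added example (not pfSense's own code, which may build its filter differently): a POSIX sh translation of the field syntax described above into a tcpdump filter expression. The precedence it assumes, commas binding tighter than pipes with each pipe-separated group parenthesised, is an assumption made for illustration; the interface name em0 in the usage function is likewise illustrative.

```sh
#!/bin/sh
# Added example, not pfSense's own code: translate the Packet Capture page's
# field syntax (Address Family, Protocol, Host Address, Port) into the
# tcpdump filter expression you would type at the shell. The precedence
# used here, commas binding tighter than pipes and each pipe-separated group
# parenthesised, is an assumption made for this example; pcap filters give
# "and" and "or" equal precedence and evaluate left to right, so the
# parentheses are what keep the intended meaning.

# One Host Address term -> one BPF primitive. A leading "!" negates it and a
# /prefix makes it a "net" match; anything else is a "host" match.
bpf_term() {
    t=$1 neg=""
    case "$t" in '!'*) neg="not "; t=${t#"!"} ;; esac
    case "$t" in
        */*) printf '%snet %s' "$neg" "$t" ;;
        *)   printf '%shost %s' "$neg" "$t" ;;
    esac
}

# Whole Host Address field -> BPF expression: comma-separated terms are
# ANDed, pipe-separated groups are ORed. Runs in a subshell (parentheses
# instead of braces) so the IFS and set -f changes stay local.
gui_host_filter() (
    set -f                      # no pathname expansion on 192.168.1.0/24 etc.
    groups=0 expr="" g=""
    IFS='|'
    for group in $1; do
        g=""
        IFS=','
        for term in $group; do
            g="${g:+$g and }$(bpf_term "$term")"
        done
        IFS='|'
        groups=$((groups + 1))
        expr="${expr:+$expr or }($g)"
    done
    if [ "$groups" -eq 1 ]; then expr=$g; fi   # a lone group needs no parens
    printf '%s\n' "$expr"
)

# All four fields -> one filter string. Parts are ANDed; the host part is
# parenthesised when it contains an "or" so the port and protocol terms
# apply to every alternative. "any" (or empty) for family/protocol and 0
# (or empty) for port mean "no restriction", mirroring the page's defaults.
gui_filter() {
    fam=$1 proto=$2 hosts=$3 port=$4 f=""
    case "$fam" in ipv4) f="ip" ;; ipv6) f="ip6" ;; esac
    if [ -n "$proto" ] && [ "$proto" != any ]; then
        f="${f:+$f and }$proto"
    fi
    if [ -n "$hosts" ]; then
        h=$(gui_host_filter "$hosts")
        case "$h" in *" or "*) h="($h)" ;; esac
        f="${f:+$f and }$h"
    fi
    if [ -n "$port" ] && [ "$port" != 0 ]; then
        f="${f:+$f and }port $port"
    fi
    printf '%s\n' "$f"
}

# The command line equivalent to pressing Start with the page's other
# defaults (Count 100, Packet Length 0, reverse DNS off). Printed, not run.
gui_equivalent_cmd() {
    iface=$1; shift
    printf "tcpdump -n -i %s -c 100 -s 0 '%s'\n" "$iface" "$(gui_filter "$@")"
}
```

For instance, gui_equivalent_cmd em0 ipv4 tcp '10.0.0.5|10.0.0.6' 443 prints a command whose filter reads ip and tcp and ((host 10.0.0.5) or (host 10.0.0.6)) and port 443; without the inner parentheses, tcpdump's left-to-right evaluation would apply the port test to only the second alternative.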

The Level of detail drop-down box selects how much detail is displayed once the capture has finished and you view it (the equivalent of -v, -vv and -vvv on the command line). As on the command line, this does not affect the level of detail in the packet capture file, which always contains the raw captured packets.

The Reverse DNS Lookup option, if enabled, will cause tcpdump to perform a reverse DNS lookup on all addresses. As noted before, this is generally not recommended because reverse DNS lookups can generate considerable DNS traffic. When you finish selecting options, click on the Start button.

When tcpdump is running, you should see a Packet capture is running message across the bottom of the page, and the Start button becomes a Stop button. Once tcpdump has finished, either because it has captured the number of packets it was set to capture or because you pressed Stop, a Packets Captured list box appears with information about the captured packets. You can change the level of detail shown on the page by changing the Level of Detail value and clicking on the View Capture button. You can also save the packet capture by clicking on Download Capture.
