tcpdump

Often the most effective way of troubleshooting a networking problem is through packet capturing, also known as packet sniffing. One way of capturing packets is to use the command-line tool tcpdump, which is part of the default pfSense installation. tcpdump is a command-line utility used to capture and analyze packets; details can either be displayed on the screen or saved to a file. It uses the libpcap library for packet capturing.

The results of packet capture will differ depending on which interface's traffic you capture. As a result, you should give some consideration as to which interface's traffic you choose to capture, and in some cases, you may want to capture traffic from several interfaces at the same time. In order to use tcpdump, you will have to use the underlying device names of the interfaces. If you don't remember what they are, you can navigate to Interfaces | (assign) within the web GUI. The console menu also lists each interface and has a separate column for the device name. Another way of retrieving a list of interface names is to issue the following command from the console shell:

tcpdump -D

Then, to run tcpdump on a single interface, type the following:

tcpdump -i interface_name

Here, interface_name is the device name (for example, fxp0, em1, and so on). Alternatively, you can run tcpdump without any command-line options to capture packets from all interfaces.

If you run tcpdump, you may notice that the hostname of the source and destination is displayed. By default, tcpdump does a DNS lookup on IP addresses. As a result, tcpdump can generate a considerable amount of DNS traffic; however, you can prevent this. By default, tcpdump runs continuously until you press Ctrl + C, but you can limit the number of packets captured with the –c option, for example:

tcpdump -c 10

This will cause tcpdump to capture 10 packets and then stop running. The default maximum capture size for each packet is 64 K, but in many cases, you may only want to see what's in the header. You can use the –s parameter to limit the amount of each packet captured, for example:

tcpdump -s 96

This will only capture the first 96 bytes of each packet.

tcpdump allows you to save packet capture files in pcap format for later analysis.

This is useful, especially if you want to load the files onto another computer running Wireshark or some other graphical network protocol analyzer. To save the output to a file, use the –w option, like this:

tcpdump -w filename

Be aware that when you are using this option, the frames will not be displayed on the screen, as they otherwise would be. Also, be aware that the file will be saved in pcap (packet capture), rather than ASCII, format.
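To make the two points above concrete (the -s snapshot length and the pcap file that -w writes), here is an added example, not code from the book or from tcpdump itself. It builds a small pcap capture in memory with the snaplen that -s 96 would give, parses it back with a minimal reader of the libpcap file format, and reports which records were cut short. The frames, MAC addresses and timestamps are constructed for the illustration; nothing here touches a real interface.

```python
"""Minimal reader for the pcap format written by `tcpdump -w`.

Constructed example: a capture is built in memory with snaplen 96 (what
`tcpdump -s 96` would store), parsed back, and each record is summarised
the way `tcpdump -e` prints the link-layer header.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

PCAP_MAGIC_US = 0xA1B2C3D4   # microsecond timestamps (classic tcpdump output)
PCAP_MAGIC_NS = 0xA1B23C4D   # nanosecond-resolution variant
LINKTYPE_ETHERNET = 1
GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16


@dataclass
class PcapRecord:
    ts: float
    incl_len: int   # bytes stored in the file (capped at snaplen, i.e. the -s value)
    orig_len: int   # bytes that were actually on the wire
    data: bytes

    @property
    def truncated(self) -> bool:
        return self.incl_len < self.orig_len


def build_pcap(frames: List[Tuple[int, bytes]], snaplen: int = 96) -> bytes:
    """Write a little-endian pcap blob, cutting each frame to snaplen as -s does."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts_us, frame in frames:
        stored = frame[:snaplen]
        out += struct.pack("<IIII", ts_us // 1_000_000, ts_us % 1_000_000,
                           len(stored), len(frame))
        out += stored
    return out


def parse_pcap(blob: bytes) -> Tuple[dict, List[PcapRecord]]:
    """Return (global header fields, records); accepts either byte order."""
    if len(blob) < GLOBAL_HEADER_LEN:
        raise ValueError("too short for a pcap global header")
    for order in ("<", ">"):
        magic = struct.unpack_from(order + "I", blob, 0)[0]
        if magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
            break
    else:
        raise ValueError("not a pcap file: bad magic")
    _, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack_from(
        order + "IHHiIII", blob, 0)
    frac_divisor = 1e9 if magic == PCAP_MAGIC_NS else 1e6
    header = {"version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype}

    records: List[PcapRecord] = []
    offset = GLOBAL_HEADER_LEN
    while offset < len(blob):
        if offset + RECORD_HEADER_LEN > len(blob):
            raise ValueError(f"truncated record header at offset {offset}")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack_from(order + "IIII", blob, offset)
        offset += RECORD_HEADER_LEN
        # A record claiming more than snaplen, more than its wire length, or more than
        # the file holds is corrupt: refuse it instead of slicing junk off the end.
        if incl_len > snaplen or incl_len > orig_len or offset + incl_len > len(blob):
            raise ValueError(f"bad record length {incl_len} at offset {offset - RECORD_HEADER_LEN}")
        records.append(PcapRecord(ts_sec + ts_frac / frac_divisor, incl_len, orig_len,
                                  blob[offset:offset + incl_len]))
        offset += incl_len
    return header, records


def ethernet_summary(rec: PcapRecord) -> str:
    """Roughly what `tcpdump -e` shows: src > dst MAC, EtherType, wire length."""
    if len(rec.data) < 14:
        return "[frame too short for an Ethernet header]"

    def mac(raw: bytes) -> str:
        return ":".join(f"{b:02x}" for b in raw)

    dst, src = rec.data[:6], rec.data[6:12]
    etype = struct.unpack("!H", rec.data[12:14])[0]
    flag = " [|truncated]" if rec.truncated else ""
    return f"{mac(src)} > {mac(dst)}, ethertype 0x{etype:04x}, length {rec.orig_len}{flag}"


def constructed_capture() -> bytes:
    """Two made-up frames: a 60-byte ARP broadcast and a 200-byte IPv4 frame."""
    arp = bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455") + b"\x08\x06"
    small = arp + b"\x00" * 46                     # 60 bytes: fits within -s 96
    ipv4 = bytes.fromhex("00aabbccddee") + bytes.fromhex("001122334455") + b"\x08\x00"
    large = ipv4 + bytes(range(186))               # 200 bytes: will be cut to 96
    return build_pcap([(1_700_000_000_000_000, small), (1_700_000_000_000_500, large)])


if __name__ == "__main__":
    hdr, recs = parse_pcap(constructed_capture())
    print("snaplen", hdr["snaplen"], "linktype", hdr["linktype"])
    for r in recs:
        print(ethernet_summary(r))
```

The incl_len/orig_len pair in each record header is how Wireshark knows a packet was truncated by the snaplen rather than short on the wire, which is why a capture taken with a small -s value still reports the true frame sizes.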

By default, tcpdump puts your network interface into promiscuous mode so that it shows every frame on the wire, not just frames being sent to its MAC address. In modern networks, this should not be much of a problem, as most networks employ switches, and the interface generally will only receive traffic it should receive. If you have hubs on your network, however, running tcpdump in promiscuous mode can result in you capturing a great deal of traffic that may not be of interest to you. By using the -p option, which runs tcpdump in non-promiscuous mode, you can improve the signal-to-noise ratio and focus on traffic destined for the interface on which you are capturing packets.

You can control the verbosity of tcpdump's output with the -v flag. This flag only controls the output on the screen and not the contents of tcpdump output saved to a file (assuming that output is being saved). In addition to -v, you may also choose -vv or -vvv, which provide additional verbosity for screen output. If you invoked the -w option to write to a file along with one of the verbosity options, then tcpdump will report the number of packets captured at 10-second intervals.

The -e option causes tcpdump to display the MAC addresses of the source and destination of the packet as well as 802.1Q VLAN tag information.

You may notice that tcpdump displays packet sequence numbers. You may also notice that when displaying multiple packets from the same source/destination, the first packet in a series of packets has large sequence numbers, but all subsequent packets have smaller numbers. This is because tcpdump switches to relative sequence numbers in order to save display space. To see only actual sequence numbers, use the -S flag.

If you want a simple frontend for tcpdump, you can use the tcpdump page in the web GUI instead. To do so, navigate to Diagnostics | Packet Capture. Once there, use the Interface drop-down box to select the interface whose packets will be captured (note that there does not seem to be an option to capture all interfaces on this page). Checking the Promiscuous checkbox enables promiscuous mode. The Address Family drop-down box allows you to select IPv4 packets, IPv6 packets, or both. The Protocol drop-down box has several options: you can capture any packets (Any), or the following: ICMP, Exclude ICMP, ICMPv6, Exclude ICMPv6, TCP, Exclude TCP, UDP, Exclude UDP, ARP, Exclude ARP, CARP, Exclude CARP, pfsync, Exclude pfsync, ESP, and Exclude ESP.

The Host Address edit box allows you to specify a source or destination IP address or subnet (in CIDR notation). tcpdump will look for the address specified in either field. You can negate the IP address by preceding the value with !, in which case tcpdump will match everything except the IP address. Multiple IP addresses or CIDR subnets may be specified here; comma-separated values (,) perform a Boolean AND, while separating addresses with a pipe (|) performs a Boolean OR. If this field is left blank, then all packets on the specified interface that meet the other criteria specified will be captured, regardless of the source or destination IP address.

If you specify a port in the Port edit box, tcpdump will look for the port in either field. If you leave this field blank, tcpdump will not filter by port. The Packet Length edit box lets you specify the number of bytes of each packet that will be captured. The default value is 0, which will cause the entire frame to be captured. The Count edit box allows you to specify the number of packets tcpdump will grab. The default value is 100; specifying 0 will result in tcpdump continuously capturing packets.
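The Host Address, Port, Address Family and Protocol fields are, in the end, turned into a tcpdump filter expression. The following added example (not pfSense's own code, which may assemble the filter differently) implements the rules the page describes, so you can see what the web page's syntax amounts to on the command line: a comma is AND, a pipe is OR, a leading ! negates, a value with a slash is a subnet, and a blank field adds no constraint. It assumes one thing the page does not state, namely that comma binds tighter than pipe, so a,b|c reads as (a AND b) OR c. The BPF terms for CARP and pfsync are written as proto carp and proto pfsync, which rely on those names being in /etc/protocols on the pfSense host; that too is an assumption here.

```python
"""Build a tcpdump/BPF filter from the Diagnostics | Packet Capture field syntax.

Added illustration of the rules the page states; it is not pfSense's code.
Assumptions: ',' binds tighter than '|', and 'carp'/'pfsync' resolve through
/etc/protocols on the capturing host.
"""
import ipaddress

# BPF term for each entry of the Protocol drop-down (without the "Exclude" prefix).
PROTO_TERMS = {
    "icmp": "icmp", "icmpv6": "icmp6", "tcp": "tcp", "udp": "udp",
    "arp": "arp", "carp": "proto carp", "pfsync": "proto pfsync", "esp": "esp",
}
FAMILY_TERMS = {"any": None, "ipv4": "ip", "ipv6": "ip6"}


def _host_term(token: str) -> str:
    """One address or CIDR entry, with optional leading '!' meaning NOT."""
    token = token.strip()
    negate = token.startswith("!")
    if negate:
        token = token[1:].strip()
    if not token:
        raise ValueError("empty host term")
    if "/" in token:
        # ip_network validates the entry and rejects junk with ValueError
        net = ipaddress.ip_network(token, strict=False)
        term = f"net {net.with_prefixlen}"
    else:
        term = f"host {ipaddress.ip_address(token)}"
    return f"not {term}" if negate else term


def host_filter(expr: str) -> str:
    """',' = AND, '|' = OR. Assumption: ',' binds tighter than '|'."""
    groups = []
    for group in expr.split("|"):
        terms = [_host_term(t) for t in group.split(",") if t.strip()]
        if not terms:
            raise ValueError("empty OR group in host expression")
        groups.append(" and ".join(terms))
    if len(groups) == 1:
        return groups[0]
    return " or ".join(f"({g})" for g in groups)


def build_filter(host: str = "", port: str = "", protocol: str = "Any",
                 family: str = "Any") -> str:
    """Combine the four fields; a blank field adds no clause, like the GUI."""
    clauses = []
    fam = FAMILY_TERMS[family.strip().lower()]
    if fam:
        clauses.append(fam)
    proto = protocol.strip().lower()
    if proto != "any":
        negate = proto.startswith("exclude ")
        name = proto[len("exclude "):].strip() if negate else proto
        if name not in PROTO_TERMS:
            raise ValueError(f"unknown protocol {protocol!r}")
        clauses.append(f"not {PROTO_TERMS[name]}" if negate else PROTO_TERMS[name])
    if host.strip():
        hf = host_filter(host)
        # parenthesise compound host expressions so the AND with port/protocol is unambiguous
        clauses.append(f"({hf})" if " or " in hf or " and " in hf else hf)
    if port.strip():
        p = int(port)
        if not 0 < p <= 65535:
            raise ValueError(f"port out of range: {port}")
        clauses.append(f"port {p}")
    return " and ".join(clauses)


if __name__ == "__main__":
    # Constructed field values, as a user might type them into the page.
    print(build_filter(host="10.0.0.1,!192.168.1.0/24|10.0.0.2", port="443",
                       protocol="TCP", family="IPv4"))
    print(build_filter(protocol="Exclude ICMPv6"))
```

The output of the first call is a filter you could paste straight after tcpdump -i interface_name on the console, which is a convenient way to check that a GUI capture is matching what you intended before leaving it running.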

The Level of detail drop-down box controls the amount of detail that will be displayed after you hit Stop when packets have been captured. The options are Normal, Medium, High, and Full. This option does not affect the level of detail in the packet capture file if you choose to download it when the packet capture completes.

The Reverse DNS Lookup checkbox, if checked, will result in tcpdump performing a reverse DNS lookup on all IP addresses. As noted when discussing the command-line options for tcpdump, doing a reverse DNS lookup generates considerable DNS traffic and also creates delays, and therefore is not generally recommended. When you are done selecting options on this page, click on the Start button.

Once you click on Start, you should see a Packet capture is running message across the bottom of the page, and the Start button should become a Stop button. Once you click on the Stop button, a Packets Captured listbox will appear at the bottom of the page with information about the packets captured. You can change the level of detail by changing the value in the Level of Detail edit box and clicking on View Capture to update the display. Finally, you can save the packet capture by clicking on the Download Capture button; this will save the capture as a .cap file which can be opened by many network protocol analyzers such as Wireshark.
