pfSniffer? A non-firewall use for pfSense

April 22, 2008 at 9:10 pm 3 comments

Several years ago my company looked into getting Distributed Sniffer Appliances, made by Network General. These are devices that attach to an Ethernet segment (at a branch office) and allow you to remotely connect and pull traces. Ideally, we would have loved to have these in each remote location so that we could more easily troubleshoot problems that seemed to crop up regularly. They looked like very nice appliances, but Network General wanted an arm and a leg for each one, so we passed.

We recently had a need for this sort of thing and I had a great idea. Many months ago, I noticed that pfSense had added a very nifty feature called Packet Capture. Essentially, the pfSense WebGUI has an interface to tcpdump, allowing you to put in some simple filter criteria (source/destination IP Address) and have a trace executed on a particular interface. This is a really nice feature for troubleshooting your firewall, but I thought that this could be used to make a distributed “pfSniffer”.

Using standard desktop PCs, we added a NIC, loaded pfSense, then configured it so that the WAN interface allows all traffic incoming. The LAN interface has a “fake” IP subnet assigned and everything is blocked incoming. Both of these NICs are attached to the same physical network. The WAN interface is given the default gateway pointing to that location’s router (we have a private WAN). We keep careful track of the switch and port where the LAN interface is attached. When we need to trace something it’s a simple matter of mirroring the desired port to the port containing our “pfSniffer” LAN interface. Then, just web into pfSense, perform a trace, and download it via Firefox. Assuming WireShark is installed on the workstation that you are connecting in from, when you select the download button, it launches WireShark and loads the trace right up.
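As an added example (not code from the original post or from the pfSense project), here is the capture step done from a shell on the sniffer box itself, wrapping tcpdump the way the Packet Capture page does, with the same simple criteria (interface, host filter, packet count). The interface name `em1`, the output path and the count are assumptions; the host filter is validated before it reaches the tcpdump filter expression.

```shell
#!/bin/sh
# Added example: command-line equivalent of the pfSense Packet Capture page,
# meant for the mirrored (LAN-side) NIC of the "pfSniffer" box.

# Accept only a dotted-quad IPv4 address as the host filter, so the value
# can be placed in a tcpdump filter expression without any surprises.
is_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.
  set -- $1                      # split into the four octets
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Build (but do not run) the tcpdump command so it can be reviewed first:
#   -n   no DNS lookups from the sniffer box
#   -s 0 keep whole frames
#   -c N bound the capture so a forgotten trace cannot fill the disk
#   -w   write a pcap file that Wireshark opens directly
build_capture_cmd() {
  iface=$1; host=$2; count=$3; out=$4
  case $count in
    ''|*[!0-9]*) echo "packet count must be a number: $count" >&2; return 1 ;;
  esac
  filter=''
  if [ -n "$host" ]; then
    is_ipv4 "$host" || { echo "bad host filter: $host" >&2; return 1; }
    filter="host $host"
  fi
  printf 'tcpdump -i %s -n -s 0 -c %s -w %s' "$iface" "$count" "$out"
  [ -n "$filter" ] && printf ' %s' "$filter"
  printf '\n'
}

# Placeholder values: the mirrored NIC, a host of interest, 100 packets.
build_capture_cmd em1 10.20.30.40 100 /tmp/trace.pcap
```

The function prints the command rather than executing it, so the exact filter can be checked (or pasted into a shell) before the capture runs.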

Sure, it’s not as slick as Network General’s Distributed Sniffer appliance, but it works very well and the price is exactly what we had budgeted! Prior to this idea, we were planning to just install a desktop with Wireshark in every location and remote control it when we needed to troubleshoot. When this was suggested to me, though, I thought that combing through a trace of any significant size over a slow WAN link would be annoying, plus you’d have to filter out the remote control traffic unless you installed a second NIC in the desktop. Not to mention the fact that it would be another machine to keep patched and updated with the latest version of Wireshark everywhere. Lastly, machines loaded with Windows that weren’t obviously in use might have a tendency to get used as a spare workstation.

Anyhow, we’ve installed them in a few offices so far and have been very happy with the results.


Entry filed under: Networking.


3 Comments

  • […] We recently had a need for this sort of thing and I had a great idea. Many months ago, I noticed that pfSense had added a very nifty feature called Packet Capture. Essentially, the pfSense WebGUI has an interface to tcpdump, allowing you to put in some simple filter criteria (source/destination IP Address) and have a trace executed on a particular interface. This is a really nice feature for troubleshooting your firewall, but I thought that this could be used to make a distributed “pfSniffer”. More… […]

  • […] Jack of All IT posted an interesting use for pfSense, as a dedicated sniffer box. 1.3 allows the configuration of just one network interface, so uses like this will be even easier in the future. […]

  • 3. The Cruft Of My Brain » Cheap remote sniffer  |  August 11, 2009 at 10:20 am

    […] Looking for a cheap and reliable way of doing packet capture remotely. I found this reference to using PFSense and it looks like a pretty slick idea. I was quite happy with PFSense when I was […]
