pfSniffer? A non-firewall use for pfSense
Several years ago my company looked into getting Distributed Sniffer Appliances, made by Network General. These are devices that attach to an Ethernet segment (at a branch office) and allow you to remotely connect and pull traces. Ideally, we would have loved to have these in each remote location so that we could more easily troubleshoot problems that seemed to crop up regularly. They looked like very nice appliances, but Network General wanted an arm and a leg for each one, so we passed.
We recently had a need for this sort of thing and I had a great idea. Many months ago, I noticed that pfSense had added a very nifty feature called Packet Capture. Essentially, the pfSense WebGUI has an interface to tcpdump, allowing you to put in some simple filter criteria (source/destination IP Address) and have a trace executed on a particular interface. This is a really nice feature for troubleshooting your firewall, but I thought that this could be used to make a distributed “pfSniffer”.
Using standard desktop PCs, we added a NIC, loaded pfSense, then configured it so that the WAN interface allows all traffic incoming. The LAN interface has a “fake” IP subnet assigned and everything is blocked incoming. Both of these NICs are attached to the same physical network. The WAN interface is given the default gateway pointing to that location’s router (we have a private WAN). We keep careful track of the switch and port where the LAN interface is attached. When we need to trace something it’s a simple matter of mirroring the desired port to the port containing our “pfSniffer” LAN interface. Then, just web into pfSense, perform a trace, and download it via Firefox. Assuming Wireshark is installed on the workstation that you are connecting in from, when you select the download button, it launches Wireshark and loads the trace right up.
Sure, it’s not as slick as Network General’s Distributed Sniffer appliance, but it works very well and the price is exactly what we had budgeted! Prior to this idea, we were planning to just install a desktop with Wireshark in every location and remote control it when we needed to troubleshoot. When this was suggested to me, though, I thought that combing through a trace of any significant size over a slow WAN link would be annoying, plus you’d have to filter out the remote control traffic unless you installed a second NIC in the desktop. Not to mention the fact that it would be another machine to keep patched and updated with the latest version of Wireshark everywhere. Lastly, machines loaded with Windows that weren’t obviously in-use might have a tendency to get used as a spare workstation.
Anyhow, we’ve installed them in a few offices so far and have been very happy with the results.
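For a first pass over a trace downloaded from the Packet Capture page before opening it in Wireshark, here is an added example (not part of the original post) that reads the capture file and counts IPv4 packets per source/destination pair, with the same kind of host filter the WebGUI offers. It assumes the download is a classic pcap file with Ethernet framing, as written by tcpdump; the function names and all addresses in the sample are constructed for illustration.

```python
import struct
from collections import Counter
from socket import inet_aton, inet_ntoa

MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # classic pcap magic -> byte order

def read_frames(data):
    """Yield raw Ethernet frames from a classic pcap file (the tcpdump -w format)."""
    order = MAGIC.get(data[:4])
    if order is None or len(data) < 24:
        raise ValueError("not a classic pcap file")
    if struct.unpack(order + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    pos = 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack(order + "I", data[pos + 8:pos + 12])[0]
        pos += 16
        if pos + incl_len > len(data):
            break  # download cut short: ignore the partial last record
        yield data[pos:pos + incl_len]
        pos += incl_len

def conversations(data, host=None):
    """Count IPv4 packets per (src, dst); with host set, keep only packets touching it."""
    counts = Counter()
    for frame in read_frames(data):
        off, ethertype = 14, frame[12:14]
        if ethertype == b"\x81\x00":  # 802.1Q tag, can appear when a trunk port is mirrored
            off, ethertype = 18, frame[16:18]
        if ethertype != b"\x08\x00" or len(frame) < off + 20:
            continue  # not IPv4 (ARP etc.) or cut off by the snap length
        src = inet_ntoa(frame[off + 12:off + 16])
        dst = inet_ntoa(frame[off + 16:off + 20])
        if host is None or host in (src, dst):
            counts[(src, dst)] += 1
    return counts

def sample_pcap(packets):
    """Build a constructed capture from (src, dst, vlan_tagged, ethertype) tuples."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, dst, vlan, ethertype in packets:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0, inet_aton(src), inet_aton(dst))
        frame = b"\x02" * 12 + (b"\x81\x00\x00\x0a" if vlan else b"") + ethertype + ip
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out
IP4, ARP = b"\x08\x00", b"\x08\x06"
SAMPLE = sample_pcap([("10.1.1.20", "10.1.1.5", False, IP4), ("10.1.1.20", "10.1.1.5", True, IP4),
                      ("10.1.1.5", "10.1.1.20", False, IP4), ("10.1.1.30", "10.1.1.5", False, IP4),
                      ("10.1.1.9", "10.1.1.1", False, ARP)])  # constructed, not real traffic
```

To use it on a real download, pass the file's bytes to `conversations()` and print `most_common()` on the result to see the busiest pairs on the mirrored port.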