pfSniffer? A non-firewall use for pfSense

Jack of All IT posted an interesting use for pfSense, as a dedicated sniffer box. 1.3 allows the configuration of just one network interface, so uses like this will be even easier in the future. 


7 Responses to “pfSniffer? A non-firewall use for pfSense”

  1. Adam Says:

    I also like the NTOP add-in. This gives me a general idea of the packets seen on an interface in a longer period of time. Works great for batching bandwidth abusers and those using protocols they shouldn’t really be using on our network…

  2. Wasca Says:

    Is NTOP still limited to only looking at traffic on the WAN and LAN?

    I have several OPT interfaces and another WAN, I’d love to use NTOP on all the interfaces.

  3. Bern Says:

    I recently did a consultancy job with a company that had appeared on all the DNS blacklists. Their admin guy didn’t realise that internal, random PCs were sending out on port 25.

    I put pfSense in as a transparent bridge, installed ntop and sat back…

    Within 30 minutes the rogue PC had attempted 18,000 SMTP sessions. Needless to say, that PC has been decommissioned and they’re now off the DNS blacklists.

    Hats off to pfSense for making the whole process so painless.

  4. Chris Buechler Says:

    Bern: that’s another cool non-firewall use, thanks for posting.

    Anyone else do anything “atypical” with pfSense? Please leave a comment.

  5. Sean Harlow Says:

    Here’s a trick I use for real-time monitoring of interfaces on *NIX boxes from other *NIX boxes (sorry Windows guys, your OS doesn’t seem to be able to pass arbitrary data as easily):

    First, I create a local FIFO to channel data through.

    Phoenix:~ wolrah$ mkfifo /tmp/pcap

    Then I open up an SSH connection and have it fire up tcpdump, redirecting stdout to the FIFO.

    Phoenix:~ wolrah$ ssh root@ "tcpdump -i eth0 -s 0 -w -" > /tmp/pcap

    -s 0 tells tcpdump to not truncate captured packets, -w - tells it to output raw pcap format data to stdout.
    If you want to use capture filters, put them after the dash. If you’re capturing from the same interface you connect to the box over, you should at the very least have 'not port 22' or 'not host x.x.x.x' to prevent it from making an infinite loop of trying to capture and forward copies of its own packets. When capturing over a WAN, filter it as much as possible to minimize the amount of traffic you’re moving.

    At this point, the SSH session will be stalled as there’s nothing listening on the FIFO. Open up another terminal and kick off Wireshark, telling it to start “capturing” on the FIFO immediately.

    Phoenix:~ wolrah$ wireshark -k -i /tmp/pcap

    The SSH session should now finish connecting and ask for authentication if needed. Once that’s taken care of, you’ll see the normal tcpdump status output in the window hosting the connection and Wireshark should start showing any captured packets.

    With some minor adjustments you can use the same trick with tshark or dumpcap for automated background logging to a file.

    I’m sure there’s even a way to drop the FIFO and just use it as a one-liner with pipes, but this way seems cleaner to me.

    I’ve used it with Wireshark running on OS X 10.4/10.5, Debian 4.0, and every version of Ubuntu from 6.06 on up, and the capture end on all of the above plus a few embedded Linux boxes (including DD-WRT and OpenWRT equipped SOHO routers) and pfSense.
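
Added example, not part of the original post or comments: the raw pcap stream that the tcpdump -w - command in comment 5 writes can also be tallied directly to spot the pattern Bern describes in comment 3, an internal host opening large numbers of SMTP sessions. The names smtp_syn_counts, sample_frame and smtp_syns.py are made up for this example, and it assumes a classic pcap stream (not pcapng) captured on Ethernet carrying IPv4.

```python
import struct, sys
from collections import Counter

MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",   # little-endian (usec / nsec)
          b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}   # big-endian

def smtp_syn_counts(stream):
    """Count initial TCP SYNs to port 25 per IPv4 source in a classic pcap stream."""
    hdr = stream.read(24)                      # pcap global header
    endian = MAGICS.get(hdr[:4])
    if len(hdr) < 24 or endian is None:
        raise ValueError("not a classic pcap stream")
    if struct.unpack(endian + "I", hdr[20:24])[0] & 0xFFFF != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    counts = Counter()
    while True:
        rec = stream.read(16)                  # per-packet record header
        if len(rec) < 16:
            return counts                      # EOF: capture ended
        incl_len = struct.unpack(endian + "I", rec[8:12])[0]
        pkt = stream.read(incl_len)
        if len(pkt) < incl_len:
            return counts                      # truncated final record
        off, etype = 14, pkt[12:14]
        if etype == b"\x81\x00":               # single 802.1Q VLAN tag
            off, etype = 18, pkt[16:18]
        if etype != b"\x08\x00" or len(pkt) < off + 20:
            continue                           # not IPv4
        if pkt[off] >> 4 != 4 or pkt[off + 9] != 6:
            continue                           # not TCP
        if struct.unpack("!H", pkt[off + 6:off + 8])[0] & 0x1FFF:
            continue                           # later fragment, no TCP header
        tcp = off + (pkt[off] & 0x0F) * 4      # skip IP options via IHL
        if len(pkt) < tcp + 14:
            continue
        dport = struct.unpack("!H", pkt[tcp + 2:tcp + 4])[0]
        if dport == 25 and pkt[tcp + 13] & 0x12 == 0x02:   # SYN set, ACK clear
            counts[".".join(map(str, pkt[off + 12:off + 16]))] += 1

def sample_frame(src, dport, flags):
    """Constructed sample: Ethernet + IPv4 + TCP headers, no payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes([192, 0, 2, 25]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, flags, 1024, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

if __name__ == "__main__":                     # e.g. python3 smtp_syns.py /tmp/pcap
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else sys.stdin.buffer
    for host, n in smtp_syn_counts(src).most_common(10):
        print(f"{host}\t{n}")
```

The tally is printed only once the stream ends, that is, when the tcpdump on the far side of the SSH session is stopped.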

  6. Wais Says:

    Could anyone tell me if I could use Wireshark on my pfSense?



  7. Chris Buechler Says:

    Wais: not installed locally, there isn’t X, but you can redirect it over SSH on a host that is running X. There are instructions on that in the book (, though it’s not specific to pfSense or any other product, Google can probably find info as well
