pfSense

https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/838

Louis B wrote in #note-7:

Sometimes, I would like to monitor what is happening on multiple vlans = interfaces at the same time. So I would be glad to see an option to start a packet capture on interface-1, and keep that one running when switching to inteface-2 and start another one.

Perhaps I can do that by starting two pfSense gui instances in parallel, however I am not sure that works.

For now, this can be achieved by capturing on the VLAN parent interface (given the VLANs are on the same interface).

Applied in changeset c016fea0222b8ebcb74c07ae5891da4c0fd65dee.

Spent a couple minutes with the new page and hit a few snags:

• It's kind of confusing having none of the filtering options visible by default, probably going to get a lot of questions about that. At least consider moving "Custom Filter" up under "Everything" and consider making the filtering drop-down a radio selector instead so the available options are much more obvious.

• It doesn't seem possible to do an "and". There are two "any of" types ("any of", "any of [OR]") but they both seem to do an 'or' in the filter when running the command (the command being run is identical and uses 'or') so I'm not sure what the difference is between those two options. For example in the old UI I could do 198.51.100.7,224.0.0.18 and it would capture only traffic where those two hosts were involved either as src->dst or dst->src. A brief look at the code seems to indicate "any of" should be "all of [AND]" since a logical and is not "any of", but something isn't working there since it's not actually doing an 'and' operation even when that is selected. The test I ran was with trying to filter two untagged host addresses. See the attached image. This is on the latest snapshot.

• When viewing a capture of CARP, it is not using the CARP format output (-T carp) as it did on the old page so it's misinterpreting it as VRRPv2 in the output. This is very important when diagnosing CARP issues.

Old:

10:34:43.227163 00:00:5e:00:01:4d > 01:00:5e:00:00:12, ethertype IPv4 (0x0800), length 70: (tos 0xe0, ttl 255, id 0, offset 0, flags [DF], proto VRRP (112), length 56)
    198.51.100.7 > 224.0.0.18: carp 198.51.100.7 > 224.0.0.18: CARPv2-advertise 36: vhid=77 advbase=1 advskew=0 authlen=7 counter=6443679781330698894

New:

14:33:52.724603 00:00:5e:00:01:4d > 01:00:5e:00:00:12, ethertype IPv4 (0x0800), length 70: (tos 0xe0, ttl 255, id 0, offset 0, flags [DF], proto VRRP (112), length 56)
    198.51.100.7 > 224.0.0.18: vrrp 198.51.100.7 > 224.0.0.18: VRRPv2, Advertisement, vrid 77, prio 0, authtype none, intvl 1s, length 36, addrs(7): 226.182.73.11,204.65.161.56,200.77.0.155,251.188.228.33,75.158.60.199,151.217.255.250,251.182.184.229

https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/1025

• Moved custom filter option to the first position in the list
• Add the option "all of" and "[OR] all of" for supported Types (host, mac, port)
• Add the "View Type" option to force a specific traffic type, e.g. for CARP

Applied in changeset 854a454c4ba5aaaabab98ddb657f775a1745094d.

Applied in changeset 0d9f5d520a886769bcbd8929db98e53a6623f569.

Alhusein Zawi wrote in #note-30:

Is there way to keep/add the classic view of the packet capture ?
in many cases I need to start a quick pcap by selecting 1 protocol (like icmp) without adding any filter.

The latest changes simplify the page and keeps the Custom Filter Options panel shown by default.

Applied in changeset d49f09459f3c317d4e32d2c5a42131f48b1ca68d.

There seems to be an issue with the logic on the page now. If you only want to filter based on the top section of custom filter options and leave the bottom section as-is, it always places or ((not vlan)) in the command line which makes the first part of the filter ineffective since it will match anything without a VLAN tag.

For example if you pick CARP from the protocol drop-down and click start, it uses:

/usr/sbin/tcpdump -ni vtnet1 -c 1000 -U -w - '((proto 112)) or ((not vlan))'

Thus it's matching any packet on that interface without a VLAN tag, which in this case is everything.

Similarly if you switch that tagged filter section option to "include any of" it adds or ((vlan)).

At least in the first case it seems like it should be and ((not vlan)), not or. The second case is less clear.

Thanks! https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/1032/diffs addresses that issue. This worked with every combination I could think of, including different tag levels, exclusions, and type presets.

Similarly if you switch that tagged filter section option to "include any of" it adds or ((vlan)).

This one is intended; it's needed to include both untagged and tagged packets at the same time (filtered as needed given the input). Using and vlan would force the match on a packet to be simultaneously tagged/untagged and would fail.

MRs merged, ready to be tested again.

Still seems to be OK at least with the light testing I've done. If any new problems come up they can go into separate Redmine issues.