Comments

3 comments

  • David Rothenberger

    Thanks for the useful information.

    I frequently do packet captures from my Firewalla. I just stream it directly to Wireshark running on my Windows PC. I use a command-line like this:

    ssh -n pi@fwg 'tcpdump -i any -s0 -U -w -' | wireshark -k -i -

    You can add additional filters to the tcpdump command-line, or limit the interface.

    Edit: Be sure you check for any running tcpdump processes on the Firewalla after you close Wireshark. It lingers sometimes and has to be killed manually.

  • Cole

    WOW! Fantastic. Thank you!

    Will be trying this shortly!

  • David Rothenberger

    Be sure to check the Firewalla after you close Wireshark to be sure your tcpdump process terminated. Sometimes, it lingers. Be careful, though, since Firewalla runs many tcpdump processes itself; be sure you kill the one you started and not one Firewalla started.

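An added example, not part of the thread: one way to single out the streamed capture among other tcpdump processes before killing anything. It matches only processes whose command is tcpdump and whose arguments contain `-w -` (pcap written to stdout), as in the command posted above. The process list is constructed sample data, and it is an assumption that Firewalla's own tcpdump processes do not write to stdout.

```shell
#!/bin/sh
# Added example: list the PIDs of tcpdump processes that stream to stdout.
# Input on stdin: lines of "PID ARGS..." as printed by `ps -eo pid=,args=`.
# Live use on the box (review the output before killing anything):
#   ps -eo pid=,args= | find_stream_tcpdump

find_stream_tcpdump() {
    awk '
    {
        pid = $1
        cmd = $2
        sub(/^.*\//, "", cmd)          # strip any leading path: /usr/sbin/tcpdump -> tcpdump
        if (cmd != "tcpdump") next     # skips shells, grep, etc. that merely mention tcpdump
        # Require "-w" immediately followed by "-" as separate arguments.
        for (i = 3; i < NF; i++) {
            if ($i == "-w" && $(i + 1) == "-") { print pid; next }
        }
    }'
}

# Constructed sample process list (assumed shapes, not real Firewalla output):
#   812  a capture writing to a file (stands in for one the system started)
#   2291 the shell that ssh spawned to run the remote command
#   2292 the streamed capture started over ssh
#   3010 a grep whose arguments happen to contain the same text
SAMPLE_PS='  812 /usr/sbin/tcpdump -i br0 -w /tmp/constructed.pcap port 53
 2291 bash -c tcpdump -i any -s0 -U -w -
 2292 tcpdump -i any -s0 -U -w -
 3010 grep tcpdump -w -'

# Returns the PIDs found in the sample list, one per line.
demo_sample() {
    printf '%s\n' "$SAMPLE_PS" | find_stream_tcpdump
}

demo_sample
```

Cross-check the start time of any PID it reports (for example with `ps -o lstart= -p PID`) against when the capture was started, since another streamed session would match the same pattern.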
