The FireBrick includes the ability to capture packet dumps for diagnostic purposes. This interface is provided via the web pages and provides a download of a pcap format file (old format) suitable for use with tcpdump or wireshark.
The output is streamed so that it can be used with curl and tcpdump to monitor traffic in real time.
Limited filtering is included in the dump, so additional filtering will normally be applied by tcpdump.
The URL is /pcap which has several form style arguments:-
interface | One or more interfaces, as the name of the interface. e.g. interface=WAN, also applies for name of PPPoE on an interface. |
l2tp | Where L2TP is available, one or more sessions, using the full hex accounting ID, can be specified, e.g. l2tp=002132D94AE297DFF51E01 or you can use l2tp=* followed by a calling line ID - this sets up logging for a session based on calling line id when it next connects. |
fb105 | Where FB105 tunnels are available, this is the local tunnel ID (1-255). |
dongle | Where USB Dongles are available, this is the name of the dongle from the congfig or the socket (e.g. "direct") of the dongle. |
snaplen | The maximum capture length for a packet can be specified, in bytes. Default 0 (auto). See notes below. |
timeout | The maximum capture time can be specified in seconds. Default 10. |
ip | Up to two IPs can be specified. |
self | By default any traffic to or from the IP which is connecting to the web interface to access pcap is excluded. This option allows such traffic. Use with care else you dump your own dump traffic. |
Important: The security checks are the main reason people do not manage to get this working, and the response may be a simple 404 error.
A simple example from a linux box:
curl --silent --no-buffer --user name:pass \
'http://1.2.3.4/pcap?interface=LAN&timeout=300&snaplen=1500' | \
/usr/sbin/tcpdump -r - -n -v
In this example we have used username user and password pass to log-in to a FireBrick on address 1.2.3.4. We have asked for a dump of the interface that has name="LAN" with a 5 minute timeout and capturing 1500 byte packets. We have then fed the output in real time (hence --no-buffer on curl) to tcpdump asking it to take from stdin (-r -) with no DNS resolution (-n) and verbose output. All the normal tcp dump controls apply.
The capture considers packets on the interfaces specified and sessions, etc, specified and checks if the packet matches the IPs. If no IPs, then all packets are returned. If one IP then all with that IP are returned. If two then only those with both IPs are returned.
The IPs considered are those in ARP, IPv4 or IPv6 headers only and not in encapsulated packets or ICMP payloads.
If capturing too much, some packets may be lost.
Capture can collect different types of packets depending on where the capture is performed. All of these are presented as Ethernet frames.
EthernetInterface based capture contains the full Ethernet frame with any VLAN tag removed.IPIP only, currently not possible to capture at this level. An Ethernet header is faked.PPPPPP from the protocol word (HDLC header is ignored if present). An Ethernet header is faked and also a PPPoE header. The PPPoE header has the session PPPoE ID that is the local end L2TP session ID.
The faked protocol header has target MAC of 00:00:00:00:00:00 and source MAC of 00:00:00:00:00:01 for received packets, and these reversed for sent packets.
The snaplen is the maximum length captured, but this applies at the protocol level. As such PPP packets will have up to the snaplen from the PPP protocol bytes and then have fake PPPoE and Ethernet headers added.
A snaplen of 0 is special. It causes logging of IP, TCP, UDP and ICMP headers as well as headers in ICMP error payloads and no more. This is primarily to avoid logging data carried by these protocols.