
The FB6000 includes the ability to capture packet dumps for diagnostic purposes. This feature is accessed via the web pages and provides a download of a pcap format file (old format) suitable for use with tcpdump or Wireshark.
The output is streamed so that it can be used with curl and tcpdump to monitor traffic in real time.
Limited filtering is included in the dump, so additional filtering will normally be applied by tcpdump.
The URL is /pcap, which takes several form-style arguments:
| interface | One or more interfaces, of the form port/vlan, can be specified. e.g. interface=0/0 |
| session | Where L2TP is available, one or more sessions, using the full hex accounting ID, can be specified, e.g. session=002132D94AE297DFF51E01 |
| fb105 | Where FB105 tunnels are available, this is the local tunnel ID (1-255) |
| snaplen | The maximum capture length for a packet can be specified, in seconds. Default 0 (auto). See notes below. |
| timeout | The maximum capture time can be specified in seconds. Default 10. |
| ip | Up to two IPs can be specified |
Capture stops if the output stream (web page) fails, so a long time can be specified to achieve ongoing capture which is stopped manually.
Only one capture can operate at a time. The web access fails if no valid interfaces, sessions, etc. are specified, or if a capture is already running.
The capture considers packets on the interfaces, sessions, etc. specified and checks whether each packet matches the IPs. If no IPs are specified, all packets are returned. If one IP is specified, all packets with that IP are returned. If two are specified, only packets with both IPs are returned.
The IPs considered are those in ARP, IPv4 or IPv6 headers only and not in encapsulated packets or ICMP payloads.
If capturing too much, some packets may be lost.
Capture can collect different types of packets depending on where the capture is performed. All of these are presented as Ethernet frames.
| Ethernet | Interface based capture contains the full Ethernet frame with any VLAN tag removed. |
| IP | IP only, currently not possible to capture at this level. An Ethernet header is faked. |
| PPP | PPP from the protocol word (HDLC header is ignored if present). An Ethernet header is faked and also a PPPoE header. The PPPoE header has the session PPPoE ID that is the local end L2TP session ID. |
The faked protocol header has target MAC of 00:00:00:00:00:00 and source MAC of 00:00:00:00:00:01 for received packets, and these reversed for sent packets.
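The faked-header convention above can be used to recover packet direction and the session ID when post-processing a capture. The following is an added example, not FireBrick code: it reads an old-format pcap byte string and classifies each frame, assuming the faked PPPoE header uses the standard PPPoE session EtherType 0x8864; the function names and the sample capture are constructed for illustration.

```python
import struct

FAKE_A = bytes(6)             # 00:00:00:00:00:00
FAKE_B = bytes(5) + b"\x01"   # 00:00:00:00:00:01
PPPOE_SESSION = 0x8864        # standard PPPoE session EtherType (assumed for the faked header)

def read_pcap(data):
    """Yield frames from a classic (old format) pcap byte string."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap stream")
    off = 24                                   # skip the global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "I", data, off + 8)[0]
        off += 16
        if off + incl_len > len(data):         # stream cut off mid-packet
            break
        yield data[off:off + incl_len]
        off += incl_len

def classify(frame):
    """Return (direction, pppoe_session_id) for one captured frame."""
    if len(frame) < 14:
        return ("short", None)
    dst, src = frame[:6], frame[6:12]
    if (dst, src) == (FAKE_A, FAKE_B):         # target ...:00, source ...:01
        direction = "received"
    elif (dst, src) == (FAKE_B, FAKE_A):       # reversed for sent packets
        direction = "sent"
    else:
        return ("ethernet", None)              # genuine interface capture
    session = None
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype == PPPOE_SESSION and len(frame) >= 20:
        session = struct.unpack_from("!H", frame, 16)[0]   # PPPoE session ID field
    return (direction, session)

def build_sample():
    """Constructed capture (not real traffic): two faked PPP frames, one Ethernet frame."""
    pppoe = struct.pack("!BBHH", 0x11, 0, 0x1234, 2) + b"\x00\x21"
    frames = [
        FAKE_A + FAKE_B + struct.pack("!H", PPPOE_SESSION) + pppoe,
        FAKE_B + FAKE_A + struct.pack("!H", PPPOE_SESSION) + pppoe,
        bytes.fromhex("aabbccddeeff 112233445566 0800") + bytes(20),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

Because the stream ends whenever the HTTP connection drops, the reader stops cleanly at a packet that was cut off rather than raising an error.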
The snaplen is the maximum length captured, but this applies at the protocol level. As such PPP packets will have up to the snaplen from the PPP protocol bytes and then have fake PPPoE and Ethernet headers added.
A snaplen of 0 is special. It causes logging of IP, TCP, UDP and ICMP headers as well as headers in ICMP error payloads and no more. This is primarily to avoid logging data carried by these protocols.