OPNsense Forum

English Forums => General Discussion => Topic started by: talowicz on September 13, 2025, 09:01:28 AM

Title: Scripting to easily view packet captures on different interfaces
Post by: talowicz on September 13, 2025, 09:01:28 AM
Hello all!
 
I have been using the packet capture feature in OPNsense for a bit now, but I am tired of having to click through menus and such and was wondering if someone has made a script which automates the downloading of a pcap file from the firewall appliance to the local machine for use in wireshark and so on. I have my router on its own MGMT VLAN and would ideally like to be able to plug in an ethernet cable, run a command and within a few seconds start seeing traffic in wireshark from a VLAN specified. If this hasn't already been developed I would like some pointers as to scripting in OPNsense! Maybe what I am looking for is in something like zenarmor but I have never gotten around to trying it.
 
All the best :)
Title: Re: Scripting to easily view packet captures on different interfaces
Post by: keeka on September 13, 2025, 08:30:31 PM
If you're using wireshark on a linux desktop (not sure about the windows version) you can use the 'ssh remote capture' option to bring it straight into wireshark in near real time.

Just to add, best way I find to configure the capture in wireshark:
Server: appropriate opnsense interface address.
authentication: username and private key.
capture: select 'other' and put a full tcpdump command. e.g. tcpdump -i pppoe0 -w - 'udp port 53 or tcp port 80'
(Use actual device interface names rather than aliases lan, wan etc.)
check 'save parameters on capture start'.
HTH
Title: Re: Scripting to easily view packet captures on different interfaces
Post by: talowicz on September 14, 2025, 09:36:39 AM
Quote from: keeka on September 13, 2025, 08:30:31 PM
If you're using wireshark on a linux desktop (not sure about the windows version) you can use the 'ssh remote capture' option to bring it straight into wireshark in near real time.

Just to add, best way I find to configure the capture in wireshark:
Server: appropriate opnsense interface address.
authentication: username and private key.
capture: select 'other' and put a full tcpdump command. e.g. tcpdump -i pppoe0 -w - 'udp port 53 or tcp port 80'
(Use actual device interface names rather than aliases lan, wan etc.)
check 'save parameters on capture start'.
HTH

Exactly what I needed! Thanks a bunch :)
Title: Re: Scripting to easily view packet captures on different interfaces
Post by: keeka on September 14, 2025, 02:03:06 PM
Quote from: talowicz on September 14, 2025, 09:36:39 AM
Exactly what I needed! Thanks a bunch :)

Glad to hear. IIRC you can add the -s0 switch to tcpdump to ensure full packet payload capture.
You may also want to check the -U switch too (man tcpdump on remote host OS).
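As an added example that is not part of the thread (my own script, not OPNsense's or Wireshark's code): the "plug in a cable, run one command" flow talowicz asked for, done the way keeka describes, with the -s0 and -U switches from the last reply. It runs tcpdump on the firewall over SSH, writes the pcap stream to stdout, and pipes it into a local Wireshark. It assumes key-based SSH access to the firewall with an account allowed to run tcpdump, tcpdump on the firewall (it ships with FreeBSD/OPNsense) and wireshark installed locally; the host, interface and filter shown are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: command-line equivalent of Wireshark's
# "ssh remote capture" setup for an OPNsense box. Placeholders throughout.

# Build the remote tcpdump command string.
#   -n   no reverse DNS lookups on the firewall
#   -U   packet-buffered output so frames reach Wireshark as they arrive
#   -s0  full snaplen, so payloads are not truncated
#   -w - write pcap to stdout, which ssh carries back to the local machine
build_capture_cmd() {
    iface="$1"; shift
    filter="$*"
    if [ -n "$filter" ]; then
        printf "tcpdump -n -U -s0 -i %s -w - '%s'" "$iface" "$filter"
    else
        printf "tcpdump -n -U -s0 -i %s -w -" "$iface"
    fi
}

# Accept only real device names (igb0, vlan0.20, pppoe0), not OPNsense
# aliases like lan/wan/opt1, which tcpdump on the box does not know.
# The character whitelist also keeps shell metacharacters out of the
# command string that is handed to the remote shell.
is_device_name() {
    case "$1" in
        lan|wan|opt[0-9]*) return 1 ;;
        *[!A-Za-z0-9._]*)  return 1 ;;
        *[0-9]*)           return 0 ;;
        *)                 return 1 ;;
    esac
}

# A single quote in the BPF filter would break out of the quoting added above.
filter_is_safe() {
    case "$1" in
        *\'*) return 1 ;;
        *)    return 0 ;;
    esac
}

# user@host iface [bpf filter...]  ->  live capture in Wireshark
stream_to_wireshark() {
    host="$1"; iface="$2"; shift 2
    is_device_name "$iface" || { echo "use a device name (igb0, vlan0.20), not an alias" >&2; return 2; }
    filter_is_safe "$*"     || { echo "filter must not contain single quotes" >&2; return 2; }
    cmd=$(build_capture_cmd "$iface" "$@")
    # -k starts capturing immediately, -i - reads the pcap stream from stdin
    ssh -o BatchMode=yes "$host" "$cmd" | wireshark -k -i -
}

# Usage: ./opn-cap.sh root@192.0.2.1 vlan0.20 'udp port 53 or tcp port 80'
if [ "$#" -ge 2 ]; then
    stream_to_wireshark "$@"
fi
```

Find the device names with ifconfig on the firewall (or Interfaces > Overview), not the lan/wan labels. BatchMode=yes makes ssh fail fast instead of prompting for a password, so the script only works with key authentication, which is also what keeka recommends for the Wireshark dialog.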