Tom here from Lawrence Systems. We're going to talk about using Wireshark with pfSense. I've done this a couple of times in other videos, but I figured I'd make a dedicated video for it because there are a few different ways to take care of it. Now, if you're interested in learning more about me and my company, head over to LawrenceSystems.com. You can also click Hire Us to hire us for your project. We will be talking a lot about routing, and I do have these shirts available because people always ask where to get the shirts that we wear, or my staff wears. They're on Teespring. Links are in the description below along with my website.

All right. pfSense and Wireshark. This is a lot of fun, and what you can do is, obviously, the simple thing that I've done in many of them. I've never gone much beyond this because generally this works. You go over here and we're going to go to Packet Capture. We pick the interface you want to capture on. You can select the address family, host address, port, packet length, level of detail. We start the capture. It does some stuff. We get the data we need. We hit stop. Hey, cool. Download the capture file and open it with Wireshark. Great. Pretty simple.

But what if you wanted real-time monitoring, real-time packet capture? That's actually completely plausible because this is based on tcpdump. You can run this over SSH. You can SSH in, pull tcpdump out, and get real-time packet capture. And the write-up is over here on pfSense. Now, they have a breakdown, a little bit more detail on a few different ways to do it. And I'm going to cover specifically this way right here: how to get Wireshark talking directly to pfSense via tcpdump, and a couple of little things about it, including some details of filtering. And what they do right here, for example, they say not port TCP 22 to filter that out, because when you connect to it, you're also creating your own traffic. And then that traffic would wash out the traffic.
It's kind of like, you know, data you may not want, and you don't want to have to... You could filter it out inside of Wireshark, but we'll break that down in detail here. Now, important things about this capture. One of them, too, is the fact that if you're doing this on pfSense, if you want to do a large packet capture, you've got to make sure you've got a place to put it all. So if you are doing it on pfSense, I guess it's perfectly plausible, but you may run out of space. So something just to keep in mind.

Let's show my lab setup. Now, here's my workstation. Here's our pfSense; the IP address there is irrelevant. Here's the internet. Here is how my lab is set up. And I just want to make sure I point out the IP addresses. And also, I'll be linking all this in my forums along with all the commands used. And there'll be a link in the description below for that. That way, I don't have to try and type them out, or you try to pull them out of a YouTube page. There'll just be a forum post that goes along with this. pfSense lab, WAN IP address 172.16.69.12. This is just my lab network. And the LAN, I'm not going to be using this LAN because I've got everything set up on the 10.1.10.1 network. So that's this: we have one box running Debian, it's a virtual machine, but it's sitting behind this at 10.1.10.104. Then my workstation is 192.168.3.9. And I just want to get this out in the beginning because this will cover some of those details later. This is the tool, as it says up here in the corner, if you want to know how I drew this particular graph. It's just easy to drag things on here and it works well. It's free.

All right, now we have to make sure we know what the interface names are. That's an important factor, because you have to name it based on the interfaces. So we're going to go here to Interface Assignments. If you want to pull things and see all the packet capture from the WAN, you can.
That's going to be xn0, LAN is xn1, and LAN2, the one we're going to be working with, is xn2. So this is the interface we're going to use for this. I've got to go here to Advanced, make sure Enable Secure Shell is enabled. For setup, password and public key are enabled, but I really recommend public key only, and also, in production, don't expose SSH. You probably will be doing this from inside your firewall, but because my computer is on one side of the network and the lab is on another, we do have a firewall rule that allows this to be done. I don't generally expose SSH to the greater public. And if I ever do, it's going to be key only, but we'll have password or public key as an option so we can log in. SSH port 222, and bring that up, because let's make sure you see that we have a rule. So on the WAN, because I'm outside of this network, we have TCP port 222, allow remote access to SSH. Now, I could leave it at the default port. I don't, but we chose 222 because we also have a rule that you'll see right here. So IPv4 TCP, and actually this is a NAT rule. So here's our Debian box, 10.1.10.104, allow SSH, and just so we can edit real quick, we're allowing at the WAN address the SSH port, the standard port, so I can get through the firewall behind it to where that Debian machine is. And the reason why is because I want to create some noise and do some network tracing, and I want to be able to do it because the only thing on this network right now, for this particular lab, is this one Debian box. The amount of noise we create in Wireshark is going to be very, very small. The way we can start tracking and doing the packet capture without a lot of noise, it makes for clarity. Obviously, in a production system, there's going to be a whole lot more data.

So let's get to the script part. So we're going to go ahead and edit the script. Like I said, this will be posted in the forums: pfSense Wireshark real-time capture. I'll leave these couple of notes, and these will be in the forum too.
Make sure Wireshark allows the user to run dumpcap, and that is pretty simple. You sudo dpkg-reconfigure wireshark, and we'll run these real quick just so you see, to make sure yours is set up properly. And we'll just do this right here. You just want to make sure, "should non-superusers be allowed to capture packets," you say yes. And then the other thing to make sure, and this is working on Ubuntu or Pop!_OS specifically, which is the one I'm using: chmod +x /usr/bin/dumpcap. You just want to make sure that the user has access to this. So that's all you need to do. Because if you don't do that, like you just install Wireshark and you don't do those couple of things, it won't allow the user to run it, though you can run it as root. And I'll leave this here. It's not how I'm going to do it. But for someone who wanted to run this as root, that would work. Also, this particular testing I was doing right here, where it says mvneta0, is because I first tested this on a Netgate SG100, I'm sorry, 1100, just to see if it would work. It will work. And in those, you specify the main interface, before it gets VLANed out. So just in case you're wondering what that is there, I'll leave these notes in here.

We're going to be doing this with a virtual install of pfSense. And right here is how we're going to start it off: wireshark -k -i. And what we're doing is SSHing in to the system here. So we have ssh root, oops, got it unselected, sorry. So we have ssh root@172.16.69.12. And what this is going to do is SSH in there and redirect the SSH to port 222, just like it says right here. And then it's going to run the tcpdump command. And it's going to use the -U -w parameter, then -, so tack or dash, take your opinion which one you want to call it, that redirects all this data back over to Wireshark. So let's go ahead and just quit this real quick. And we'll ssh root@ there, -p 222. Remember the port, 222.
The reason I'm doing this is, one, make sure I can log into it. And I can't. The problem is, I have to type a password. So if I were to run this and I have to type a password, it's not going to work, because it needs to log in automatically. Now, I'm not going to get real in-depth on this, but I'm assuming you have SSH keys set up. And if you do, it's really easy. So you ssh-copy-id, and there are lots of tutorials on how to set up SSH keys. And like I said, it goes out of scope of this, but you just copy your SSH keys over to that particular pfSense. And before we do that, let's log in real quick. I'll show you where those are located. So go over here and I'm going to shell, cd .ssh, nothing in there. So exit. And now we go here, log out. And it says ssh-copy-id. This takes and copies your keys over here. So I'll do that, type the password in, keys are copied. Now when we ssh root in, we're in automatically.

Now this is what I mentioned before, where it allows password or key authentication. When we're inside pfSense, you can now change it back to key only, and it's that much more secure, because now it doesn't accept passwords. So go to 8, cd .ssh. And there's the authorized_keys in there. So you can see my key. By the way, this is the public key of the pair, in case you're wondering, "Tom, you exposed the key?" No, this is actually available even on my GitHub. All right. Exit out. So we've got that done and got that done. So now we can log in without prompts, because that's important for the next step.

So we're going to go ahead and do this. I'll split the screen. I'm using tmux, by the way, also on my GitHub, Lawrence Systems GitHub, you'll Google it, you'll find it. You can get all of my bash and tmux, and everything's configured. I have videos on that on my channel. All right. So now we're going to go through, and I'm just going to open this up: vim pfsense wireshark. And what do we got here? This is the one we're going to use.
I have a couple of the other ones commented out in here. So wireshark -k, ssh -p 222, tcpdump, xn2, et cetera, et cetera. It's going to run down here. So we're going to go here, pfSense, LTS bash scripts, pfsense wireshark. And the reason I do it like this, I usually split windows. That way I can just keep editing things and just run it down here, cancel and run. You'll see how this works real quick. All right. Packet capture is up and running. Let's ssh root@172.16.69.12. This is going from my computer through the pfSense and to our 10.1.10.104 behind it. And we have plenty of packet capture going on here. And we have a lot of me in here. So here's my IP address, 192.168.3.9. And I bring that up because, well, here's when we ping something like Google.com. So we see the request. We see more noise from Google and the ICMP request, but you also have me in there for every time it's sending information. Even when it's sending things back to my session I have open, that gets caught up in there.

Now there's a lot of advanced filtering you can do. So we're going to say Tom's computer, for example, and this is IP address equals 192.168.3.9. And that would allow me to filter only my computer, or we can do the inverse of that, not Tom's computer, with an exclamation point. And now we see anything that wasn't going to my computer. Now this is fine when you're running a local network and have, well, a massive amount of bandwidth. But what if you don't, you're doing this remotely; you may want to pre-filter before you send it to Wireshark. So let's talk about how to do that. And there's a ton of filtering, like I said, you can do inside of Wireshark. And it's great to do it here, but pre-filtering saves you a little bit of time and saves you a few packets. And of course, if you're in a bandwidth-restricted situation, it saves you a lot more. So tcpdump for FreeBSD, pfSense being based on FreeBSD. This is the page for tcpdump on FreeBSD, lots of things you can do.
We'll go down here towards the bottom. I'm not going to cover all of them, but, you know, easy enough to read these up. You can look at the gateway, you can look at a specific ip host ace, not ip host helios. And it'll do both full names, it'll do IP addresses, etc. So there are a lot of different parameters. We're going to specifically do it just by IP address, though. So we go here and we remove that and insert here. And what do we have here? Same command. The only thing we added was, after we have the interface, host not, and we're putting my IP address in. So we only excluded my IP address, nothing else. In the demo example that pfSense has in their documentation, it does show how to exclude the SSH port you came in on, which was 22 in their example. I'm doing it by complete host, but like I said, this is something very flexible. And sometimes you may want to go specifically and focus on only one host, because if you're on a busy network, you're still going to get a lot of data. So maybe you want to filter this not to exclude your host, but to only include the host that you're really targeting to get some information on, and just remove the not; you can say host this or host not this. And these can actually be expanded upon. So you can actually grab more than one host, for example, in this particular capture, etc. But like I said, just getting the basics down so you get some ideas of how this works.

So now we're going to go to the pfSense real-time capture, do Wireshark. I'm going to exit. I'm going to go back in. And by doing this, I'm not in here at all. So we still see some broadcast, which is unrelated to me, going on. So it's capturing packets still. And if I ping something, there's all the traffic for ping, but no traffic for me. So if we try to filter for my computer, you'll just see it's not in here. So we say, let's find Tom's computer, nothing, because we pre-filtered before we sent this.
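As an added example (not from the video, the forum post or the pfSense docs), here is a small shell script that composes the tcpdump pre-filter from an exclude list and an optional include list and then assembles the same wireshark / ssh / tcpdump pipeline. The lab addresses, port 222 and xn2 are constructed values taken from the video; the `-n` and `-s 0` tcpdump flags, the quoting of the remote command and the `PF_CAPTURE_*` variables are my additions.

```shell
#!/bin/sh
# Added example, not from the video: build the tcpdump pre-filter and the
# wireshark -k -i <(ssh ... tcpdump -U -w - ...) pipeline, so the filter can
# be checked before any packets are pulled off the firewall.

# Constructed lab values from the video; change these for your own network.
PF_HOST="172.16.69.12"   # pfSense address we SSH to
PF_SSH_PORT="222"        # the lab's non-default SSH port
PF_IFACE="xn2"           # LAN2 as shown under Interfaces > Assignments
MY_HOST="192.168.3.9"    # the analyst workstation; its own session is noise

# build_filter "EXCLUDE_HOSTS" "INCLUDE_HOSTS"
#   Both arguments are space-separated lists and either may be empty. The SSH
#   session port and every excluded host become "not ..." terms, included hosts
#   become one "(host A or host B)" term, and all terms are joined with "and"
#   (in pcap-filter syntax "and" binds tighter than "or", hence the parentheses).
build_filter() {
    excl=$1; incl=$2
    filter="not tcp port $PF_SSH_PORT"
    for h in $excl; do
        filter="$filter and not host $h"
    done
    if [ -n "$incl" ]; then
        inc=""
        for h in $incl; do
            inc="${inc:+$inc or }host $h"
        done
        filter="$filter and ($inc)"
    fi
    printf '%s\n' "$filter"
}

# build_capture_cmd "FILTER"
#   tcpdump runs on pfSense as root: -U flushes each packet, -w - streams pcap
#   to stdout, -n skips DNS lookups on the firewall, -s 0 keeps whole frames.
#   bash process substitution feeds that stream to wireshark as interface -i,
#   and -k starts capturing at once. The remote command is single-quoted so the
#   parentheses reach tcpdump instead of being parsed by the firewall's shell.
build_capture_cmd() {
    q="'"
    printf 'wireshark -k -i <(ssh -p %s root@%s "tcpdump -i %s -n -s 0 -U -w - %s%s%s")\n' \
        "$PF_SSH_PORT" "$PF_HOST" "$PF_IFACE" "$q" "$1" "$q"
}

# start_capture "INCLUDE_HOSTS": always excludes this workstation and optionally
# narrows the capture to the hosts given. Needs key-based SSH login (ssh-copy-id).
start_capture() {
    cmd=$(build_capture_cmd "$(build_filter "$MY_HOST" "$1")")
    printf 'running: %s\n' "$cmd"
    bash -c "$cmd"
}
# Only capture when asked, so the file can be sourced without side effects:
#   PF_CAPTURE_RUN=1 PF_CAPTURE_ONLY="10.1.10.104" sh pfsense-capture.sh
if [ "${PF_CAPTURE_RUN:-0}" = "1" ]; then
    start_capture "${PF_CAPTURE_ONLY:-}"
fi
```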
And this is going to be very handy to help narrow things down, because you may be bandwidth restricted. And you want to be able to find what you're looking for. And you may even want to narrow it down more because you only want to find one host. And if you're doing this, like if I were to do this on my main network, because we have so many different things going, it would just be a ton of data. And data is good, but without filtering, data can be a little bit just noisy at that point and be harder to locate exactly what you're looking for, or looking for anomalies. But like I said, it's pretty easy to do because it's just standard tcpdump. You look at the FreeBSD page, come up with a formula based on the FreeBSD page for tcpdump, and come up with what works for you in terms of pre-filtering. But if you're on a local network or in a lab like I am here, send it all, filter it later inside of Wireshark, because it's a fun learning experience. Just to be amazed, an example would be like when you boot up Windows Server, look at how many connections it makes when it boots up, or, you know, a lot of other servers. It'd be a good learning experience to go, you know, what are these things doing? Do this with some IoT devices or whatever. And the nice thing is, when you run this, you're not saving the packets over on pfSense. You're saving them all on Wireshark, exactly, because they're just being pushed off through tcpdump over SSH back to your computer locally.

Now, the last thing I'm going to mention, I kind of touched on this a little bit, where you see up here, in which this one's running as root, ignore that unless you have a reason you want to run it as root. But these interfaces are the combined interfaces on the SG1100 where they get VLANed out. You do specify them as a name. And the way you find your interfaces, again, is you're going to go over here to the Interface Assignments. This is LAN2, so it's xn2, but you can pull different parameters and different ones.
And this is going to vary based on however your system works. It would be ix for some of the Intel network cards, xn for the virtual ones that are in this particular virtual machine that's running, but that's going to vary with the type of network cards you have, and you specify the one, and away you go and customize as needed. Once again, I'll be leaving a link to all this in my forums where you can dig into this more, and that way I can easily put these out, paste all these commands that I used inside the forum so you can copy and paste and customize yourself without having to try and stare at the screen and retype it all. But it's fun learning, and it'll get you started with dumping a lot of information into Wireshark and hopefully doing some learning, and maybe you'll find the next little vulnerability in one of these things. That's actually how a lot of this starts.

All right, thanks. And thank you for making it to the end of the video. If you like this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button, and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page, and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com where we can carry on the discussion about this video, other videos, or other tech topics in general, even suggestions for new videos. They're accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page. We have a lot of great tech offers for you. And once again, thanks for watching, and see you next time.