Tom here from Lawrence Systems. Whenever you're troubleshooting pfSense, you'll frequently see people in forums, or even myself, reply with, "Well, do you have a packet capture?" This is related to when you're trying to get devices to figure out where they're going, why they're not talking to something, and just trying to see the traffic that goes between them. There's a couple of different ways you can do packet capture inside of pfSense. You can go to Diagnostics and download a pcap file. Pretty easy to do, but let's go a little bit more advanced than that. I've actually gone really far advanced: I have another video where I talk about doing it from the command line in Linux, but maybe that's too advanced for some people and they don't want to deal with setting the command line parameters. There's actually a really easy way to do this that you can do directly in Wireshark, and it works fine in Windows as well, because with the command line option, maybe there's a way to get it working in Windows, I don't know, but this will work in both Windows and Linux. I'm still going to be doing it in Linux because that's what I have set up, but I did test this in a Windows virtual machine and it worked perfectly fine. Just make sure when you load Wireshark that you check the extra boxes for sshdump to make sure that's loaded.

Now, before we get into the details of this video, let's first... are you an individual or company looking for support on a network engineering, storage, or virtualization project? Is your company or internal IT team looking for someone to proactively monitor your system security or offer strategic guidance to keep your IT systems operating smoothly? Not only would we love to help consult on your project, we also offer fully managed or co-managed IT service plans for businesses in need of IT administration or IT teams in need of additional support.
With our expert install team, we can also assist you with all of your structured cabling and Wi-Fi planning projects. If any of this piques your interest, fill out our Hire Us form at lawrencesystems.com so we can start crafting a solution that works for you. If you're not interested in hiring us but you're looking for other ways to support this channel, there are affiliate links down below to get deals and discounts on products and services we talk about on this channel. And now back to our content.

The first place I want to start, because it's worth mentioning, is that there are a lot of different methodologies here, and they are all documented right in the Netgate pfSense documentation. So if you just wanted to look at some of the different methodologies, I'll leave a link to this, because I always encourage people to look at all the different options and always to RTFM.

Now let's talk about the prerequisites for pfSense. We're going to go over here to System, Advanced, and scroll down to SSH. I have this set up for public key only and I have my keys installed, but you could use this interactively with a password, or a public key, or you can go really secure and require both public key and password. Public key only is fine; by default pfSense only opens this up internally. So the expectation is that you have internal access to this particular pfSense that you're going to be testing on, either via VPN, because this can be done remotely, or you've opened it up on the WAN side, which, if you filter it to only a certain IP and temporarily, is acceptable. Ideally, though, you VPN in; the most secure way is to not have too many things exposed. But then you have to notice the port we have: I have chosen 102 versus the default port of 22. This is up to you. You can leave it at the default. Maybe you don't plan on using any other services on there, but I generally change pfSense to a non-default port.
It can quiet down the log noise internally, but you shouldn't have any log noise on your SSH because you've blocked it from non-management interfaces. I have other videos about securing pfSense. The most important part, though, is that you have access to it. Now, when we use Wireshark, I'm leaving it on public key only because I do have the proper keys installed for my system to log in without a password. It just makes using Wireshark easier, but Wireshark does support putting a password in if you need to do so.

The next thing we need to do is identify the interface we want to capture on inside of pfSense. So I have my WAN and LAN, and they're not identified that way inside of Wireshark; we have to know their driver names, which are igb0 and igb1. And then when we come to the VLANs, like VLAN 60 and VLAN 1337, they're done slightly differently. So if I click on VLAN 1337, the parent interface is igb2, and then we put a dot 1337. So if we wanted to track just this interface and do the capture on it, it's igb2.1337 to narrow it in scope to just that interface. Now, this also works for tun_wg1. This is my WireGuard tunnel. So yes, provided that the VPN interfaces have been set up as an interface, they can be fully packet captured, so you can watch the data that traverses them. That's also just a good use case if you're trying to troubleshoot what is or isn't going across the VPNs.

The next step is to open up Wireshark, and one thing I want to comment on: if you install Wireshark in Linux (in Windows this wasn't a problem other than checking the box), in Linux you do not want to install the Flatpak version, or at least I had problems installing the Flatpak version. I did a regular package install of this. For some reason this didn't work with the Flatpak version, and I didn't really spend a lot of time troubleshooting it, but hopefully that saves you some time trying to figure out why it kept failing.
We're going to click on SSH remote capture: sshdump. Right here is the IP address of my pfSense. 102 is the port, as we showed earlier. We have to log in as root, because root is who has the permissions in order to do this. So even if you have disabled the admin account, you will need to re-enable it. Make sure, in this case, I'm using key authentication and that the keys are installed. If not, you can just use root and the password, provided your SSH allows for password authentication. Then we're going over here to Capture, and we're going to start with tun_wg1, just to show you that yes, we can see what's going across my WireGuard tunnel and what data is over there.

The remote capture filter by default has a "not" in there. We'll come back to this in a moment, but the "not" is the not of the IP address of my system, so not host 172 1669. It also has an IPv6 entry for it as well, and not port 22. So they put this together so you don't capture yourself. This would create kind of a problem: you're capturing and sending data, but then it also has to log the fact that the data went back to you, so you're creating some extra noise in there. That's why it does this. Not an issue in the specific case of this particular tunnel, because none of this traffic will touch that, but if you're going in on the same interface that you're monitoring, you'll kind of get a feedback loop, extra data that will be in there. So we're just going to hit Start, and there are just a few things going across because I've only connected to one thing across my WireGuard tunnel, but there's my IP address. It does log my IP address talking to this because it's not going over port 22, but we can see the different things across this network that my system's talking to, and yes, the VPN to the office is working.

Let's do another test. We're going to stop this here, close it, and show you how to do it with a VLAN. So back over to pfSense, and we see VLAN 1337.
So if we click on it, we see this right here, which is igb2.1337. Go back over here to Wireshark, same premise, go over to Capture, put in igb2.1337, and go ahead and hit Start, and I'm capturing on that network. So let's go ahead and log into a device I have on that network: ssh tom@192.168.13.102 is a device on that network. It's a Raspberry Pi that I've got plugged in, and now we can see the transfer going back and forth. Let's filter it further. So let's go ahead and ping 1.1.1.1, and you can see the ICMP requests going across and being captured. Now I'm going to leave this pinging in the background. Let's go ahead and stop Wireshark, close it out, go in here, and filter this a little bit better.

If you have a specific target, or especially if you're doing this remotely, you may want to filter to a single host. You want to know where one host is going: one device, not all the devices on the network. Especially when you're doing this remotely, bandwidth can be a consideration for troubleshooting. And often you are troubleshooting a host on a network, trying to see what it's talking to. We're actually going to do a public host, because you want to know what's talking to this public host on this particular VLAN. So if we set the remote capture filter to host and put that one host in there, go ahead and Start. And we can see that it's pinging. So we'll stop it and it stops the capture, but all my other commands, as a matter of fact, if we type or do anything, it's not capturing it because it's not related to that host. But if we ping again and we're pinging that address, you can see it captures. So you filter to narrow it down. It's relatively simple to do when you're setting these up to filter for these hosts, and there are other operators you can use in there, such as, as you saw before, putting not. So let's actually do one more test. Close it out, we're going to go back in here, and we're going to add the word not in front of that host. So not host 1.1.1.1.
So Start, go back over to our terminal, and just by doing any commands we're capturing this, but when we do a ping command, the ping replies are omitted, while the traffic back and forth between my computer and the Raspberry Pi is being shown. So we can see the SSH commands, but there's really no other activity on this network.

Now, as I said in the beginning, I'll leave a link to my other video, and of course take the time to read through the documentation on pfSense, because this is where you get started with packet capture. Where you go from here, well, it can be a lot more fun diving into all the little intricacies of it and tracing things out on your network. Also, I have a video where I showed how to take a phone call, tap it using the same methodology, grab the phone call, reassemble it in Wireshark, and play it back, because most of your phone calls are not encrypted as they traverse through most of your VoIP applications. Well, most of the ones used right now, here today; you could be watching this at a future date where we finally encrypted everything and we're not transporting a lot of stuff that is easily reassembled. But let me know what things you want to learn about Wireshark. I want to do a little more talking about this product. That's why I did this video: I want to make it as easy as possible for people to get started with it. I know sometimes starting from the command line might be a little bit more advanced way to do it, so this is just showing a really simple way to do it with SSH.

By the way, I did this demo with pfSense, but this can be done with more than just pfSense. You can actually log into quite a few other devices. As long as they have SSH and tcpdump, you can log into quite a few things that are not just Linux based, such as UniFi equipment, which I talk a lot about on this channel. If you have SSH enabled, yes, this will work for that as well.
Logging into it with a username and password that does have permission via SSH to talk to the different interfaces on there. So this is one of those, this is where you start. Hopefully you take it a lot further, but it's all about getting started and having some fun with it. All right, thanks.

And thank you for making it all the way to the end of this video. If you've enjoyed the content, please give us a thumbs up. If you would like to see more content from this channel, hit the subscribe button and the bell icon. If you'd like to hire us for a short project, head over to lawrencesystems.com and click the Hire Us button right at the top. To help this channel out in other ways, there's a Join button here for YouTube and a Patreon page where your support is greatly appreciated. For deals, discounts, and offers, check out our affiliate links in the description of all of our videos, including a link to our shirt store, where we have a wide variety of shirts that we sell and designs come out, well, randomly. So check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching, and I look forward to hearing from you.
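Added example, not from the video: the sshdump extcap shown above is, under the hood, an SSH session to root@pfSense running tcpdump on the chosen interface with the capture filter, streamed back into Wireshark. The POSIX shell script below reproduces that pipeline from a terminal, with the same self-exclusion filter the video describes ("not host <my address> and not port <ssh port>") and an optional extra expression such as "host 1.1.1.1" or "not host 1.1.1.1". The pfSense address 192.0.2.1, the workstation address 172.16.69.5, the SSH port 102 and the interface igb2.1337 used in the sample call are placeholders chosen for the example; the function names build_filter and build_capture_cmd are mine, not anything from pfSense or Wireshark.

```shell
#!/bin/sh
# Added example (not the video's or pfSense's code): builds the remote
# capture pipeline that Wireshark's sshdump extcap runs for you.
# It only prints the command; pipe the output into sh to actually run it.

# build_filter MYHOST SSHPORT [EXTRA]
#   Builds the BPF capture filter. The first two terms exclude the SSH
#   session carrying the capture itself, so the capture does not record
#   its own traffic (the feedback loop described above). EXTRA is an
#   optional tcpdump expression, e.g. "host 1.1.1.1" or "not host 1.1.1.1".
build_filter() {
  myhost=$1
  sshport=$2
  extra=$3
  filter="not host $myhost and not port $sshport"
  if [ -n "$extra" ]; then
    filter="$filter and $extra"
  fi
  printf '%s' "$filter"
}

# build_capture_cmd PFSENSE SSHPORT IFACE MYHOST [EXTRA]
#   PFSENSE: address of the firewall; SSHPORT: its SSH port (22 by default,
#   102 in the video); IFACE: pfSense driver name, e.g. igb1, igb2.1337 for
#   VLAN 1337 on igb2, or tun_wg1 for a WireGuard interface; MYHOST: the
#   address of the workstation running Wireshark.
#   tcpdump -U flushes each packet to stdout, -w - writes pcap to stdout,
#   and wireshark -k -i - starts capturing immediately from stdin.
build_capture_cmd() {
  pfsense=$1
  sshport=$2
  iface=$3
  myhost=$4
  extra=$5
  filter=$(build_filter "$myhost" "$sshport" "$extra")
  printf '%s' "ssh -p $sshport root@$pfsense \"tcpdump -n -i $iface -U -w - '$filter'\" | wireshark -k -i -"
}

# Sample call with placeholder values (constructed for this example):
# capture VLAN 1337 but drop the ping traffic to 1.1.1.1, as in the last
# test in the video.
build_capture_cmd 192.0.2.1 102 igb2.1337 172.16.69.5 'not host 1.1.1.1'
echo
```

If your workstation also reaches the firewall over IPv6, add a second exclusion the way sshdump does (for example pass "not host <your IPv6 address>" as EXTRA), otherwise the IPv6 side of your own session shows up in the capture.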