Remote Firewall logging/viewing with Wireshark

I want to be able to monitor blocked packets from anywhere with windows and Wireshark.

BSD box command:
tcpdump -e -tttt -q -i pflog0

example output:
Code:
rule 3..16777216/0(match): block in on xl0: 192.168.0.xxxx.35752 > vl-in-f95.1e100.net.https: tcp 0
(match): block in on fxp0: min-extra-scan-13-de-prod.binaryedge.ninja.42860 > 162.212.90.176.ldap: tcp 0

The problem is that when I run this command, Wireshark shows nothing:

windows box:
"c:\plink.exe" -ssh -pw xxxxxx xxxxx@192.168.0.xxx "tcpdump -e -tttt -q -i pflog0" | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -


I'm assuming it is because Wireshark doesn't know where to find pflog0?
 
Answering my own question in case it helps somebody else:

"c:/plink.exe" -ssh -pw xxxxx xxxx@192.168.0.xxxxx tcpdump -i pflog0 -U -s0 -w - 'not port 22' | "C:\Program Files\Wireshark\wireshark.exe" -k -i -


I needed these switches for tcpdump(1):
Code:
-U     Make output saved via the -w option "packet-buffered"; i.e.,
       as each packet is saved, it will be written to the output file,
       rather than being written only when the output buffer fills.

-w     Write the raw packets to file rather than parsing and printing
       them out.
 