Remotely Capturing Network Traffic on PFC using Wireshark

Using the tcpdump utility shipped on Wago PFC controllers (and on Edge Controllers and Edge Computers), Wireshark can capture the traffic entering and leaving the controller directly, without mirroring that traffic back to the PC running Wireshark through a managed switch or other network device. A further benefit of this method is that EtherCAT and Profinet traffic on the PFC can be captured as well.

To set up the remote capture in Wireshark, follow these steps. Note: these instructions refer to the remote device as a PFC, but they also apply to Edge Controllers and Edge Computers.

  1. Open Wireshark on the host machine. Ensure the host machine can reach the PFC (verify via ping, Wago Ethernet Settings, or any other method).

  2. In Wireshark, open the Capture → Options menu.

  3. In the Capture Options dialog, click the gear icon next to “SSH remote capture” in the “Input” list.

  4. In the SSH remote capture dialog that opens, on the “Server” tab, enter the IP address of the PFC and ‘22’ as the SSH port.

  5. Click the “Authentication” tab in the SSH remote capture dialog. Enter root as the username and the PFC’s password (the default password is ‘wago’).

  6. Click the “Capture” tab in the SSH remote capture dialog. Enter the remote interface to capture packets on (typically br0 or br1; on Edge Computers the interface is named X1, X2, etc.).

    • Note: for PFC devices, keep “tcpdump” selected. For Edge Computers, select “dumpcap”.

  7. Click “Start”; Wireshark begins capturing packets on the selected PFC interface.
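The seven steps above configure Wireshark's sshdump extcap, which simply opens an SSH session to the controller and streams the output of the device's capture tool back to Wireshark. The script below is an added example (not code from the post or from Wago) of the same capture driven from the command line: it applies the post's device rules (tcpdump with br0/br1 on a PFC, dumpcap with X1/X2 on an Edge Computer), leaves the capture filter empty unless one is given, and pipes the pcap stream into Wireshark. It assumes OpenSSH `ssh` on the host, `wireshark -k -i -` reading pcap from stdin, and treats Edge Controllers like PFCs (an assumption; the post only specifies PFC and Edge Computer). The host address and interface names in the usage are constructed values.

```python
"""CLI equivalent of Wireshark's "SSH remote capture" for Wago controllers.

Added example, not code from the original post or from Wago. Assumptions:
OpenSSH `ssh` on the host; `tcpdump` on a PFC (and, assumed, on an Edge
Controller) or `dumpcap` on an Edge Computer, as the post's note states; and
Wireshark reading a pcap stream from stdin via `wireshark -k -i -`.
"""
import argparse
import re
import shlex
import subprocess

# Device family -> (capture tool on the device, allowed remote interface names).
# Interface naming follows the post: br0/br1 on PFC, X1/X2/... on Edge Computers.
DEVICE_PROFILES = {
    "pfc": ("tcpdump", re.compile(r"^br\d+$")),
    "edge_controller": ("tcpdump", re.compile(r"^br\d+$")),  # assumption: same as PFC
    "edge_computer": ("dumpcap", re.compile(r"^X\d+$")),
}

WIRESHARK_ARGV = ["wireshark", "-k", "-i", "-"]  # -k: start at once, -i -: read stdin


def validate_interface(device: str, iface: str) -> bool:
    """True if `iface` is a plausible capture interface for this device family."""
    if device not in DEVICE_PROFILES:
        return False
    return bool(DEVICE_PROFILES[device][1].match(iface))


def build_remote_command(device: str, iface: str, capture_filter: str = "") -> str:
    """Compose the command that runs on the device (what sshdump's Capture tab configures).

    An empty capture filter means "no filter", the simplest working setup. A
    non-empty filter is shell-quoted into one argument, so a filter string
    supplied by a user cannot be turned into additional remote commands.
    """
    if not validate_interface(device, iface):
        raise ValueError(f"interface {iface!r} is not valid for device type {device!r}")
    tool = DEVICE_PROFILES[device][0]
    if tool == "tcpdump":
        # -U: flush each packet, -s 0: full packets, -w -: write pcap to stdout
        cmd = ["tcpdump", "-i", iface, "-U", "-s", "0", "-w", "-"]
        if capture_filter:
            cmd.append(shlex.quote(capture_filter))
    else:
        # dumpcap: -P writes classic pcap instead of pcapng, -w - streams to stdout
        cmd = ["dumpcap", "-i", iface, "-P", "-w", "-"]
        if capture_filter:
            cmd += ["-f", shlex.quote(capture_filter)]
    return " ".join(cmd)


def build_ssh_argv(host: str, device: str, iface: str, user: str = "root",
                   port: int = 22, capture_filter: str = "") -> list:
    """argv for the host side: ssh into the device and run the capture command.

    No password is embedded: ssh prompts for it interactively, or uses an SSH
    key if one has been installed on the device.
    """
    remote = build_remote_command(device, iface, capture_filter)
    return ["ssh", "-p", str(port), f"{user}@{host}", remote]


def run_capture(host: str, device: str, iface: str, **kw) -> int:
    """Stream packets from the device into a live Wireshark window; returns Wireshark's exit code."""
    ssh = subprocess.Popen(build_ssh_argv(host, device, iface, **kw), stdout=subprocess.PIPE)
    wireshark = subprocess.Popen(WIRESHARK_ARGV, stdin=ssh.stdout)
    ssh.stdout.close()  # let ssh see a closed pipe when Wireshark exits
    rc = wireshark.wait()
    ssh.terminate()
    return rc


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Remote capture from a Wago controller into Wireshark")
    ap.add_argument("--host", required=True, help="controller IP, e.g. 192.0.2.10 (constructed)")
    ap.add_argument("--device", choices=sorted(DEVICE_PROFILES), default="pfc")
    ap.add_argument("--iface", default="br0", help="remote interface: br0/br1 or X1/X2")
    ap.add_argument("--filter", default="", help="optional BPF capture filter")
    ap.add_argument("--dry-run", action="store_true", help="print the command instead of running it")
    args = ap.parse_args()
    argv = build_ssh_argv(args.host, args.device, args.iface, capture_filter=args.filter)
    if args.dry_run:
        print(shlex.join(argv), "|", shlex.join(WIRESHARK_ARGV))
    else:
        raise SystemExit(run_capture(args.host, args.device, args.iface, capture_filter=args.filter))
```

Run `python remote_capture.py --host 192.0.2.10 --device edge_computer --iface X1 --dry-run` to see the exact ssh and Wireshark command pair before starting a live capture. The interface check mirrors what you type into the Capture tab; a mismatch (for example X1 on a PFC) is rejected locally rather than failing on the device.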

5 Likes

Have you been able to make it work on arm32 devices?
On my side, only arm64 supports this (WP400 and PFC300).

On 4-port Ethernet devices I get:

tcpdump: Marvell EDSA link-layer type filtering not implemented

And on some others I get:

tcpdump: unsupported DSA tag: ksz9893

On an Edge Controller the capture works, but the packets displayed are not valid:

This method worked for me on a TP600 (762-5303/8000-0002), a 750-8111, 750-8212, 750-8210 as well as the PFC300 and Edge Computer (with the Edge Computer requiring dumpcap instead of tcpdump). I did not encounter either of those error messages and the data I receive matches what I expect to see with no garbage data.

I tested only using static IP addresses. I did a quick test with split NICs vs. switched NICs and both seemed to work.

For both errors listed, it could be due to the filter applied during packet capture. Try deleting this field in the SSH settings and see if that resolves the issue.

1 Like

This is great, also timely! Thank you for sharing! :100:

@Wago_Hunter thanks for the info.

I was missing the remote interface parameter.

It’s awesome to have it working on all our Linux devices!

I would add that Sshdump has to be selected during the install.

1 Like

@quenorha Thanks for highlighting the installation requirements! Very critical step to get this working that I forgot to include.

And agreed! It was a fun discovery. There are other ways to run the Wireshark capture via the CLI (and you can do some pretty cool things like automatic filtering with Lua scripting but wanted to keep this post to the basic setup).