Remote packet capture via netcat and Wireshark

I have a Balance 20x running 8.4.1 and would like to do a remote packet capture for Wireshark analysis. My computer is running Mac OS Sonoma. I created /tmp/pcap-file, then ran 'nc -kl 23456 > /tmp/pcap-file'. Then I told Wireshark to watch that file by running 'Wireshark -k -i /tmp/pcap-file'. I went into IC2, opened two remote admin windows, and changed the URL on one to get to the support page. In the Network Capture section of the support page, I set Connection to All, checked the Remote Capture box, gave it the IP of my computer, set port to 23456, and clicked Start. I went to the remote admin (non-support) page, started a ping to 8.8.8.8, and got responses. Wireshark shows no packets captured. pcap-file shows size 0. In the remote admin page, I changed the ping so that it is pinging my computer, and get responses. Still nothing in pcap-file.

Thoughts, regarding what has gone wrong here? If there is another method to get a remote packet capture from the peplink, I'd be happy to hear about it.

I’ve only ever done this on windows and followed this guide:

that uses the command:

C:\nc\nc.exe -l -p 12345 | "C:\Program Files\Wireshark\wireshark.exe" -ki -

Looks like you’re missing the p option to bind the port number?

Thanks for the quick reply, Martin. The -l option forces you to specify a port. I do have access to a Windows machine though, and will try that.

Which ports need to be open on my firewall besides the listening port I tell nc to use? I set this up on the Windows machine and it is failing. In my firewall, I can see the firewall policy hit-count increment, but the support page on the peplink says “Unable to reach remote capture IP address.” I allowed ICMP through and did the same destination nat, and I am able to remotely ping the same machine and get responses.

I opened all ports and the peplink doesn't fail the connection, but Wireshark is getting nothing.

The problem is with the B20X and 8.4.1… roll back to 8.4.0 and it will work fine…

(the local PCAP also doesn’t work). This bug is B20X specific.

On macOS you can use

nc -l 12345 | tcpdump -enlv -r -

On Linux it is:

nc -l -p 12345 | tcpdump -enlv -r -

Be advised that even though that says it is a complete tcpdump, say on the wan1… that may not be true… I have found a bug in 8.4.X that will allow packets to transit from the LAN (VLAN) to the WAN that do not get picked up by the onboard tcpdump, and to find these rogue packets I had to run tcpdump from a SPAN port on a switch connected to wan1. Then the packets showed up.

So if you are debugging an extremely subtle layer 2 issue, don't completely rely on the peplink's data… put in a managed switch and configure a mirror/SPAN port. Regular layer 3 or above should be fine.

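The zero-byte /tmp/pcap-file from the first post and the nc port-syntax difference from the posts above, as an added POSIX shell diagnostic (not code from the thread or from Peplink): it tells "nothing ever arrived" apart from "bytes arrived but are not a capture stream" by checking the file's magic number, and builds the listener pipeline with the nc syntax the posts give for macOS versus Linux. The sample pcap header is constructed inline.

```shell
#!/bin/sh
# Added diagnostic helper, not from the thread or from Peplink: tell apart
# "nothing ever arrived" (the 0-byte /tmp/pcap-file above) from "bytes arrived
# but are not a capture stream" by checking the file's magic number.

# First 4 bytes of a file as lowercase hex, e.g. d4c3b2a1.
pcap_magic() {
    od -An -N4 -tx1 "$1" | tr -d ' \n'
}

# Classify a capture file by its magic number. Prints one of:
# empty, pcap-le, pcap-be, pcap-ns-le, pcap-ns-be, pcapng, unknown.
# Exit status is 0 only for a recognised capture header.
pcap_kind() {
    if [ ! -s "$1" ]; then
        echo empty
        return 1
    fi
    case "$(pcap_magic "$1")" in
        d4c3b2a1) echo pcap-le ;;
        a1b2c3d4) echo pcap-be ;;
        4d3cb2a1) echo pcap-ns-le ;;
        a1b23c4d) echo pcap-ns-be ;;
        0a0d0d0a) echo pcapng ;;
        *)        echo unknown; return 1 ;;
    esac
}

# Listener pipeline from the thread, with the nc port syntax that differs by OS:
# macOS nc takes the port positionally, Linux nc (as posted above) needs -p.
listener_cmd() {
    case "$(uname -s)" in
        Darwin) echo "nc -l $1 | tcpdump -enlv -r -" ;;
        *)      echo "nc -l -p $1 | tcpdump -enlv -r -" ;;
    esac
}

# Constructed sample: a 24-byte little-endian pcap global header (magic
# d4c3b2a1, version 2.4, snaplen 65535, linktype 1 = Ethernet) with no
# packets, i.e. what a capture that connected but saw no traffic would send.
make_sample_pcap() {
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$1"
}

# Usage: make_sample_pcap /tmp/x && pcap_kind /tmp/x   -> pcap-le
```

Run pcap_kind against the file your nc listener writes: "empty" means the router never sent anything (the firewall or firmware problem discussed in this thread), while "unknown" means something connected but is not sending a capture stream.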

Thank you Paul. Wasn’t aware of the b20x/8.4.1 issue.

Wondering if this has been resolved in 8.5? I updated the firmware and I am using windows behind a B20x and I can’t seem to get this to work at all… but could definitely be me doing something wrong.

I didn’t think to look, but yes the bug is still there in 8.5.0 on the B20X.

You can't do any packet captures. 8.4.0 was the last one that worked.


@Paul_Mossip thanks very much for checking on that! I was going nuts trying to figure out why I couldn't get this to work. I really hope they get this fixed.

You should open a ticket. Mine was about a different issue that wasn’t being fixed in 8.5, so they may not be tracking it.


I was wrong, I do have a ticket for this. 24050365… no action since May 2024.
I logged that it is still occurring in 8.5.0.

I also opened a ticket 24091232 and here is the response I received this morning:

The Balance 20X does not support packet capture on firmware 8.5.0 at this time. This is due to the size of the firmware file. Peplink Engineers are working on this to re-introduce in a future firmware. At this point we’ve seen users downgrade to 8.3.0 to run packet capture if necessary.