I have a Balance 20x running 8.4.1 and would like to do a remote packet capture for Wireshark analysis. My computer is running macOS Sonoma. I created /tmp/pcap-file, then ran ‘nc -kl 23456 > /tmp/pcap-file’. Then I told Wireshark to watch that file by running ‘Wireshark -k -i /tmp/pcap-file’. I went into IC2, opened two remote admin windows, and changed the URL on one to get to the support page. In the Network Capture section of the support page, I set Connection to All, checked the Remote Capture box, gave it the IP of my computer, set port to 23456, and clicked Start. I went to the remote admin (non-support) page, started a ping to 8.8.8.8, and got responses. Wireshark shows no packets captured. pcap-file shows size 0. In the remote admin page, I changed the ping so that it is pinging my computer, and get responses. Still nothing in pcap-file.
Thoughts regarding what has gone wrong here? If there is another method to get a remote packet capture from the Peplink, I’d be happy to hear about it.
Which ports need to be open on my firewall besides the listening port I tell nc to use? I set this up on the Windows machine and it is failing. In my firewall, I can see the firewall policy hit-count increment, but the support page on the Peplink says “Unable to reach remote capture IP address.” I allowed ICMP through and did the same destination NAT, and I am able to remotely ping the same machine and get responses.
The problem is with the B20X and 8.4.1… roll back to 8.4.0 and it will work fine…
(the local PCAP also doesn’t work). This bug is B20X specific.
On macOS you can use:
nc -l 12345 | tcpdump -enlv -r -
On Linux it is:
nc -l -p 12345 | tcpdump -enlv -r -
Be advised that even though that says it is a complete tcpdump, say on the wan1… that may not be true… I have found a bug in 8.4.X that will allow packets to transit from the LAN (VLAN) to the WAN that do not get picked up by the onboard tcpdump, and to find these rogue packets I had to run tcpdump from a span port on a switch connected to wan1. Then the packets showed up.
So if you are debugging an extremely subtle layer 2 issue, don’t completely rely on the Peplink’s data… put in a managed switch and configure a mirror/span port. Regular layer 3 or above should be fine.
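An added example, not part of the thread or any poster's code: a small Python receiver that stands in for the `nc` listener and reports whether the router never connected, connected but sent nothing (the "size 0" symptom), or delivered a parseable capture. It assumes the remote capture arrives over TCP as a classic pcap byte stream, which is what `tcpdump -r -` in the commands above expects; the function names are hypothetical and port 23456 is the one used earlier in the thread.

```python
import socket
import struct

# pcap global-header magic bytes -> struct byte order (us and ns variants)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",
}

def summarize_pcap(data):
    """Describe a received byte stream: empty, not-pcap, truncated or ok."""
    if not data:
        return {"status": "empty", "packets": 0}
    if len(data) < 24 or data[:4] not in MAGICS:
        return {"status": "not-pcap", "packets": 0}
    order = MAGICS[data[:4]]
    linktype = struct.unpack(order + "I", data[20:24])[0]
    offset, packets = 24, 0
    while offset + 16 <= len(data):
        # Each record: ts_sec, ts_frac, incl_len, orig_len, then incl_len bytes
        incl_len = struct.unpack(order + "I", data[offset + 8:offset + 12])[0]
        if offset + 16 + incl_len > len(data):
            break  # last record was cut off mid-stream
        offset += 16 + incl_len
        packets += 1
    status = "ok" if offset == len(data) else "truncated"
    return {"status": status, "packets": packets, "linktype": linktype}

def receive_once(port, timeout=60.0):
    """Accept one TCP connection, read until close or timeout, summarize."""
    with socket.create_server(("", port)) as srv:
        srv.settimeout(timeout)
        try:
            conn, peer = srv.accept()
        except socket.timeout:
            return {"status": "no-connection", "packets": 0}
        chunks = []
        with conn:
            conn.settimeout(timeout)
            try:
                while chunk := conn.recv(65536):
                    chunks.append(chunk)
            except socket.timeout:
                pass  # sender went quiet; summarize what arrived
        return dict(summarize_pcap(b"".join(chunks)), peer=peer[0])

if __name__ == "__main__":
    print(receive_once(23456))
```

A `no-connection` result points at the path to the listener (host firewall, NAT), while `empty` means the TCP session was established but the device sent no capture data.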
Wondering if this has been resolved in 8.5? I updated the firmware and I am using Windows behind a B20x and I can’t seem to get this to work at all… but could definitely be me doing something wrong.
@Paul_Mossip thanks very much for checking on that! I was going nuts trying to figure out why I couldn’t get this to work. I really hope they get this fixed.
I also opened a ticket 24091232 and here is the response I received this morning:
The Balance 20X does not support packet capture on firmware 8.5.0 at this time. This is due to the size of the firmware file. Peplink Engineers are working on this to re-introduce in a future firmware. At this point we’ve seen users downgrade to 8.3.0 to run packet capture if necessary.