Expanding on my homelab project and working towards OSCP certification, I have been looking at building another network at home for pen testing. As part of that, I recently purchased and added a managed L2 switch. Its feature set includes port mirroring, but I also wanted to see if I could capture the packets on an interface on pfSense and send them over to Wireshark or Security Onion for inspection.
I've set up a Kali VM on, say, VLAN 100 and logged into the machine. Run netcat with the command below so it listens on port 22222 and forwards anything it receives to Wireshark:
nc -l -p 22222 | wireshark -k -i -
Then, to send the capture across to Wireshark on Kali, I enable SSH on pfSense, log in, press 8 to get to the shell prompt, then run
tcpdump -i igb1.600 -U -n -w - | nc kali.ip 22222
I wanted to capture on a VLAN interface, so I used the igbx.xxx notation.
If you would rather write the capture to a file and then download the pcap file for analysis, you can run the listener like this instead:
nc -l -p 22222 > /home/user/somefile.pcap
In my particular setup, I wanted to put Kali on the same network that I wanted to monitor. However, this creates a lot of noise because you are capturing your own traffic. To get around this, you can pre-filter so that your own host's traffic does not get sent to Wireshark.
To achieve this, add the filter expression
host not kali_ip
after the options to get
tcpdump -i igb1.600 -U -n -w - host not kali_ip | nc kali.ip 22222
I also run this within screen so I don't have to worry about my window: I start the capture and close my session. When you close Wireshark, the connection to pfSense will close too.
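To confirm that the host not kali_ip filter did its job, the saved pcap can be checked for leftover traffic to or from the Kali address. The Python below is an added example, not part of the original post; it assumes a classic pcap file with Ethernet framing and IPv4, and its sample packets are constructed with documentation addresses.

```python
import socket
import struct

def count_host_packets(pcap, host_ip):
    """Return (total_packets, ipv4_packets_to_or_from_host) for a classic pcap."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"                      # header written little-endian
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"                      # header written big-endian
    else:
        raise ValueError("bad magic: not a classic pcap file")
    if len(pcap) < 24 or struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("short header or link type is not Ethernet")
    host = socket.inet_aton(host_ip)
    total = hits = 0
    pos = 24                              # skip the 24-byte global header
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[pos + 8:pos + 12])[0]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        if len(frame) < incl_len:
            break                         # stream was cut mid-packet
        pos += 16 + incl_len
        total += 1
        l3 = 14                           # offset of the IP header
        if frame[12:14] == b"\x81\x00":   # 802.1Q tag present: shift by 4 bytes
            l3 = 18
        if frame[l3 - 2:l3] == b"\x08\x00" and len(frame) >= l3 + 20:
            if host in (frame[l3 + 12:l3 + 16], frame[l3 + 16:l3 + 20]):
                hits += 1
    return total, hits

def build_sample(pairs):
    """Constructed test data: a little-endian pcap, one bare IPv4 header per pair."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, dst in pairs:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        frame = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    # Constructed addresses; 192.0.2.10 stands in for the Kali host.
    clean = build_sample([("192.0.2.20", "192.0.2.30")])
    noisy = build_sample([("192.0.2.10", "192.0.2.30"), ("192.0.2.20", "192.0.2.30")])
    print(count_host_packets(clean, "192.0.2.10"), count_host_packets(noisy, "192.0.2.10"))
```

For a real capture, pass the bytes of the saved file, for example open("/home/user/somefile.pcap", "rb").read(), together with the Kali address; a non-zero second value means the filter let some of the host's own IPv4 traffic through.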

