PCAP data logging

The FireBrick includes the ability to capture packet dumps for diagnostic purposes. This interface is provided via the web pages and provides a download of a pcap format file (old format) suitable for use with tcpdump or Wireshark.

The output is streamed so that it can be used with curl and tcpdump to monitor traffic in real-time. Limited filtering is included in the dump, so additional filtering will normally be applied by tcpdump.

Web interface

The URL is /pcap which has several form style arguments:-

InterfaceOne or more interfaces, as the name of the interface. e.g. interface=WAN, also applies for the name of PPPoE on an interface.
l2tpWhere L2TP is available, one or more sessions, using the full hex accounting ID, can be specified, e.g. l2tp=002132D94AE297DFF51E01 or you can use l2tp=* followed by a calling line ID – this sets up logging for a session based on calling line id when it next connects.
fb105Where FB105 tunnels are available, this is the local tunnel ID (1-255).
dongleWhere USB Dongles are available, this is the name of the dongle from the config or the socket (e.g. “direct”) of the dongle.
snaplenThe maximum capture length for a packet can be specified, in bytes. Default 0 (auto). See notes below.
timeoutThe maximum capture time can be specified in seconds. Default 10.
ipUp to two IPs can be specified.
selfBy default, any traffic to or from the IP which is connecting to the web interface to access pcap is excluded. This option allows such traffic. Use with care else you dump your own dump traffic.


Important: The security checks are the main reason people do not manage to get this working, and the response may be a simple 404 error.

  • You must be accessing from an IP listed as trusted in the HTTP config in services.
  • You must use a user and password for a user that has level=”DEBUG” in the user config.

Example using curl and tcpdump

A simple example from a linux box:

curl –silent –no-buffer –user name:pass \
‘’ | \
/usr/sbin/tcpdump -r – -n -v

In this example, we have used username user and password pass to log-in to a FireBrick on address We have asked for a dump of the interface that has name=”LAN” with a 5-minute timeout and capturing 1500 byte packets. We have then fed the output in real-time (hence –no-buffer on curl) to tcpdump asking it to take from stdin (-r -) with no DNS resolution (-n) and verbose output. All the normal TCP dump controls apply.

IP match

The capture considers packets on the interfaces specified and sessions, etc, specified and checks if the packet matches the IPs. If no IPs, then all packets are returned. If one IP then all with that IP are returned. If two then only those with both IPs are returned.

The IPs considered are those in ARP, IPv4 or IPv6 headers only and not in encapsulated packets or ICMP payloads.

If capturing too much, some packets may be lost.

Packet types

Capture can collect different types of packets depending on where the capture is performed. All of these are presented as Ethernet frames.

EthernetInterface based capture contains the full Ethernet frame with any VLAN tag removed.IPIP only, currently not possible to capture at this level. An Ethernet header is faked.PPPPPP from the protocol word (HDLC header is ignored if present).
An Ethernet header is faked and also a PPPoE header. The PPPoE header has the session PPPoE ID that is the local end L2TP session ID.

The faked protocol header has target MAC of 00:00:00:00:00:00 and source MAC of 00:00:00:00:00:01 for received packets, and these reversed for sent packets.


The snaplen is the maximum length captured, but this applies at the protocol level. As such PPP packets will have up to the snaplen from the PPP protocol bytes and then have fake PPPoE and Ethernet headers added.

A snaplen of 0 is special. It causes logging of IP, TCP, UDP and ICMP headers as well as headers in ICMP error payloads and no more. This is primarily to avoid logging data carried by these protocols.