# Remote Firewall logging/viewing with Wireshark



## Vladimir Sanguinati (Nov 13, 2016)

I want to be able to monitor blocked packets from anywhere with Windows and Wireshark.

BSD box command:
`tcpdump -e -tttt -q -i pflog0`

Example output:

```
rule 3..16777216/0(match): block in on xl0: 192.168.0.xxxx.35752 > vl-in-f95.1e100.net.https: tcp 0
(match): block in on fxp0: min-extra-scan-13-de-prod.binaryedge.ninja.42860 > 162.212.90.176.ldap: tcp 0
```

Problem is, when I run this command Wireshark shows nothing:

Windows box:
`"c:\plink.exe" -ssh -pw xxxxxx xxxxx@192.168.0.xxx "tcpdump -e -tttt -q -i pflog0" | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -`


I'm assuming it is because Wireshark doesn't know where to find pflog0?


----------



## Vladimir Sanguinati (Nov 14, 2016)

Answering my own question in case it helps somebody else:

`"c:/plink.exe" -ssh -pw xxxxx xxxx@192.168.0.xxxxx tcpdump -i pflog0 -U -s0 -w - 'not port 22' | "C:\Program Files\Wireshark\wireshark.exe" -k -i -`


Needed these switches for tcpdump(1):

```
-U     Make output saved via the -w option ‘‘packet-buffered’’; i.e.,
       as each packet is saved, it will be written to the output file,
       rather than being written only when the output buffer fills.

-w     Write the raw packets to file rather than parsing and printing
       them out.
```
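As an added illustration (not part of the post, and not tcpdump's or Wireshark's code) of what the `-w -` pipe carries and why Wireshark can consume it record by record once `-U` flushes each packet: a minimal Python reader for the pcap stream tcpdump emits for pflog0 (link type 117, DLT_PFLOG), decoding the pfloghdr that pf prepends to every logged packet. It assumes the classic 64-byte pfloghdr layout with rulenr in network byte order; the sample bytes are constructed, not a real capture.

```python
import io
import struct

DLT_PFLOG = 117
ACTIONS = {0: "pass", 1: "block"}         # PF_PASS, PF_DROP
DIRS = {0: "inout", 1: "in", 2: "out"}    # PF_INOUT, PF_IN, PF_OUT

def parse_pcap_header(stream):
    # 24-byte pcap file header: magic gives byte order, last field is the link type
    hdr = stream.read(24)
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(hdr[:4])
    if order is None:
        raise ValueError("not a pcap stream")
    return order, struct.unpack(order + "I", hdr[20:24])[0]

def parse_pflog(data):
    # Assumed classic 64-byte pfloghdr: length, af, action, reason, ifname[16], ruleset[16], rulenr, subrulenr, uid, pid, rule_uid, rule_pid, dir, pad[3]
    length, af, action, reason = struct.unpack_from("BBBB", data, 0)
    ifname = data[4:20].split(b"\0", 1)[0].decode("ascii", "replace")
    rulenr = struct.unpack_from(">I", data, 36)[0]   # kernel writes it with htonl()
    payload_off = (length + 3) & ~3                  # header is padded to a 4-byte boundary
    return {"action": ACTIONS.get(action, str(action)), "dir": DIRS.get(data[60], str(data[60])),
            "ifname": ifname, "rulenr": rulenr, "af": af, "reason": reason,
            "payload": data[payload_off:]}

def stream_pflog(stream):
    # Read records one at a time, the way Wireshark consumes `tcpdump -w -` on stdin
    order, linktype = parse_pcap_header(stream)
    if linktype != DLT_PFLOG:
        raise ValueError("expected DLT_PFLOG (117), got linktype %d" % linktype)
    while True:
        rec = stream.read(16)                        # ts_sec, ts_usec, incl_len, orig_len
        if len(rec) < 16:
            return
        ts_sec, _usec, incl_len, _orig = struct.unpack(order + "IIII", rec)
        data = stream.read(incl_len)
        if len(data) < incl_len:
            return   # truncated record: without -U tcpdump may still hold it in its buffer
        yield ts_sec, parse_pflog(data)

def build_sample():
    # Constructed stream: one blocked inbound IPv4 packet on xl0 matching rule 3
    pflog = struct.pack("BBBB", 61, 2, 1, 0) + b"xl0".ljust(16, b"\0") + b"\0" * 16
    pflog += struct.pack(">II", 3, 0xFFFFFFFF) + b"\0" * 16 + b"\x01\0\0\0"   # dir=in
    rec = pflog + b"\x45" + b"\0" * 19              # 20-byte IPv4 header stub (constructed)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, DLT_PFLOG)
    return out + struct.pack("<IIII", 1479000000, 0, len(rec), len(rec)) + rec

def decode_sample():
    return list(stream_pflog(io.BytesIO(build_sample())))
```

Newer OpenBSD releases append more fields to pfloghdr, but the leading length byte still tells the reader where the packet starts, so the payload offset logic carries over.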


----------

