Skip to content
Avanet

Using Sophos Firewall Packet Capture in WebAdmin

Packet Capture is one of the most important troubleshooting tools in the WebAdmin of Sophos Firewall. It shows whether packets arrive at an interface, whether they are forwarded, which rule or NAT ID is involved, and whether a packet is dropped.

The Log Viewer shows the firewall’s decision. Packet Capture shows the packet flow. Together, they are often the quickest way to find the cause. If a firewall rule needs to be specifically tested, the process in Testing Sophos Firewall Rules with Log Viewer, Policy Tester, and Packet Capture is also suitable.

It’s important to note: This article describes the WebAdmin version of Packet Capture. It is ideal for an initial check because you can see directly in the browser whether packets arrive, are forwarded, or are dropped. For longer captures, very precise filters, PCAP export, or support cases, a tcpdump via SSH is often better suited.

Tool Selection

Which Article Fits?

Packet Capture is particularly strong when the actual packet flow is unclear. For related questions, a different starting point may be quicker:

SituationBetter Starting Point
A single firewall rule needs to be validated with Log Viewer, Policy Tester, and Packet CaptureTesting Sophos Firewall Rules with Log Viewer, Policy Tester, and Packet Capture
A rule does not match at all or an unexpected Rule ID appearsCheck Causes for Sophos Firewall Rule Not Matching
NAT ID, DNAT, SNAT, MASQ, or address translation is the focusUnderstanding NAT on Sophos Firewall
An internal server is published from the internetPublish Server via DNAT
The capture shows Drop, Violation, Invalid traffic, or an unclear drop reasonAnalyse Dropped Packets on Sophos Firewall
Traffic ends on WebAdmin, VPN Portal, SSH, DNS, SNMP, or another firewall serviceConfigure Device Access Correctly
The capture needs to run longer than PCAP can be stored or analysed in WiresharkSophos Firewall tcpdump: Capture Packets via CLI
Local log files are needed for support in addition to packet captureSecure Sophos Firewall Logs for Support and Analysis

This distinction is important: Packet Capture shows packets and status at the packet level. However, it does not replace the Log Viewer for policy decisions, the NAT article for translation logic, or tcpdump when an analysable PCAP file is needed.

When Packet Capture is Useful

Packet Capture is particularly helpful for questions like:

  • Does the traffic even reach the firewall?
  • Does the traffic exit on the expected interface?
  • Does a firewall rule apply?
  • Does a NAT rule apply?
  • Is a packet dropped by policy, IPS, or routing?
  • Does a response come back from the target system?
  • Is a different port or protocol used than expected?

If nothing is visible in the Log Viewer, Packet Capture is often the next step. It shows whether the problem lies before the firewall or if the firewall processes the traffic.

If the focus is on drops, Violation, Rule ID, NAT ID, or dropped packets, Analyse Dropped Packets on Sophos Firewall is also suitable.

You can find the tool under:

Diagnostics > Packet capture

Packet Capture opens directly in WebAdmin. Depending on the SFOS version and browser display, it appears as a separate diagnostic window within the WebAdmin view.

Before opening, the test case should already be determined. The tool is most effective when reproducing a single flow rather than deciding what to look for during the capture.

Clarify Before StartingExample
Source IPClient, Server, VPN Client, or Firewall Interface
DestinationTarget IP, published address, or FQDN with currently resolved IP
ServiceICMP, TCP 443, UDP 500, NTP, or specific application port
Expected DirectionLAN to WAN, WAN to DMZ, VPN to LAN, or Client to Firewall
Expected DecisionForwarded, Consumed, Generated, Violation, DNAT/SNAT, or Security Feature Hit

After opening, you should first use Configure and set the capture filter before triggering the test. If the destination, CDN target, or NAT view is still unclear, an initial filter on the source IP is often better than a too narrow filter with the wrong destination address. After the reproduced test, the capture should be stopped again to prevent the view from filling up with background traffic.

Log Viewer, Packet Capture, or tcpdump?

Log Viewer, Packet Capture in WebAdmin, and tcpdump answer different questions. Using the wrong tool first often leads to searching in the wrong place.

ToolPrimarily Shows
Log ViewerWhich firewall rule, NAT rule, web policy, application control, IPS, or SSL/TLS inspection decided
Packet Capture in WebAdminWhether individual packets arrive, are forwarded, consumed, generated, or dropped
tcpdump via SSHLonger captures, PCAP files, support cases, and very targeted CLI filters

A good example is a ping. In the Log Viewer, you often see only one entry or a summarised decision about the connection. In Packet Capture, you see the individual ICMP packets: Echo Request to the target and Echo Reply back. Windows sends four ICMP Echo Requests by default with ping. Therefore, you expect several request and reply packets in Packet Capture. If only the requests are visible but no replies come back, that’s a different problem than if no request reaches the firewall at all.

In practice, this means:

  • Log Viewer answers: Which rule or module decided?
  • Packet Capture answers: Did the packets really arrive and what path do they take?
  • For routing, NAT, VLAN, gateway, or return path issues, Packet Capture is often more informative.
  • For web filter, application control, IPS, or SSL/TLS inspection decisions, you also need the Log Viewer.
  • For captures that go to Sophos Support or external analysis partners, tcpdump is usually better than a screenshot from WebAdmin.

Prepare Capture

Narrow Down Before Starting

Packet Capture should not be started unfiltered. In productive networks, this otherwise generates a lot of data, and the output becomes confusing.

⚠️ Packet Capture should never run as a broad continuous capture on productive firewalls. A narrow filter, a short test, and a clear timing reduce data volume, data protection risk, and misinterpretations.

You should note in advance:

  • Source IP
  • Destination IP or FQDN
  • Protocol
  • Source Port, if relevant
  • Destination Port
  • Interface or Zone
  • Time of the test
  • Affected application
  • Expected firewall rule or NAT rule, if known
  • Expected result: allowed, blocked, DNAT, SNAT, VPN, web policy, or IPS

For a web test, the narrowing could look like this:

FieldExample
Source IP172.16.10.25
Destination93.184.216.34
ProtocolTCP
Destination Port443
Expected DirectionLAN to WAN

In practice, you should always reproduce only one test case at a time. Multiple parallel changes to firewall rule, NAT, routing, and client configuration make the capture output difficult to evaluate. If the test concerns a user problem, you should also note the logged-in user, the affected device, and the exact time.

Configure Capture Filter

Use Configure to set a filter as narrow as possible.

Typical filters:

  • Source IP of the client
  • Destination IP of the server
  • Destination Port
  • Protocol TCP, UDP, or ICMP
  • Interface

If you don’t know the target server, you can first filter only by the source IP. If too many packets are visible afterward, narrow it down further.

Sophos Firewall uses Berkeley Packet Filter syntax, or BPF. The capture filter determines which packets are written to the capture buffer at all. Therefore, it should be set cleanly before the test.

Typical BPF examples:

TargetBPF Example
Specific Hosthost 10.10.10.1
Specific Source IPsrc host 10.10.10.1
Specific Destination IPdst host 10.10.10.1
Specific Networknet 10.10.10.0
Specific Portport 443
Specific Destination Portdst port 443
Specific Host and Porthost 10.10.10.1 and port 443
ICMP/Pingproto ICMP
TCPproto TCP
UDPproto UDP

For a very targeted web test, a filter might look like this:

host 172.16.10.25 and host 93.184.216.34 and port 443

For a ping test, often this is sufficient:

host 172.16.10.25 and proto ICMP

If the Filter is Too Narrow

A narrow capture filter is important, but it must not hide the error. Especially with DNS, NAT, CDNs, and return paths, you should consciously decide whether to filter broadly enough first or immediately very precisely.

Typical pitfalls:

SituationBetter Filter Approach
Target is only known as FQDNFirst check DNS resolution or start with source IP and then narrow down to the visible target IP
Website uses CDN or multiple IP addressesDon’t use just a single old target IP, but observe the current test traffic
DNAT is being checkedDepending on the perspective, consider public target IP, internal server, and port
SNAT or MASQ is involvedMentally separate source IP before NAT and translated source on the out interface
Response packets are missingChoose a filter that keeps both directions visible
User or application problemFirst set source IP and time narrowly, then narrow down port, target, or rule ID

For the first run, a filter on the source IP is often more sensible than a too precise filter with the wrong destination IP. Once the relevant flow is visible, you can filter more narrowly in the second run. For NAT errors, you should also check whether you are currently viewing before or after the translation.

In the WebAdmin view, you see the active BPF string above the packet list after saving. The first screenshot shows the filter configuration, the second screenshot the result list with the active filter.

Sophos Firewall Packet Capture Configure capture filter with BPF String for Host and Port 443
Sophos Firewall - Configure Packet Capture Filter with BPF String
Sophos Firewall Packet Capture result list with active BPF filter and captured TCP packets
Sophos Firewall - Packet Capture with active BPF filter and captured packets

⚠️ PCAP data can contain IP addresses, hostnames, protocol details, and depending on the protocol, also payload data. Captures should only be shared with people or partners who are allowed to see this data.

Run Capture

Start and Reproduce Capture

  1. Set filter.
  2. Turn on Packet Capture via the slider.
  3. Reproduce the problem specifically.
  4. Stop the capture again.
  5. Analyse the results.
  6. Clear the capture when starting a new test.

Sophos Firewall shows the status and the buffer:

DisplayMeaning
Trace OnPacket Capture is running
Trace OffPacket Capture is off
Buffer sizeSize of the capture buffer, 2048 KB in Sophos documentation
Buffer usedCurrently used buffer

If the buffer is full, the capture stops automatically. You must then clear it with Clear before recording again sensibly. Therefore, a narrow filter is important.

In the filter settings, you can also specify how many bytes per packet are captured. For many initial analyses, header information is sufficient. If more payload data is needed, you must capture more bytes, but keep data protection and buffer size in mind.

Interpret Output

Understand Important Columns

Packet Capture shows many fields. These are particularly important in practice:

FieldMeaning
TimeTime of the packet
In interfaceInterface on which the packet was received
Out interfaceInterface through which the packet exits
Source IPSource address
Destination IPDestination address
Packet typeProtocol or packet type
Ports [src, dst]Source and destination port
NAT IDMatching NAT rule
Rule IDMatching firewall rule
StatusPacket status
ReasonReason for drop or violation
Connection statusConnection status
Gateway IDUsed gateway
UsernameRecognised user
IPS policy IDApplied IPS policy
Application filter IDApplied application control policy

These fields are valuable because they bridge the gap between “rule looks correct” and “traffic actually flows this way.”

Through Show additional properties or the detail view, you can see additional information depending on the version, such as Connection ID, Web filter ID, Application ID, Web category ID, Gateway ID, Username, or other policy IDs. These details help when a packet is processed not only by a firewall rule but also by web, application control, IPS, or other modules.

Correctly Interpret Status

StatusMeaning
IncomingPacket was received on an interface
ForwardedPacket was forwarded
ConsumedPacket is intended for the firewall itself
GeneratedPacket was generated by the firewall
ViolationPacket was dropped due to a policy violation

If you only see Incoming and no Forwarded, the packet likely gets stuck on the firewall. You should then check firewall rule, NAT, routing, and security features.

If Forwarded is visible but no response comes back, the problem often lies with the target system, return path, NAT, or a counterpart.

In a successful ping, you typically see packets in both directions. If Windows sends four pings, you see several ICMP Echo Requests from the client to the target and several Echo Replies back. If the replies are missing, check return route, target system, local firewall of the target system, NAT, or a counterpart. If the requests are already missing, check client, gateway, VLAN, switch port, or whether the traffic reaches the Sophos Firewall at all.

Correctly Read Consumed and Generated

Consumed and Generated are easily misinterpreted. These statuses do not automatically mean that a normal firewall rule is missing.

StatusTypical CaseWhat to Check Next
ConsumedPacket is intended for the Sophos Firewall itselfDevice Access, Local service ACL, service configuration, admin or user permission
GeneratedPacket was generated by the Sophos Firewall itselfSystem service, DNS, NTP, VPN, update, gateway monitoring, or firewall response

Examples of Consumed are accesses to WebAdmin, User Portal, VPN Portal, SSH, DNS, SNMP, IPsec, or SSL VPN of the firewall itself. Such traffic is not treated like normal transit traffic through a LAN-to-WAN or WAN-to-DMZ rule. If a packet shows Consumed in the capture, you should first clarify whether the client really intended to reach the firewall itself.

For these cases, Administration > Device access and Local Service ACL are more important than a normal firewall rule. Hardening these accesses is described in Secure Sophos Firewall Access: Configure Device Access Correctly.

Use Display Filter

The capture filter limits which packets are recorded. The Display filter filters only the already recorded view. This is useful if you intentionally started the capture a bit broader and then only want to display certain packets.

In the display filter, you can filter by fields such as:

  • Interface name
  • Ethernet type, such as IPv4, IPv6, or ARP
  • Packet type
  • Source IP and Source port
  • Destination IP and Destination port
  • Reason
  • Status
  • Rule ID
  • User
  • Connection ID

For troubleshooting, Status, Reason, Rule ID, Source IP, Destination IP, and Destination port are particularly helpful. If there are many packets in the capture, you can quickly reduce to the relevant part without having to restart the test immediately.

Read NAT in Packet Capture

With NAT, you must note that a packet looks different before and after NAT. Packet Capture can make NAT ID, Rule ID, and the changed addresses visible.

For NAT problems, you should check:

  • Do you see the packet with the original address?
  • Do you see the packet after translation?
  • Is the expected NAT ID displayed?
  • Does the packet go over the expected out interface?
  • Does a response come back?

For DNAT, additionally: The firewall rule uses the target zone after NAT, but the target IP before NAT. This initially looks unusual.

More on this: Understanding NAT on Sophos Firewall: SNAT, DNAT, MASQ, PAT.

Combine Packet Capture and Log Viewer

The best procedure is:

  1. Open Log Viewer.
  2. Start Packet Capture with a narrow filter.
  3. Reproduce the test.
  4. Check in Packet Capture whether packets arrive and proceed.
  5. Check in Log Viewer which rule or module decided.
  6. Switch to the appropriate log file if necessary.

The Log Viewer shows, for example, firewall, web, SSL/TLS inspection, IPS, or application control events. Packet Capture, on the other hand, shows the packet flow at the interface level.

Especially with ping or simple TCP connections, the combination is important. The Log Viewer can only show that a connection was allowed or blocked. Packet Capture additionally shows whether the response packets return, whether NAT applies, whether the correct out interface is used, and whether the return path is correct.

Typical Analysis Cases

Client cannot reach the internet: Set capture on source IP and TCP 443. If no packet arrives, check client, VLAN, gateway, or switch. If the packet arrives but does not exit, check firewall rule, NAT, or routing.

DNAT does not work: Set capture on public target IP and external port. If no packet arrives, check provider router, port forwarding, cloud security group, or WAN. If the packet arrives but does not go to the internal server, check DNAT rule and firewall rule.

VPN traffic does not flow: Set capture on tunnel interface, XFRM interface, or relevant source/target networks. Also check strongswan.log, charon.log, or xfrmi.log.

Web filter blocks unexpectedly: In Packet Capture, you usually only see the packet flow. The decision itself is better checked in the Log Viewer under web, application control, or SSL/TLS inspection.

Small tests work, large transfers hang: Set capture on the affected client and target and watch for retransmits, missing responses, or noticeable packet sizes. If ping, login, or small HTTP requests work, but larger downloads, RDP, VoIP, or VPN applications hang, you should also check MTU, MSS, PPPoE, VPN overhead, and fragmentation. The procedure is in Check MTU and MSS on Sophos Firewall for VPN Issues.

Typical Misinterpretations

Packet Capture shows a lot, but not always what you first expect. Some misinterpretations are particularly common in support cases.

ObservationDo Not Immediately ConcludeBetter Check
Packet is IncomingFirewall is to blameIs there Forwarded, Consumed, Violation, or a matching rule decision afterward?
Packet is ForwardedConnection must workCheck response packet, return route, target system, and local firewall of the target system
NAT ID is emptyNAT is wrongNot all traffic needs NAT; first check expected NAT design
Rule ID is unexpectedThe desired rule is defectiveCheck rule order, zones, objects, user matching, and rule group
No packets visibleFirewall blocksCheck filter, interface, client gateway, VLAN, switch port, and upstream devices
Only requests visibleOutbound rule is not enoughCheck return path, NAT, counterpart, target firewall, and asymmetric routing

If Packet Capture shows an unexpected Rule ID, you should not immediately change multiple rules. It is better to first compare with the Log Viewer and the rule position. For systematic matching, Check Causes for Sophos Firewall Rule Not Matching is suitable.

Limits, Data Protection and Sharing

Data Protection and Sharing of Captures

Packet capture data is operational data. Even if only headers are often visible, they can reveal internal IP addresses, public targets, usernames, hostnames, ports, protocols, and communication relationships. With unencrypted protocols, payload data can also be visible.

Before sharing, you should check:

  • Does the capture contain customer names, internal hostnames, or public IP addresses?
  • Are users, systems, or applications recognisable?
  • Is the recipient authorised to see this information?
  • Is a screenshot of the relevant lines sufficient, or is a PCAP file really needed?
  • Does the capture need to be shortened or anonymised beforehand?

For support cases, a targeted tcpdump capture with a clean filter is often better than a broad WebAdmin capture. If log files are also needed, Secure Sophos Firewall Logs for Support and Analysis helps.

When tcpdump is Better

The WebAdmin Packet Capture is ideal for quick analyses directly in the browser. You quickly see whether packets arrive, are forwarded, consumed, generated, or dropped. For an initial narrowing down, this is usually the right start.

tcpdump is better when the capture is needed not just as a screen view but as an analysable file or as a longer technical trace.

SituationBetter ToolWhy
Short test with visible Rule ID, NAT ID, and statusWebAdmin Packet Capturedirectly in WebAdmin, well combinable with Log Viewer
PCAP file for Wireshark, Sophos Support, or external analysistcpdumpwrites a file that can be cleanly examined later
Sporadic error that cannot be reproduced in a few secondstcpdumpcan run longer in a targeted manner, but should be limited
Very precise filters on hosts, ports, protocols, or interface comparisontcpdumpCLI BPF filters are more flexible and reproducible
Unclear policy or NAT decisionWebAdmin Packet Capture plus Log Viewertcpdump does not show Sophos-specific Rule ID or NAT ID

The most important difference: tcpdump shows packets but no Sophos-specific decision. If you need to know which firewall rule, NAT rule, web policy, IPS policy, or SSL/TLS inspection rule was involved, you still need Log Viewer, WebAdmin Packet Capture, or the appropriate log file.

Before tcpdump, SSH or Advanced Shell should be consciously enabled. The capture should be narrowly filtered, time-limited, and removed after analysis. A broad PCAP on a productive firewall can quickly contain sensitive data and unnecessarily much background traffic.

More on this: Sophos Firewall tcpdump: Capture Packets via CLI.

Checklist

  • Note test case with source, destination, port, protocol, and time.
  • Know expected firewall rule and NAT rule, if possible.
  • Set capture filter narrowly.
  • For DNS, NAT, or CDN targets, check if the filter really captures both directions.
  • Reproduce only one test case at a time.
  • Stop Packet Capture after the test.
  • Consciously distinguish Incoming, Forwarded, Consumed, Generated, and Violation.
  • Compare Rule ID and NAT ID with Log Viewer.
  • Check return path, NAT, target system, and counterpart if response is missing.
  • Check MTU/MSS, fragmentation, and VPN overhead for hanging large transfers.
  • Check captures for sensitive data before sharing.
  • Use tcpdump for longer captures or PCAP files.

FAQ

When should you use Packet Capture on Sophos Firewall?

Packet Capture is useful when the actual packet flow is unclear: Does traffic arrive, is it forwarded, dropped, or does it remain on the firewall? For pure policy decisions, the Log Viewer is often sufficient first.

What is the difference between Capture Filter and Display Filter?

The Capture Filter decides which packets are recorded. The Display Filter only filters the already captured display. For productive tests, the Capture Filter should be set as narrowly as possible.

Why do you only see Incoming in Packet Capture but no Forwarded?

Then the packet was received but not forwarded. Typical causes are firewall rule, NAT, routing, security feature, wrong zone, or a packet intended for the firewall itself.

What does Consumed mean in Packet Capture?

Consumed means that the packet is intended for the Sophos Firewall itself. You should then check Device Access, Local Service ACL, and the affected firewall service, not just normal firewall rules.

When is tcpdump better than Packet Capture in WebAdmin?

tcpdump is better for longer captures, PCAP files, support cases, very precise CLI filters, and analyses that are later evaluated in Wireshark or with Sophos Support.

Can you run Packet Capture unfiltered?

Technically, this is possible, but usually not a good idea in productive environments. Without a narrow filter, a lot of data is generated, the buffer quickly fills up, and sensitive communication data is unnecessarily captured.

Why does Packet Capture not see any packets despite the correct test?

Often the filter is too narrow or does not match the current view of the firewall. With FQDNs, CDN targets, NAT, DNAT, or asymmetric return path, you should first check with source IP and time and then narrow down step by step.