Sophos Firewall – Collect logs with TCPDump for analysis
TCPDump is a command-line packet capture tool that records and inspects the traffic passing through a network interface. It can filter for specific packets and write them to a capture file (pcap) for later analysis. This is particularly useful when in-depth analysis is required or when you need to forward a capture to Sophos Support for troubleshooting.
Using TCPDump on the Sophos Firewall
To use TCPDump on the Sophos Firewall, first connect to the firewall via SSH, open the Advanced Shell from the console menu (5. Device Management > 3. Advanced Shell), and then run tcpdump with a filter and an output file for the traffic you want to capture. The Advanced Shell runs as root, so no sudo is needed there.
Example application: Collect logs for 3CX PBX
Suppose the VoIP traffic of a 3CX PBX (IP address 192.168.100.220) is to be captured on the firewall in order to diagnose call problems that appear to be network related.
Recording command
tcpdump -i any -nn host 192.168.100.220 -w /tmp/voip.pcap &
The individual parameters have the following effect:
- -i any: Captures on all interfaces at once, so you do not need to know in advance on which firewall port the traffic arrives or leaves. Note that on Linux the "any" pseudo-interface captures in cooked mode (Wireshark shows it as "Linux cooked capture"), so Ethernet headers and MAC addresses are not preserved; capture on a single interface if you need them.
- -nn: Disables name resolution for host names (first n) and for ports and protocols (second n). This avoids DNS lookups from the firewall and keeps the output fast and unambiguous.
- host 192.168.100.220: BPF filter expression; only traffic to or from this IP address is captured.
- -w /tmp/voip.pcap: Writes the raw packets to the file voip.pcap in the /tmp directory instead of printing them. The file grows for as long as tcpdump runs, so the capture must be stopped explicitly (see below).
- &: Runs the command in the background so that you keep the command line. Keep the SSH session open while the capture runs; if the session ends, the shell may send SIGHUP to the background job and the capture stops (start it with nohup if you need it to survive a disconnect).
Useful tcpdump parameters and examples
The following examples are generic Linux tcpdump usage. On the Sophos Firewall Advanced Shell you are already root, so the sudo prefix is not needed, and eth1/wlan0 must be replaced by the firewall's own interface names (as listed by ip link or ifconfig).
Stop after 50 packets
tcpdump -c 50
Capture on a single network interface only
sudo tcpdump -i eth1
Write the capture to a file in pcap format (-p: do not put the interface into promiscuous mode)
sudo tcpdump -i wlan0 -p -w /tmp/tcpdump.pcap
All traffic to or from a specific IP address
tcpdump host 51.154.9.190
ICMP packets between two hosts
tcpdump icmp and host 10.32.42.2 and host 192.168.20.23
Stopping the running job
To stop the running TCPDump process, use the following commands. This is important: a capture started with -w keeps growing until it is stopped, and an unattended capture can fill the firewall's /tmp and disturb its operation. Note that jobs and kill %N only know the jobs of the shell session in which tcpdump was started; after a reconnect, use killall tcpdump (or find the process ID with ps) instead.
Show active jobs:
jobs
Stop jobs
kill %1
kill %2
...
or
killall tcpdump
If several captures are running, run one kill command per job, or use killall tcpdump to terminate all TCPDump processes at once. Stopping tcpdump with a normal kill (SIGTERM) lets it flush and close the capture file cleanly; avoid kill -9, which can leave the file truncated.
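The recording procedure above (tcpdump in the background with -i any, -nn, a host filter and -w) and the stop procedure in this section can be combined into one small script. The script below is an added example, not a Sophos tool and not code from the original page. It adds three things the one-liner lacks: file rotation (-C/-W) so a forgotten capture can never fill /tmp, nohup so the capture survives a dropped SSH session, and a PID file so the capture can be stopped from any later session without relying on job numbers. It assumes the Advanced Shell is root, /tmp is writable, nohup is available and the firewall's tcpdump supports -C, -W and -U. The optional port arguments (for example 5060 for SIP) are an extension not mentioned on the page.

```shell
#!/bin/sh
# voip-capture.sh: start/stop a background tcpdump on the Sophos Firewall
# Advanced Shell. Added example, not a Sophos script. Assumptions: run as
# root, /tmp writable, tcpdump supports -C/-W (rotation) and -U (flush).

PIDFILE=/tmp/voip-capture.pid   # assumed free path
MAX_FILE_MB=100                 # -C: new file every ~100 million bytes
MAX_FILES=10                    # -W: keep 10 files, then overwrite the oldest

# Accept only a plain dotted-quad IPv4 address so nothing else can be
# smuggled into the BPF filter ("192.168.100.220 or net 0/0" would capture
# everything on the box).
is_ipv4() {
    addr=$1
    case "$addr" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Build the BPF filter: the PBX host from the page, optionally narrowed to
# ports (e.g. 5060 for SIP). Ports are an optional extra, not in the original.
capture_filter() {
    host=$1; shift
    is_ipv4 "$host" || { echo "capture_filter: not an IPv4 address: $host" >&2; return 1; }
    if [ $# -eq 0 ]; then
        printf 'host %s\n' "$host"
        return 0
    fi
    ports=""
    for p in "$@"; do
        case "$p" in ""|*[!0-9]*) echo "capture_filter: bad port: $p" >&2; return 1 ;; esac
        ports="${ports:+$ports or }port $p"
    done
    printf 'host %s and (%s)\n' "$host" "$ports"
}

# Full tcpdump argument list: all interfaces, no name resolution, flush every
# packet to disk (-U), rotate (-C/-W) so the capture can never fill /tmp.
tcpdump_args() {
    outfile=$1; shift
    filter=$(capture_filter "$@") || return 1
    printf '%s\n' "-i any -nn -U -C $MAX_FILE_MB -W $MAX_FILES -w $outfile $filter"
}

start_capture() {
    outfile=$1; shift
    if [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null; then
        echo "capture already running, pid $(cat "$PIDFILE")" >&2
        return 1
    fi
    args=$(tcpdump_args "$outfile" "$@") || return 1
    # nohup keeps tcpdump alive if the SSH session drops; output goes to a log.
    nohup tcpdump $args >/tmp/voip-capture.log 2>&1 &
    echo $! > "$PIDFILE"
    echo "tcpdump started (pid $!); files ${outfile}0 .. ${outfile}$((MAX_FILES - 1))"
}

# Stop by recorded PID rather than "kill %1": job numbers only exist in the
# shell that started the job and are gone after a reconnect.
stop_capture() {
    if [ ! -f "$PIDFILE" ]; then
        echo "no pidfile; if tcpdump is still running use: killall tcpdump" >&2
        return 1
    fi
    pid=$(cat "$PIDFILE")
    if kill "$pid" 2>/dev/null; then
        # SIGTERM lets tcpdump flush and close the pcap cleanly; wait for it.
        while kill -0 "$pid" 2>/dev/null; do sleep 1; done
        echo "tcpdump (pid $pid) stopped"
    else
        echo "pid $pid from $PIDFILE is not running" >&2
    fi
    rm -f "$PIDFILE"
}

case "${1:-}" in
    start) shift; start_capture "$@" ;;   # start OUTFILE HOST [PORT...]
    stop)  stop_capture ;;
    "")    ;;                              # no arguments: only define functions
    *)     echo "usage: $0 start OUTFILE HOST [PORT...] | stop" >&2; exit 2 ;;
esac
```

Usage on the firewall: sh /tmp/voip-capture.sh start /tmp/voip.pcap 192.168.100.220 (optionally followed by port numbers), and later sh /tmp/voip-capture.sh stop. With -C 100 -W 10 tcpdump names the files voip.pcap0 to voip.pcap9 and wraps around, so disk usage stays under about 1 GB; adjust the two constants to the free space in /tmp. The output path must not contain spaces, because the argument list is word-split before it reaches tcpdump.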
Analysis of the logs
Once the capture has been collected, the pcap file can be downloaded to a local computer via SCP/SFTP with a client such as WinSCP or Cyberduck and analyzed with a tool such as Wireshark. Alternatively, the capture can be forwarded to Sophos Support for assistance with analysis and troubleshooting. Keep in mind that a capture made with -i any uses the Linux cooked encapsulation (no Ethernet headers), and that a VoIP capture is sensitive data: it contains signalling and, if RTP was captured, the call audio itself, which Wireshark can replay. Transfer it only over encrypted channels and delete it from /tmp on the firewall once it has been copied.
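Before a capture is downloaded or sent to support, it is worth checking that the file is actually intact and what it contains. The script below is an added example (not part of the original page and not a Sophos tool) that reads the pcap global header to report the byte order and link type (it distinguishes the cooked capture produced by -i any from an Ethernet capture) and then walks the packet records to count them and to detect a file that ends mid-record, which is what you get when tcpdump was killed with kill -9 or /tmp ran full. It uses only od, cut and wc, so it runs on the firewall's shell or on any Linux host; it assumes classic pcap (tcpdump's default format), not pcapng. The sample capture built by make_sample_pcap is constructed inline for testing and is not real traffic.

```shell
#!/bin/sh
# pcap-check.sh: sanity-check a tcpdump capture before analysis or upload.
# Added example, not part of the original page or of Sophos. Assumes classic
# pcap (tcpdump's default), not pcapng. Needs only od, cut, tr and wc.

# 8 hex chars of a 32-bit field -> decimal, honouring the file's byte order.
u32() {
    h=$1
    if [ "$2" = le ]; then
        b0=${h%??????}; rest=${h#??}
        b1=${rest%????}; rest=${rest#??}
        b2=${rest%??};   b3=${rest#??}
        h=$b3$b2$b1$b0
    fi
    echo $((0x$h))
}

# Global header (24 bytes): magic, version, tz, sigfigs, snaplen, linktype.
pcap_header_hex() {
    hdr=$(od -A n -v -t x1 -N 24 "$1" | tr -d ' \t\n')
    [ ${#hdr} -eq 48 ] || { echo "pcap_header_hex: $1 is shorter than a pcap header" >&2; return 1; }
    echo "$hdr"
}

# The magic number gives the byte order; 0x0a0d0d0a would be pcapng.
pcap_endian() {
    hdr=$(pcap_header_hex "$1") || return 1
    case "$hdr" in
        d4c3b2a1*|4d3cb2a1*) echo le ;;   # usec / nsec timestamps, little-endian
        a1b2c3d4*|a1b23c4d*) echo be ;;
        0a0d0d0a*) echo "pcap_endian: pcapng file, not classic pcap" >&2; return 1 ;;
        *) echo "pcap_endian: not a pcap file" >&2; return 1 ;;
    esac
}

pcap_linktype() {
    e=$(pcap_endian "$1") || return 1
    hdr=$(pcap_header_hex "$1")
    u32 "$(printf '%s' "$hdr" | cut -c41-48)" "$e"   # bytes 20..23
}

linktype_name() {
    case "$1" in
        1)   echo "Ethernet" ;;
        113) echo "Linux cooked capture (SLL): produced by -i any, no Ethernet headers" ;;
        276) echo "Linux cooked capture v2 (SLL2): -i any on newer libpcap" ;;
        *)   echo "linktype $1" ;;
    esac
}

# Walk the records (16-byte header + incl_len bytes each). A capture killed
# with SIGKILL or stopped by a full disk usually ends in the middle of one.
pcap_count_packets() {
    file=$1; e=$2
    size=$(( $(wc -c < "$file") ))
    off=24; pkts=0
    while [ "$off" -lt "$size" ]; do
        if [ $((size - off)) -lt 16 ]; then
            echo "$pkts"; echo "truncated record header at offset $off" >&2; return 1
        fi
        rec=$(od -A n -v -t x1 -j "$off" -N 16 "$file" | tr -d ' \t\n')
        incl=$(u32 "$(printf '%s' "$rec" | cut -c17-24)" "$e")   # incl_len, bytes 8..11
        if [ $((size - off - 16)) -lt "$incl" ]; then
            echo "$pkts"; echo "truncated packet data at offset $off" >&2; return 1
        fi
        off=$((off + 16 + incl)); pkts=$((pkts + 1))
    done
    echo "$pkts"
}

pcap_info() {
    lt=$(pcap_linktype "$1") || return 1
    e=$(pcap_endian "$1")
    echo "file:          $1"
    echo "encapsulation: $(linktype_name "$lt")"
    if n=$(pcap_count_packets "$1" "$e"); then
        echo "packets:       $n (file ends on a record boundary)"
    else
        echo "packets:       $n (file is truncated: tcpdump killed hard or /tmp filled up?)"
        return 1
    fi
}

# Constructed sample, not a real capture: little-endian header, linktype 113,
# two 4-byte packets; "truncated" appends a cut-off third record header.
make_sample_pcap() {
    {
        printf '\324\303\262\241'   # magic 0xa1b2c3d4 stored little-endian
        printf '\002\000\004\000'   # version 2.4
        printf '\000\000\000\000'   # thiszone
        printf '\000\000\000\000'   # sigfigs
        printf '\000\000\004\000'   # snaplen 262144
        printf '\161\000\000\000'   # linktype 113 = LINUX_SLL
        printf '\001\000\000\000\000\000\000\000\004\000\000\000\004\000\000\000ABCD'
        printf '\002\000\000\000\000\000\000\000\004\000\000\000\004\000\000\000ABCD'
        if [ "${2:-}" = truncated ]; then printf '\003\000\000\000\000\000'; fi
    } > "$1"
}

if [ $# -gt 0 ]; then pcap_info "$1"; fi   # usage: sh pcap-check.sh /tmp/voip.pcap
```

The record walk spawns one od per packet, so on a capture of several hundred megabytes it takes minutes; it is a structural check, not a parser. If it reports a truncated file, Wireshark will usually still open it and show the complete packets, but the last packet is lost, and the capture was not closed cleanly.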
Summary
TCPDump is an essential tool for analyzing network traffic on the Sophos Firewall in detail. It enables targeted packet captures that can be used for deeper analysis or handed to Sophos Support. With the commands described above, captures can be made selectively, stopped cleanly, and handled with the care that packet data deserves.