Sophos Firewall – Collect logs with TCPDump for analysis

TCPDump is a powerful network packet analysis tool that is used to record and analyze the data traffic running over a network interface. It provides the ability to filter specific packets and save them to an external location. This is particularly useful when in-depth analysis is required or when you need to forward data to Sophos Support for troubleshooting.

Using TCPDump on the Sophos Firewall

To use TCPDump on the Sophos Firewall, you first connect to the firewall via SSH and then use specific commands to capture and store the desired traffic.

Example application: Collect logs for 3CX PBX

Let’s imagine that the VoIP traffic from a 3CX PBX system (with the IP address 192.168.100.220) is to be recorded in order to diagnose problems in connection with the network traffic.

Recording command

tcpdump -i any -nn host 192.168.100.220 -w /tmp/voip.pcap &

The individual parameters have the following meaning:

  • -i any: Capture on all available interfaces at once, so traffic is recorded regardless of which interface the PBX talks through.
  • -nn: Disable name resolution for both hosts and ports; this avoids DNS lookups during the capture and keeps the output simple.
  • host 192.168.100.220: Capture only packets sent to or from this IP address (both directions).
  • -w /tmp/voip.pcap: Write the captured packets in pcap format to the file voip.pcap in the /tmp directory instead of printing them to the terminal.
  • &: Run the command in the background so that the SSH session remains usable while the capture is running.

Useful tcpdump parameters and examples

Limit the capture to 50 packets

tcpdump -c 50

Limit to network interface

sudo tcpdump -i eth1

Write output to a file in pcap format

sudo tcpdump -i wlan0 -p -w /tmp/tcpdump.pcap

Output all traffic to and from a specific IP address

tcpdump host 51.154.9.190

Output ICMP packets between two hosts

tcpdump icmp and host 10.32.42.2 and host 192.168.20.23

Stopping the running job

To stop the running TCPDump process, use the following commands. This is important, because a capture that is left running keeps growing until the firewall's storage is full.

Show active jobs:

jobs

Kill jobs:

kill %1
kill %2
...

or

killall tcpdump

Depending on the number of running processes, you can execute several kill commands to ensure that all relevant TCPDump processes are terminated.
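As an added example (not part of the article and not a Sophos tool), the following Python script wraps the recording command from above and the stop procedure from this section. It builds the same tcpdump command line, but adds a packet limit (-c) and a rotating ring of capture files (-C file size in MB, -W number of files) so that an unattended capture cannot fill the firewall's storage; it starts the process in the background, which is what the trailing & does; and it stops it with SIGTERM first, the signal that kill and killall send by default, so that tcpdump can flush its buffers and close the pcap file cleanly before SIGKILL is used as a last resort. The function names, the default limits and the /tmp check are assumptions of this example; the tcpdump options themselves are standard. Run it on a Linux host that has tcpdump (as root), or just use the command line it prints as the command to type on the firewall.

```python
import ipaddress
import subprocess
import time

# Added example, not Sophos code. The defaults (100000 packets, 100 MB files,
# a ring of 5 files) are assumptions; adjust them to the problem being diagnosed.
def build_capture_argv(host, outfile="/tmp/voip.pcap", interface="any",
                       max_packets=100000, file_size_mb=100, file_count=5):
    """Return the tcpdump argv for capturing all traffic to and from `host`.

    Same filter as the article's command, plus three limits:
      -c N   stop after N packets
      -C MB  start a new file once the current one reaches MB megabytes
      -W K   keep at most K files (voip.pcap0 .. voip.pcap<K-1>), overwriting the oldest
    so a forgotten capture can never fill the firewall's storage.
    """
    ipaddress.ip_address(host)  # raises ValueError for anything that is not an IP address
    if not outfile.startswith("/tmp/"):
        raise ValueError("write captures below /tmp as the article does, not %r" % outfile)
    return ["tcpdump", "-i", interface, "-nn", "host", host,
            "-c", str(max_packets), "-C", str(file_size_mb), "-W", str(file_count),
            "-w", outfile]


def start_capture(argv):
    """Start the capture in the background (the equivalent of the trailing '&')."""
    return subprocess.Popen(argv, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def stop_capture(proc, timeout=5):
    """Stop a capture the way 'kill %1' / 'killall tcpdump' do: SIGTERM first.

    tcpdump flushes and closes the pcap file on SIGTERM; SIGKILL would skip that
    and can leave the last packets missing from the file. Returns the exit status.
    """
    if proc.poll() is None:
        proc.terminate()
        try:
            proc.wait(timeout=timeout)
        except subprocess.TimeoutExpired:
            proc.kill()
            proc.wait()
    return proc.returncode


if __name__ == "__main__":
    argv = build_capture_argv("192.168.100.220")
    print("capture command:", " ".join(argv))
    proc = start_capture(argv)       # needs root and a tcpdump binary
    time.sleep(30)                   # reproduce the problem during this window
    print("tcpdump exited with status", stop_capture(proc))
```

The printed command can be pasted into the firewall's shell unchanged; the only difference from the article's one-liner is the three size limits.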

Analysis of the logs

Once the logs have been collected, they can be downloaded to a local computer with a tool such as WinSCP or Cyberduck and analyzed with a tool such as Wireshark. Alternatively, the logs can be forwarded to Sophos Support for assistance with analysis and troubleshooting.
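Before handing a capture to Wireshark or to Sophos Support, a quick offline sanity check is worth doing: is the file a readable pcap, which link type does it carry, and did the host filter really restrict the capture to the PBX? The link type matters because a capture made with -i any on Linux does not contain Ethernet frames but a "cooked" pseudo header (LINKTYPE_LINUX_SLL, or LINKTYPE_LINUX_SLL2 with newer libpcap), which is why such files look different in Wireshark from a capture on a single interface. The script below is an added example, not part of the article and not a Sophos or Wireshark tool: it writes a small constructed pcap (the PBX address from the article, the peer addresses 10.0.0.x are invented) and then parses it with a minimal reader for the pcap record, Ethernet, SLL and IPv4 header layouts. The function names and the sample data are assumptions; the header layouts are the documented formats.

```python
import collections
import os
import struct
import tempfile

# Link types tcpdump writes on Linux (values from the pcap LINKTYPE registry).
LINKTYPE_ETHERNET = 1        # -i eth1: plain Ethernet frames
LINKTYPE_LINUX_SLL = 113     # -i any: 16-byte "cooked" pseudo header
LINKTYPE_LINUX_SLL2 = 276    # -i any with newer libpcap: 20-byte cooked v2 header
LL_LEN = {LINKTYPE_ETHERNET: 14, LINKTYPE_LINUX_SLL: 16, LINKTYPE_LINUX_SLL2: 20}
PROTO_OFFSET = {LINKTYPE_ETHERNET: 12, LINKTYPE_LINUX_SLL: 14, LINKTYPE_LINUX_SLL2: 0}
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806

def _ipv4_endpoints(payload):
    """(src, dst) of an IPv4 header, or None if the bytes are not one."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        return None
    src = ".".join(str(b) for b in payload[12:16])
    dst = ".".join(str(b) for b in payload[16:20])
    return src, dst

def summarize_pcap(path):
    """Count IPv4 packets per (src, dst) pair in a classic pcap file.
    Both byte orders and the nanosecond magic are accepted; pcapng is not.
    Records that are not IPv4 (ARP, truncated frames, ...) are counted as "other"."""
    with open(path, "rb") as fh:
        data = fh.read()
    magic = data[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        order = "<"                       # little-endian writer, the usual case
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        order = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(order + "I", data[20:24])[0]
    if linktype not in LL_LEN:
        raise ValueError("unsupported link type %d" % linktype)
    ll_len, proto_off = LL_LEN[linktype], PROTO_OFFSET[linktype]
    pairs, other, off = collections.Counter(), 0, 24
    while off + 16 <= len(data):               # 16-byte record header per packet
        _sec, _frac, incl_len, _orig = struct.unpack(order + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        endpoints = None
        if len(frame) >= ll_len:
            ethertype = struct.unpack("!H", frame[proto_off:proto_off + 2])[0]
            if ethertype == ETHERTYPE_IPV4:
                endpoints = _ipv4_endpoints(frame[ll_len:])
        if endpoints is None:
            other += 1
        else:
            pairs[endpoints] += 1
    return {"linktype": linktype, "pairs": pairs, "other": other}

def check_filter(summary, host):
    """True if every IPv4 packet involves `host`, i.e. 'host <ip>' filtered as intended."""
    return all(host in pair for pair in summary["pairs"])

def write_sample_pcap(path, linktype, flows):
    """Write a constructed pcap (link type 1 or 113): one IPv4/UDP packet per
    (src, dst) in `flows`, plus one ARP frame that must land in "other"."""
    def ll_header(ethertype):
        if linktype == LINKTYPE_ETHERNET:
            return b"\x02" * 12 + struct.pack("!H", ethertype)       # dst MAC, src MAC, type
        return struct.pack("!HHH", 0, 1, 6) + b"\x02" * 8 + struct.pack("!H", ethertype)  # SLL v1
    def ipv4_udp(src, dst):
        s = bytes(int(o) for o in src.split("."))
        d = bytes(int(o) for o in dst.split("."))
        ip = struct.pack("!BBHHHBBH", 0x45, 0, 28, 0, 0, 64, 17, 0) + s + d   # 20-byte IPv4 header
        return ip + struct.pack("!HHHH", 5060, 5060, 8, 0)                    # empty UDP datagram
    records = [ll_header(ETHERTYPE_IPV4) + ipv4_udp(s, d) for s, d in flows]
    records.append(ll_header(ETHERTYPE_ARP) + b"\x00" * 28)
    with open(path, "wb") as fh:
        fh.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))  # global header
        for i, rec in enumerate(records):
            fh.write(struct.pack("<IIII", 1700000000 + i, 0, len(rec), len(rec)) + rec)

def build_and_summarize(linktype, flows, host):
    """Round trip: write the constructed capture, parse it, check the host filter."""
    fd, path = tempfile.mkstemp(suffix=".pcap")
    os.close(fd)
    try:
        write_sample_pcap(path, linktype, flows)
        summary = summarize_pcap(path)
    finally:
        os.remove(path)
    return summary, check_filter(summary, host)

if __name__ == "__main__":
    # Constructed flows: the PBX from the article talking to an invented peer 10.0.0.5.
    flows = [("192.168.100.220", "10.0.0.5"), ("10.0.0.5", "192.168.100.220")]
    summary, ok = build_and_summarize(LINKTYPE_LINUX_SLL, flows, "192.168.100.220")
    print(summary, "host filter respected:", ok)
```

To check a real capture from the firewall, call summarize_pcap("voip.pcap") on the downloaded file and check_filter on the result; a False there means the filter expression did not match what was intended and the capture should be repeated before it goes to support.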

Summary

TCPDump is an essential tool for analyzing network traffic on the Sophos Firewall in detail. It enables the collection of specific log data that can be used for deeper analysis or support. By using the commands described above, TCPDump can be used efficiently and selectively.