{"id":161464,"date":"2024-09-03T10:34:50","date_gmt":"2024-09-03T09:34:50","guid":{"rendered":"https:\/\/www.avanet.com\/kb\/sophos-firewall-tcpdump-tool-logs-collect\/"},"modified":"2024-09-03T12:53:04","modified_gmt":"2024-09-03T11:53:04","slug":"sophos-firewall-tcpdump-tool-logs-collect","status":"publish","type":"kb","link":"https:\/\/www.avanet.com\/en\/kb\/sophos-firewall-tcpdump-tool-logs-collect\/","title":{"rendered":"Sophos Firewall &#8211; Collect logs with TCPDump for analysis"},"content":{"rendered":"\n<p><strong>TCPDump<\/strong> is a powerful network packet analysis tool used to capture and analyze the traffic passing through a network interface.\nIt can filter for specific packets and save them to a file in an external location.\nThis is particularly useful when an in-depth analysis is required or when you need to forward captured data to Sophos Support for troubleshooting.<\/p>\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Topics<\/h2><nav><ul><li class=\"\"><a href=\"#anwendung-von-tcp-dump-auf-der-sophos-firewall\">Using TCPDump on the Sophos Firewall<\/a><ul><li class=\"\"><a href=\"#beispielanwendung-logs-sammeln-fur-3-cx-pbx\">Example application: Collect logs for 3CX PBX<\/a><\/li><li class=\"\"><a href=\"#befehl-zur-aufzeichnung\">Recording command<\/a><\/li><\/ul><\/li><li class=\"\"><a href=\"#nutzliche-tcpdump-parameter-und-beispiele\">Useful tcpdump parameters and examples<\/a><ul><li class=\"\"><a href=\"#paketausgabe-auf-50-begrenzen\">Limit packet output to 50<\/a><\/li><li class=\"\"><a href=\"#auf-netzwerk-interface-eingrenzen\">Limit to network interface<\/a><\/li><li class=\"\"><a href=\"#ausgabe-in-eine-datei-schreiben-im-pcap-format\">Write output to a file in pcap 
format<\/a><\/li><li class=\"\"><a href=\"#ausgabe-aller-einer-bestimmten-ip\">Output all packets of a specific IP<\/a><\/li><li class=\"\"><a href=\"#pakete-zwischen-zwei-hosts-ausgeben\">Output packets between two hosts<\/a><\/li><li class=\"\"><a href=\"#stoppen-des-laufenden-jobs\">Stopping the running job<\/a><\/li><\/ul><\/li><li class=\"\"><a href=\"#analyse-der-logs\">Analysis of the logs<\/a><\/li><li class=\"\"><a href=\"#zusammenfassung\">Summary<\/a><\/li><\/ul><\/nav><\/div>\n\n<h2 class=\"wp-block-heading\" id=\"anwendung-von-tcp-dump-auf-der-sophos-firewall\">Using TCPDump on the Sophos Firewall<\/h2>\n\n<p>To use <strong>TCPDump<\/strong> on the Sophos Firewall, first connect to the firewall via SSH and then run the commands below to capture and store the desired traffic.<\/p>\n\n<h3 class=\"wp-block-heading\" id=\"beispielanwendung-logs-sammeln-fur-3-cx-pbx\"><strong>Example application: Collect logs for 3CX PBX<\/strong><\/h3>\n\n<p>Let&#8217;s assume that the VoIP traffic of a 3CX PBX system (with the IP address 192.168.100.220) is to be captured in order to diagnose network-related problems.<\/p>\n\n<h3 class=\"wp-block-heading\" id=\"befehl-zur-aufzeichnung\">Recording command<\/h3>\n\n<pre class=\"wp-block-code\"><code>tcpdump -i any -nn host 192.168.100.220 -w \/tmp\/voip.pcap &amp;<\/code><\/pre>\n\n<p>The individual parameters have the following meaning:<\/p>\n\n<ul class=\"wp-block-list\">\n<li><strong>-i any<\/strong>: Capture traffic on all available interfaces.<\/li>\n\n\n\n<li><strong>-nn<\/strong>: Disable name resolution for host names and ports, which speeds up and simplifies the output.<\/li>\n\n\n\n<li><strong>host 192.168.100.220<\/strong>: Filter for traffic to and from this specific IP address.<\/li>\n\n\n\n<li><strong>-w 
\/tmp\/voip.pcap<\/strong>: Write the captured packets to the file voip.pcap in the \/tmp directory instead of printing them to the terminal.<\/li>\n\n\n\n<li><strong>&amp;:<\/strong> Run the command in the background so that the command line remains available.<\/li>\n<\/ul>\n\n<h2 class=\"wp-block-heading\" id=\"nutzliche-tcpdump-parameter-und-beispiele\">Useful tcpdump parameters and examples<\/h2>\n\n<h3 class=\"wp-block-heading\" id=\"paketausgabe-auf-50-begrenzen\">Limit packet output to 50<\/h3>\n\n<pre class=\"wp-block-code\"><code>tcpdump -c 50<\/code><\/pre>\n\n<h3 class=\"wp-block-heading\" id=\"auf-netzwerk-interface-eingrenzen\">Limit to network interface<\/h3>\n\n<pre class=\"wp-block-code\"><code>sudo tcpdump -i eth1<\/code><\/pre>\n\n<h3 class=\"wp-block-heading\" id=\"ausgabe-in-eine-datei-schreiben-im-pcap-format\">Write output to a file in pcap format<\/h3>\n\n<pre class=\"wp-block-code\"><code>sudo tcpdump -i wlan0 -p -w \/tmp\/tcpdump.pcap<\/code><\/pre>\n\n<h3 class=\"wp-block-heading\" id=\"ausgabe-aller-einer-bestimmten-ip\">Output all packets of a specific IP<\/h3>\n\n<pre class=\"wp-block-code\"><code>tcpdump host 51.154.9.190<\/code><\/pre>\n\n<h3 class=\"wp-block-heading\" id=\"pakete-zwischen-zwei-hosts-ausgeben\">Output packets between two hosts<\/h3>\n\n<pre class=\"wp-block-code\"><code>tcpdump icmp and host 10.32.42.2 and host 192.168.20.23<\/code><\/pre>\n\n<h3 class=\"wp-block-heading\" id=\"stoppen-des-laufenden-jobs\">Stopping the running job<\/h3>\n\n<p>To stop the running TCPDump process, use the following commands.\nThis is important, as otherwise the firewall keeps capturing until the available storage is full. 
<\/p>\n\n<p><strong>Show active jobs:<\/strong><\/p>\n\n<pre class=\"wp-block-code\"><code>jobs<\/code><\/pre>\n\n<p><strong>Terminate jobs:<\/strong><\/p>\n\n<pre class=\"wp-block-code\"><code>kill %1\nkill %2\n...<\/code><\/pre>\n\n<p>or<\/p>\n\n<pre class=\"wp-block-code\"><code>killall tcpdump<\/code><\/pre>\n\n<p>Depending on the number of running processes, you may need to execute several kill commands to ensure that all relevant TCPDump processes are terminated.<\/p>\n\n<h2 class=\"wp-block-heading\" id=\"analyse-der-logs\">Analysis of the logs<\/h2>\n\n<p>Once the logs have been collected, they can be downloaded to a local computer with an SCP\/SFTP client such as WinSCP or Cyberduck and analyzed with a tool such as Wireshark.\nAlternatively, the logs can be forwarded to Sophos Support for assistance with analysis and troubleshooting.<\/p>\n\n<h2 class=\"wp-block-heading\" id=\"zusammenfassung\">Summary<\/h2>\n\n<p><strong>TCPDump<\/strong> is an essential tool for analyzing network traffic on the Sophos Firewall in detail.\nIt enables the collection of specific log data that can be used for deeper analysis or support.\nBy using the commands described above, TCPDump can be used efficiently and selectively.  
<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"template":"","format":"standard","kb_kategorie":[382],"class_list":["post-161464","kb","type-kb","status-publish","format-standard","hentry","kb_kategorie-sophos-firewall"],"blocksy_meta":[],"acf":[],"_links":{"self":[{"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/kb\/161464","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/kb"}],"about":[{"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/types\/kb"}],"author":[{"embeddable":true,"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/users\/1"}],"wp:attachment":[{"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/media?parent=161464"}],"wp:term":[{"taxonomy":"kb_kategorie","embeddable":true,"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/kb_kategorie?post=161464"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}