Applicable Version: 15.01.0 onwards

Overview

You can monitor packet flow from the Sophos Firewall (SF) CLI using the tcpdump command. tcpdump is a packet capture tool that intercepts and captures packets passing through a network interface, which makes it useful for understanding and troubleshooting network-layer problems. It helps in monitoring the packet flow coming from the interface, the response to each packet, packet drops, and ARP information. tcpdump prints the headers of packets on a network interface that match a Boolean filter expression.

To capture packets using the Web Admin Console, refer to the article How to Monitor Traffic using Packet Capture Utility in the Web Admin Console.

Note: This utility is not of much help in identifying and troubleshooting application-layer problems.

Command Description

Use tcpdump from the Sophos Firewall CLI. The placeholders in angle brackets (<host>, <network>, <port>, <interface>, <protocol>) are to be replaced with your own values, as shown in the Example column.

How to view traffic of a...                      | tcpdump command                               | Example
specific host                                    | tcpdump 'host <host>'                         | tcpdump 'host 10.10.10.1'
specific source host                             | tcpdump 'src host <host>'                     | tcpdump 'src host 10.10.10.1'
specific destination host                        | tcpdump 'dst host <host>'                     | tcpdump 'dst host 10.10.10.1'
specific network                                 | tcpdump 'net <network>'                       | tcpdump 'net 10.10.10'
specific source network                          | tcpdump 'src net <network>'                   | tcpdump 'src net 10.10.10'
specific destination network                     | tcpdump 'dst net <network>'                   | tcpdump 'dst net 10.10.10'
specific port                                    | tcpdump 'port <port>'                         | tcpdump 'port 21'
specific source port                             | tcpdump 'src port <port>'                     | tcpdump 'src port 21'
specific destination port                        | tcpdump 'dst port <port>'                     | tcpdump 'dst port 21'
specific host for a particular port              | tcpdump 'host <host> and port <port>'         | tcpdump 'host 10.10.10.1 and port 21'
specific host for all ports except SSH           | tcpdump 'host <host> and port not <port>'     | tcpdump 'host 10.10.10.1 and port not 22'
specific protocol                                | tcpdump 'proto <protocol>'                    | tcpdump 'proto ICMP', tcpdump 'proto UDP', tcpdump 'proto TCP', tcpdump 'arp'
particular interface                             | tcpdump interface <interface>                 | tcpdump interface PortB
specific port of a particular interface          | tcpdump interface <interface> 'port <port>'   | tcpdump interface PortB 'port 21'
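The overview above mentions using a capture to see the response to each packet and to spot packet drops. As an added example (not from the Sophos article), this Python script parses lines in the standard tcpdump output format, as printed by a 'port 21' capture, and reports connection attempts (SYN) that never received a SYN-ACK back; the sample capture output below is constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of tcpdump output for the filter 'port 21' (standard tcpdump line format).
# Client 10.10.10.1:51000 completes a handshake; 10.10.10.1:51001 retransmits its SYN unanswered.
SAMPLE_OUTPUT = """\
12:00:01.000001 IP 10.10.10.1.51000 > 192.168.1.5.21: Flags [S], seq 100, win 64240, length 0
12:00:01.000500 IP 192.168.1.5.21 > 10.10.10.1.51000: Flags [S.], seq 500, ack 101, win 65535, length 0
12:00:01.001000 IP 10.10.10.1.51000 > 192.168.1.5.21: Flags [.], ack 501, win 64240, length 0
12:00:02.000000 IP 10.10.10.1.51001 > 192.168.1.5.21: Flags [S], seq 200, win 64240, length 0
12:00:03.000000 IP 10.10.10.1.51001 > 192.168.1.5.21: Flags [S], seq 200, win 64240, length 0
"""

# Matches "<timestamp> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>]" (TCP lines only).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_tcp_lines(text):
    """Yield (src, sport, dst, dport, flags) for each TCP line tcpdump printed."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])


def unanswered_syns(text):
    """Return {(client, cport, server, sport): syn_count} for connection attempts
    that never got a SYN-ACK back, a sign the SYN or the reply was dropped or filtered."""
    syns = defaultdict(int)
    answered = set()
    for src, sport, dst, dport, flags in parse_tcp_lines(text):
        if flags == "S":        # client SYN, keyed by the client->server tuple
            syns[(src, sport, dst, dport)] += 1
        elif flags == "S.":     # server SYN-ACK travels the reverse direction
            answered.add((dst, dport, src, sport))
    return {k: v for k, v in syns.items() if k not in answered}


if __name__ == "__main__":
    for (c, cp, s, sp), n in unanswered_syns(SAMPLE_OUTPUT).items():
        print(f"{c}:{cp} -> {s}:{sp}: {n} SYN(s), no SYN-ACK seen")
```

Pipe a saved capture into the script instead of SAMPLE_OUTPUT to check whether the firewall is forwarding the request and seeing the reply, or whether one side of the exchange is missing.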
Note: Expressions can be combined using the logical operators and, or, and not. Make sure the whole combined expression is enclosed within a single pair of quotes.

Analyzing TCPDUMP Output

    console> tcpdump 'port 21'
    tcpdump: Starting Packet Dump.

Document Version: 1.0 - 07 September, 2015