11 January 2013

Sophos UTM How To Sniff The Traffic Directly On The Firewall Using tcpdump and Wireshark





Open a SSH connection to the Astaro Gateway using Putty





Login via SSH as “loginuser” using putty.





Elevate your privileges using the command “su -“





Before dumping the packet capture to a file, check the command syntax.


Now redirect the tcpdump output to a file using:

 tcpdump -i eth0 -w /var/log/packetdump.sniff src 192.168.1.2

Note: add the option -s 1500 to capture the full packet data.

Press Ctrl-C to stop the packet capture.

Use WinSCP (free) to get the capture file from the Astaro to your PC.

Browse to the /var/log directory and copy the file to c:\temp.

Now you can open the file with Wireshark (formerly Ethereal) in order to decode the packets.
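Before opening the copied file in Wireshark it is worth checking that the capture actually holds what you need. The Python script below is an added example and is not part of the original post: it parses the classic libpcap format that tcpdump -w writes, reports the snaplen and link type recorded in the global header, and counts records whose saved length is shorter than the frame's length on the wire, which is the sign that the snaplen was too small. The build_sample_pcap function constructs synthetic data so the script runs offline; the function names, the sample frame sizes and the c:\temp\packetdump.sniff path are assumptions. Run it with the path to your own copy to check a real capture.

```python
import struct

# Link-layer header types from the libpcap registry (only a few listed here).
LINKTYPE_NAMES = {1: "Ethernet", 101: "Raw IP", 113: "Linux cooked (SLL)"}


def parse_pcap(data: bytes) -> dict:
    """Parse a classic libpcap file (the format tcpdump -w produces) and report
    the snaplen it was captured with, the link type, the record count and how
    many records were cut short because the frame was longer than the snaplen."""
    if len(data) < 24:
        raise ValueError("shorter than the 24-byte pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):      # header written on a little-endian host
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):    # header written on a big-endian host
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic 0x%08x); pcapng is not handled here" % magic)
    _major, _minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])

    offset, packets, truncated = 24, 0, 0
    while offset < len(data):
        if len(data) - offset < 16:
            raise ValueError("trailing %d bytes at offset %d are not a full record header"
                             % (len(data) - offset, offset))
        _sec, _usec, caplen, origlen = struct.unpack(endian + "IIII", data[offset:offset + 16])
        if caplen > snaplen:
            raise ValueError("record at offset %d claims %d bytes, more than snaplen %d"
                             % (offset, caplen, snaplen))
        if len(data) - offset - 16 < caplen:
            raise ValueError("record at offset %d is incomplete (capture cut off mid-write?)" % offset)
        packets += 1
        if caplen < origlen:      # the wire frame was longer than what was saved
            truncated += 1
        offset += 16 + caplen

    return {
        "snaplen": snaplen,
        "linktype": linktype,
        "linktype_name": LINKTYPE_NAMES.get(linktype, "other (%d)" % linktype),
        "packets": packets,
        "truncated": truncated,
    }


def build_sample_pcap(snaplen: int, frame_sizes: list) -> bytes:
    """Constructed sample data (not a real capture): a little-endian, Ethernet
    link-type pcap whose records are trimmed to snaplen exactly as tcpdump -s
    would trim them. Payload bytes are zeros; only the lengths matter here."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, size in enumerate(frame_sizes):
        caplen = min(size, snaplen)
        out += struct.pack("<IIII", 1357900000 + i, 0, caplen, size)
        out += bytes(caplen)
    return out


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:      # e.g. c:\temp\packetdump.sniff (assumed path)
            report = parse_pcap(f.read())
    else:
        # Old tcpdump default snaplen of 68 bytes against two full-size Ethernet frames
        report = parse_pcap(build_sample_pcap(68, [60, 1514, 1514]))
    print(report)
    if report["truncated"]:
        print("%d of %d records are truncated; recapture with a larger -s value"
              % (report["truncated"], report["packets"]))
```

One caveat the check makes visible: a full-size Ethernet frame is 1514 bytes (14-byte header plus 1500-byte payload), so frames of that size are still trimmed by 14 bytes at -s 1500. Using -s 0 (no limit in tcpdump 4.0 and later) or an explicit value of at least 1514 keeps them whole.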

In order to delete the capture from the Astaro HD, issue the "rm -f -r /var/log/packetdump.sniff" command from the SSH session. WinSCP is logged in as loginuser without administrative privileges and cannot delete the file.