11 January 2013

Sophos UTM: How To Sniff Traffic Directly On The Firewall Using tcpdump and Wireshark

Open an SSH connection to the Astaro Gateway using PuTTY.

Log in via SSH as "loginuser" using PuTTY.

Elevate your privileges to root using the command "su -".

Before dumping the packet capture to a file, check the command syntax: run tcpdump without -w first to confirm that the interface and the capture filter match the traffic you expect to see.

Now redirect the tcpdump output to a file (replace <source-ip> with the address of the host whose traffic you want to capture; the filter expression goes after the options):

 tcpdump -i eth0 src <source-ip> -w /var/log/packetdump.sniff

Note: with the option -s 1500 you will capture the full packet data (a full Ethernet frame); older tcpdump versions otherwise default to a short snapshot length and truncate each packet.

Press Ctrl-C to stop the packet capture.

Use WinSCP (free) to copy the capture file from the Astaro to your PC.

Browse to the /var/log directory and copy the file to C:\temp.

Now you can open the file with Wireshark (formerly Ethereal) in order to decode the packets.

In order to delete the capture from the Astaro hard disk, issue the "rm -f /var/log/packetdump.sniff" command from the root SSH session. WinSCP is logged in as loginuser, without administrative privileges, and therefore can't delete the file.
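Before opening a capture in Wireshark it is worth checking that the snapshot length from the -s note above was actually large enough, because a capture made with a short snapshot length decodes fine but silently lacks the payload bytes. The following script is an added example and is not part of the original post or of the Sophos/Astaro product; it reads the classic pcap container that tcpdump -w produces (24-byte global header, 16-byte record headers) and reports how many records were stored with fewer bytes than the frame had on the wire, plus whether the file ends in a half-written record. The sample capture it builds in memory is constructed data, not a real dump.

```python
"""Sanity-check a tcpdump -w capture before decoding it in Wireshark.

Parses the classic pcap format (global header + per-record headers) and
reports packets whose captured length is shorter than their on-wire
length, which is the signature of a snapshot length (-s) that was too
small for the traffic.
"""
import struct
import sys

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D   # classic pcap, nanosecond timestamps
GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16


def _byte_order(data):
    """Derive the writer's byte order from the magic number."""
    for order in ("<", ">"):
        magic = struct.unpack(order + "I", data[:4])[0]
        if magic in (PCAP_MAGIC, PCAP_MAGIC_NS):
            return order
    raise ValueError("not a classic pcap file (magic bytes %s)" % data[:4].hex())


def parse_pcap(data):
    """Return a summary dict for a pcap byte string."""
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError("file is shorter than the 24-byte pcap global header")
    order = _byte_order(data)
    # version major/minor, timezone offset, sigfigs, snaplen, link type
    _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack(
        order + "HHiIII", data[4:GLOBAL_HEADER_LEN])
    summary = {"snaplen": snaplen, "linktype": linktype, "packets": 0,
               "truncated": 0, "bytes_lost": 0, "incomplete_tail": False}
    offset = GLOBAL_HEADER_LEN
    while offset < len(data):
        if len(data) - offset < RECORD_HEADER_LEN:
            summary["incomplete_tail"] = True   # header cut off mid-write
            break
        _sec, _frac, incl_len, orig_len = struct.unpack(
            order + "IIII", data[offset:offset + RECORD_HEADER_LEN])
        offset += RECORD_HEADER_LEN
        if incl_len > orig_len:
            raise ValueError("corrupt record at offset %d" % (offset - RECORD_HEADER_LEN))
        if len(data) - offset < incl_len:
            summary["incomplete_tail"] = True   # packet bytes cut off mid-write
            break
        summary["packets"] += 1
        if incl_len < orig_len:                 # stored fewer bytes than were on the wire
            summary["truncated"] += 1
            summary["bytes_lost"] += orig_len - incl_len
        offset += incl_len
    return summary


def build_sample_pcap(snaplen, packets):
    """Constructed test data: wrap (captured_bytes, on_wire_length) pairs in a pcap container."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)  # link type 1 = Ethernet
    body = b""
    for i, (captured, orig_len) in enumerate(packets):
        body += struct.pack("<IIII", 1357862400 + i, 0, len(captured), orig_len) + captured
    return header + body


def describe(summary):
    """Human-readable verdict on a parse_pcap() summary."""
    if summary["truncated"]:
        return ("%d of %d packets truncated (%d bytes lost); recapture with a larger -s "
                "(snaplen in file: %d)" % (summary["truncated"], summary["packets"],
                                           summary["bytes_lost"], summary["snaplen"]))
    if summary["incomplete_tail"]:
        return "%d complete packets, file ends in a partial record" % summary["packets"]
    return "%d packets, none truncated" % summary["packets"]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:   # e.g. C:\temp\packetdump.sniff
            print(describe(parse_pcap(fh.read())))
    else:
        # No file given: demonstrate on a constructed capture made with -s 96.
        demo = build_sample_pcap(96, [(b"\x00" * 96, 1500), (b"\x00" * 60, 60)])
        print(describe(parse_pcap(demo)))
```

Run it as `python check_capture.py C:\temp\packetdump.sniff` after the WinSCP copy; a non-zero truncated count means the capture was taken without -s 1500 (or with a value smaller than the frames) and the payloads shown in Wireshark will be incomplete.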
