How to: TCPDump on XG

Hi everybody.

I want to share my experience with dumping on XG with you. Most of the time I have to write down how it is done, so I will summarize it here.

First of all, get an SSH session to your XG.

You have to use the "admin" account to log in.

Switch to the Advanced Shell (option 5, then option 3).

We can now perform a tcpdump.

Refer to the man page of tcpdump for all kinds of filters:

http://www.tcpdump.org/manpages/tcpdump.1.html

But here are my "most used":

tcpdump -ni any

You will see all the traffic on all interfaces with all IPs.

I cannot recommend this because you will see the SSH traffic as well.

Filter the traffic with port PORTNUMBER and/or host IP_Address. Basically you can combine filters with all kinds of logical connectives like and, or, nor etc.

https://en.wikipedia.org/wiki/Logical_connective

tcpdump -ni any host 192.168.1.2 and port 443

You can also restrict the capture to one port (interface) by replacing any with the wanted one (Port3).

tcpdump -ni Port3 host 192.168.1.2 and port 443

For better understanding, you can write the dump into a file with -b -w /tmp/dump.pcap

Use PSCP to download this file:

https://community.sophos.com/kb/en-us/127647

Then you can open this file with Wireshark and use the power of Wireshark to troubleshoot.
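As an added example (my own, not from the original post), here is a small POSIX shell helper that composes the filters above, keeps the admin's own SSH session out of the trace so the capture does not show itself, and optionally adds the -w file output. It assumes the standard tcpdump options (-i, -n, -s, -w) and that the SSH daemon exports SSH_CONNECTION; it only prints the command line so you can check it before running it.

```shell
#!/bin/sh
# Added example, not part of the original post: compose a tcpdump command for
# the XG advanced shell that keeps the admin's own SSH session out of the trace.
# Only the command line is printed, so it can be reviewed before it is run.

# build_filter HOST PORT [ADMIN_IP ADMIN_PORT]
# HOST and PORT may be empty. If the admin's SSH endpoint is known, only that
# one session is excluded; otherwise every port-22 packet is left out.
build_filter() {
    f=""
    if [ -n "$1" ]; then f="host $1"; fi
    if [ -n "$2" ]; then f="${f:+$f and }port $2"; fi
    if [ -n "$3" ] && [ -n "$4" ]; then
        excl="not (host $3 and port $4)"
    else
        excl="not port 22"
    fi
    if [ -n "$f" ]; then
        printf '%s and %s\n' "$f" "$excl"
    else
        printf '%s\n' "$excl"
    fi
}

# xg_capture IFACE HOST PORT [OUTFILE]
# IFACE is any, Port1, br0 ... (tcpdump -i). With OUTFILE the trace is written
# as pcap (-w, full packets via -s 0) for download with PSCP and Wireshark.
# Assumption: the SSH daemon exports SSH_CONNECTION as
# "client_ip client_port server_ip server_port", as OpenSSH does.
xg_capture() {
    iface=$1; host=$2; port=$3; outfile=$4
    set -- ${SSH_CONNECTION:-}     # split into the four fields, or nothing
    filter=$(build_filter "$host" "$port" "${1:-}" "${2:-}")
    cmd="tcpdump -ni $iface"
    if [ -n "$outfile" ]; then cmd="$cmd -s 0 -w $outfile"; fi
    # The filter is single-quoted so the parentheses survive the shell.
    printf "%s '%s'\n" "$cmd" "$filter"
}

# The post's examples, now with the admin session filtered out:
#   xg_capture Port3 192.168.1.2 443
#   xg_capture any "" "" /tmp/dump.pcap
```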

Let's get back to the shell version.

If you want to see all pings, just use:

tcpdump -ni any icmp

In my case I am using a bridge, so I will see the packets 3 times.

The packet arrives on Port1, is transferred to br0 and leaves the appliance on Port2 with my MASQ IP.

Keep in mind that XG has to NAT the traffic etc. So basically 192.168.1.1 will not be displayed on the WAN port etc. Feel free to play with those filters in tcpdump and you will find nearly everything.

Feel free to comment and I will add everything in more detail.