tcpdump is a packet capture tool that intercepts and captures packets passing through a network interface, which makes it useful for understanding and troubleshooting network-layer problems. It lets you monitor the packets arriving on an interface, the reply to each packet, packet drops, and ARP information. tcpdump prints the headers of the packets on a network interface that match the boolean filter expression.
To capture packets using web admin console, refer to this article: Sophos Firewall: How to monitor traffic using packet capture utility in the GUI.
This article describes the steps to use tcpdump commands in Sophos Firewall CLI to monitor packet flow.
Applies to the following Sophos products and versions: Sophos Firewall
Log in to the command line interface (CLI) and choose option 4. Device Console.
How to view traffic of a...

specific host
  Syntax:  tcpdump 'host <ipaddress>'
  Example: tcpdump 'host 10.10.10.1'

specific source host
  Syntax:  tcpdump 'src host <ipaddress>'
  Example: tcpdump 'src host 10.10.10.1'

specific destination host
  Syntax:  tcpdump 'dst host <ipaddress>'
  Example: tcpdump 'dst host 10.10.10.1'

specific network
  Syntax:  tcpdump 'net <network address>'
  Example: tcpdump 'net 10.10.10'

specific source network
  Syntax:  tcpdump 'src net <network address>'
  Example: tcpdump 'src net 10.10.10'

specific destination network
  Syntax:  tcpdump 'dst net <network address>'
  Example: tcpdump 'dst net 10.10.10'

specific port
  Syntax:  tcpdump 'port <port-number>'
  Example: tcpdump 'port 21'

specific source port
  Syntax:  tcpdump 'src port <port-number>'
  Example: tcpdump 'src port 21'

specific destination port
  Syntax:  tcpdump 'dst port <port-number>'
  Example: tcpdump 'dst port 21'

specific host on a particular port
  Syntax:  tcpdump 'host <ipaddress> and port <port-number>'
  Example: tcpdump 'host 10.10.10.1 and port 21'

specific host on all ports except SSH
  Syntax:  tcpdump 'host <ipaddress> and port not <port-number>'
  Example: tcpdump 'host 10.10.10.1 and port not 22'

specific protocol
  Examples: tcpdump 'proto ICMP'
            tcpdump 'proto UDP'
            tcpdump 'proto TCP'
            tcpdump 'arp'

specific interface
  Syntax:  tcpdump interface <interface>
  Example: tcpdump interface PortB

specific port on a particular interface
  Syntax:  tcpdump interface <interface> 'port <port-number>'
  Example: tcpdump interface PortB 'port 21'
Below is an example of analyzing tcpdump output for port 80:
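As an added illustration of reading such output (not part of the original article and not Sophos code), the following Python script parses tcpdump TCP lines in the standard text format and classifies each client-to-server flow on port 80 by what the handshake shows: completed (SYN followed by SYN-ACK), reset by the server, or SYN with no reply at all, which is the pattern you see when packets are being dropped somewhere on the path. The sample lines are constructed for this example, and the script assumes the Sophos CLI prints the usual tcpdump format with numeric addresses.

```python
import re
from collections import defaultdict

# Constructed sample of tcpdump output for the filter 'port 80'. These lines are
# made up for this example and were not captured from a real firewall.
SAMPLE_OUTPUT = """\
10:15:01.000100 IP 10.10.10.1.51234 > 93.184.216.34.80: Flags [S], seq 1000, win 64240, length 0
10:15:01.020300 IP 93.184.216.34.80 > 10.10.10.1.51234: Flags [S.], seq 2000, ack 1001, win 65535, length 0
10:15:01.020400 IP 10.10.10.1.51234 > 93.184.216.34.80: Flags [.], ack 1, win 502, length 0
10:15:01.021000 IP 10.10.10.1.51234 > 93.184.216.34.80: Flags [P.], seq 1:75, ack 1, win 502, length 74: HTTP: GET / HTTP/1.1
10:15:02.000100 IP 10.10.10.2.40001 > 203.0.113.9.80: Flags [S], seq 3000, win 64240, length 0
10:15:03.000100 IP 10.10.10.2.40001 > 203.0.113.9.80: Flags [S], seq 3000, win 64240, length 0
10:15:04.000100 IP 10.10.10.3.40002 > 203.0.113.10.80: Flags [S], seq 4000, win 64240, length 0
10:15:04.001000 IP 203.0.113.10.80 > 10.10.10.3.40002: Flags [R.], seq 0, ack 4001, win 0, length 0
"""

# One tcpdump TCP line: timestamp, "IP", src.port > dst.port, then the TCP flags.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return the header fields of one tcpdump TCP line, or None for lines
    that do not match (ARP, ICMP, truncated output, and so on)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def summarize_port(text, port=80):
    """Group packets into (client ip, client port, server ip, server port)
    flows on `port` and describe the state of each flow's TCP handshake."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "rst": 0, "data": 0})
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        flags = pkt["flags"]
        if pkt["dport"] == port:
            # Client -> server direction.
            f = flows[(pkt["src"], pkt["sport"], pkt["dst"], port)]
            if flags.startswith("S") and "." not in flags:
                f["syn"] += 1          # bare SYN (no ACK bit)
            elif "P" in flags:
                f["data"] += 1         # payload after the handshake
        elif pkt["sport"] == port:
            # Server -> client direction.
            f = flows[(pkt["dst"], pkt["dport"], pkt["src"], port)]
            if "S" in flags and "." in flags:
                f["synack"] += 1       # SYN-ACK: the server answered
            elif "R" in flags:
                f["rst"] += 1          # RST: the server refused or tore down

    result = {}
    for key, f in flows.items():
        if f["synack"]:
            status = "handshake completed"
        elif f["rst"]:
            status = "reset by server"
        elif f["syn"]:
            # Repeated SYNs with no answer point at a drop on the path.
            status = f"no reply after {f['syn']} SYNs"
        else:
            status = "seen mid-stream"
        result[key] = status
    return result


if __name__ == "__main__":
    for (cip, cport, sip, sport), status in summarize_port(SAMPLE_OUTPUT).items():
        print(f"{cip}:{cport} -> {sip}:{sport}: {status}")
```

Feed it a capture saved from the CLI (for example the text you copied from `tcpdump 'port 80'`) instead of the constructed sample; flows that stay in the "no reply" state are the ones to chase with the per-interface filters from the table above to see on which side of the firewall the SYN disappears.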