drop-packet-capture is a packet capture tool that intercepts and captures packets dropped on a network interface. It lets you check which packets the Sophos Firewall is dropping. drop-packet-capture prints the headers of packets on a network interface that match the boolean expression, together with additional information on the policy that caused the packet to be dropped in the first place.
This article describes the steps to use drop-packet-capture commands in the Sophos Firewall CLI to monitor dropped packets.
Applies to the following Sophos products and versions: Sophos Firewall
Log in to the Command Line Interface (CLI) and choose option 4. Device Console.
How to view traffic of a...

specific host
    Syntax:  drop-packet-capture 'host <ipaddress>'
    Example: drop-packet-capture 'host 10.10.10.1'

specific source host
    Syntax:  drop-packet-capture 'src host <ipaddress>'
    Example: drop-packet-capture 'src host 10.10.10.1'

specific destination host
    Syntax:  drop-packet-capture 'dst host <ipaddress>'
    Example: drop-packet-capture 'dst host 10.10.10.1'

specific network
    Syntax:  drop-packet-capture 'net <network address>'
    Example: drop-packet-capture 'net 10.10.10'

specific source network
    Syntax:  drop-packet-capture 'src net <network address>'
    Example: drop-packet-capture 'src net 10.10.10'

specific destination network
    Syntax:  drop-packet-capture 'dst net <network address>'
    Example: drop-packet-capture 'dst net 10.10.10'

specific port
    Syntax:  drop-packet-capture 'port <port-number>'
    Example: drop-packet-capture 'port 21'

specific source port
    Syntax:  drop-packet-capture 'src port <port-number>'
    Example: drop-packet-capture 'src port 21'

specific destination port
    Syntax:  drop-packet-capture 'dst port <port-number>'
    Example: drop-packet-capture 'dst port 21'

specific host for the particular port
    Syntax:  drop-packet-capture 'host <ipaddress> and port <port-number>'
    Example: drop-packet-capture 'host 10.10.10.1 and port 21'

specific host for all the ports except SSH
    Syntax:  drop-packet-capture 'host <ipaddress> and port not <port-number>'
    Example: drop-packet-capture 'host 10.10.10.1 and port not 22'

specific protocol
    Syntax/Example:
             drop-packet-capture 'proto ICMP'
             drop-packet-capture 'proto UDP'
             drop-packet-capture 'proto TCP'
             drop-packet-capture 'arp'

specific interface
    Syntax:  drop-packet-capture interface <interface>
    Example: drop-packet-capture interface PortB

specific port of a particular interface
    Syntax:  drop-packet-capture interface <interface> 'port <port-number>'
    Example: drop-packet-capture interface PortB 'port 21'
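A mistyped filter expression is the most common reason a capture shows nothing, so it helps to check an expression before pasting it into the Device Console. The following is an added example, not Sophos code: a small validator for the tcpdump-style filter vocabulary shown in the commands above (host, net, port, proto with optional src/dst and not, the bare arp keyword, primitives joined by and). The grammar is an assumption reconstructed from the page's examples, not the firewall's own parser.

```python
import ipaddress
import re

# Filter vocabulary taken from the commands on this page (tcpdump-style syntax).
DIRECTIONS = {"src", "dst"}
QUALIFIERS = {"host", "net", "port", "proto"}
PROTOCOLS = {"ICMP", "UDP", "TCP"}

def _check_value(qualifier, value):
    # Raise ValueError if value is not a sane argument for the qualifier.
    if qualifier == "host":
        ipaddress.IPv4Address(value)  # raises on anything but a dotted quad
    elif qualifier == "net":
        # Page writes networks as truncated prefixes (10.10.10): allow 1-4 octets, optional /len
        m = re.fullmatch(r"(\d{1,3}(?:\.\d{1,3}){0,3})(?:/(\d{1,2}))?", value)
        if (not m or any(int(o) > 255 for o in m.group(1).split("."))
                or (m.group(2) and int(m.group(2)) > 32)):
            raise ValueError(f"bad network {value!r}")
    elif qualifier == "port":
        if not value.isdigit() or not 1 <= int(value) <= 65535:
            raise ValueError(f"bad port {value!r}")
    elif qualifier == "proto" and value.upper() not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {value!r}")

def validate_filter(expr):
    """Parse expr into (qualifier, value, negated) tuples or raise ValueError.
    Assumed grammar: primitive := [src|dst] (host|net|port|proto) [not] VALUE | arp
                     expr      := primitive ('and' primitive)*
    """
    toks, i, prims, want_prim = expr.split(), 0, [], True
    while i < len(toks):
        if not want_prim:  # between primitives only 'and' is allowed
            if toks[i] != "and": raise ValueError(f"expected 'and' before {toks[i]!r}")
            i, want_prim = i + 1, True
            continue
        direction = toks[i] if toks[i] in DIRECTIONS else None
        i += direction is not None
        if i < len(toks) and toks[i] == "arp" and direction is None:
            prims.append(("arp", None, False))
        elif i < len(toks) and toks[i] in QUALIFIERS:
            q, i = toks[i], i + 1
            negated = i < len(toks) and toks[i] == "not"  # 'port not 22' form
            i += negated
            if i >= len(toks): raise ValueError(f"{q} needs a value")
            _check_value(q, toks[i])
            prims.append((f"{direction} {q}" if direction else q, toks[i], negated))
        else:
            raise ValueError(f"unexpected token at position {i}")
        i, want_prim = i + 1, False
    if want_prim: raise ValueError("expression must end with a primitive")
    return prims
```

Run validate_filter() on the quoted part of the command (e.g. host 10.10.10.1 and port not 22); it returns the parsed primitives, or raises ValueError naming the offending token.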
Below is an example of analyzing drop-packet-capture output for host 192.168.37.10: