How to do a Tcpdump Filedump and retrieve it by FTP

The purpose of this post is to inform others of how to pull the pcap file off of the XG until the https://<appliance ip>/documents/tcpdump.pcap download issue is resolved.

Any items italicised and in quotes should be typed directly into the console without quotes.

This is a back-to-basics guide which I discovered while working with Sophos Support on another issue.

  1. Firstly, access the console of the XG firewall either via a PuTTY session or via the Admin drop-down > Console, and log in. (I prefer PuTTY because it's better than the web console and more powerful, but the web console is not without its on-the-spot benefits!)
    1. If you are logging in via PuTTY, the username and password will be the admin username and password you have chosen.
  2. Next you need to make a tcpdump file dump. There are two ways of doing this: going to the basic console and typing "tcpdump filedump", or going to the advanced shell and doing a "tcpdump -w". The latter doesn't seem to work because of permissions and a variety of other reasons, so we're going to use the basic shell for the purpose of capturing the packets to a file.
  3. Press option 4 for the "Device Console".
  4. Once the console has loaded, you can capture packets from all interfaces or from a specific one and dump them to a file. To capture from all interfaces, type "tcpdump filedump".
    1. To capture from a specific interface/port on the XG, you don't use the normal "-i eth0"; you use the port designations shown in System > Network > Interfaces, i.e. "tcpdump interface port1". The -v parameter just means verbose; you can type -v or verbose, and it gives you a count of the packets captured.

  5. Once you are satisfied you've captured the packets for your test, press CTRL + C to end the capture, then type "exit".
  6. We now need to go to the advanced shell. From the previous step we should be back in the SFOS menu. To get to the advanced shell, pick Option 5 (Device Management) then Option 3 (Advanced Shell).
  7. Now that we are in the advanced shell, we can navigate to where the files are stored. They are stored in /tmp/data; to get there, type "cd /tmp/data" and press enter.
  8. Now if you type "ls" (L and S) and press enter, you should see a pretty little tcpdump.pcap waiting for you.
  9. There are two ways (that I am aware of) to transfer the file off of the XG by FTP, and I will explain both with their pros and cons.
    1. FTPPUT
      1. This is a nice simple clean command. Example usage is as follows:
        1. "ftpput -v -u [targetusername] -p [targetuserpassword] -P [portnumber] <hostnameorip> [remotelocation] [localfile]". 
      2. So, connecting to my local file server on 172.16.16.50 as adminFTP with password tharg, going to the /Public folder on the non-standard port 8000, would be as follows:
        1. "ftpput -v -u adminFTP -p tharg -P 8000 172.16.16.50 /Public tcpdump.pcap". 
      3. If you want to rename the file on the target FTP server, you can append a filename to the destination folder, e.g. "/Public/testonnotification.pcap", and it will change the filename in the stream. -v is verbose; it tells you what it's doing.
      4. The pro of ftpput is that it's quick and dirty.
      5. The cons of ftpput are that it cannot do TLS and can only do a PLAIN login, so secured FTP servers are out unless you set up an unencrypted, unsecured FTP server for the sole purpose of being a drop box. On an unsecured FTP server on my QNAP, I was getting errors saying the filename is not allowed; this could be down to the way it does encoding, maybe it's non-standard or otherwise.
      6. SF01V_XV01_SFOS 15.01.0# ftpput -v -u uname -p pwd x.x.x.x ftp_directory/filename.pcap  data/tcpdump.pcap

        x.x.x.x = FTP server IP address
        uname = FTP username
        pwd = FTP password
        ftp_directory = Desired FTP directory
        filename.pcap = Desired file name to store PCAP
        1. Kindly suggested by Sachin, thank you!

    2. cURL command
      1. The cURL command is incredibly powerful: it supports a whole shebang of protocols, and can do authentication, encryption, certificates and more! Shame it doesn't make coffee though. The way we're using cURL uses only a small iota of its capability; read more on it here. Plus it can use both secure authentication and PLAIN, and can try both!
      2. A sample connection to a non-TLS FTP server would be as follows:
        1. "curl -v -T tcpdump.pcap username:password@ip_or_fqdn_of_target/.../". -T is upload file, and remember it is case sensitive: -t is telnet!

      3. A sample connection to a TLS FTP server using cURL would be as follows:
        1. "curl -v -T tcpdump.pcap -u username:password ftps://ip_or_fqdn_of_target:FTPPort/target_folder/".
        2. I have not as of yet got this fully working; it seems to fail setting the certificate verification locations, so I cannot right now say yes, it can do FTP over TLS/SSL. Someone smarter than me in this area, I hope, can shed some light or come up with a workaround, and I will credit and add it to this guide. There are other methods of doing FTP over TLS/SSL; again, those with more knowledge than I, please chime in so we can get a full guide :)
      4. An example of connecting to a standard FTP server (not explicit TLS/SSL) on 172.16.16.50 as adminFTP with password tharg, going to /Public on the standard FTP port, would be as follows:
        1. "curl -v -T tcpdump.pcap adminFTP:tharg@172.16.16.50/Public". You can also specify a target filename by changing /Public to "/Public/yaypackets.pcap".
      5. Not many cons to cURL, but it's very complex and there are lots of ways to do the same thing. At least it will work, and you have more control over login methodology and the like. I think its shortcoming will be how it can actually use certificate resources from the XG; it may not be able to, which may be problematic for FTPS.
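As an added example (not part of the original post, and not Sophos code), the script below ties the ftpput and cURL methods above together in a form that can be checked before anything is sent: it confirms that tcpdump.pcap really is a capture by reading its magic number, records a SHA-256 digest to compare against the copy that lands on the FTP server, and builds the upload command for plain FTP (ftpput or curl) or for FTPS via curl. For the FTPS case it goes a little beyond the post: a server that offers TLS on the normal FTP port (AUTH TLS) is reached with curl's ftp:// URL plus --ssl-reqd, which makes curl abort rather than fall back to cleartext if the server will not upgrade, while ftps:// means implicit TLS on its own port (normally 990). Because the post reports that curl on the XG fails to find its certificate verification locations, the server's CA certificate is passed explicitly with --cacert. The path /tmp/data/ftp-ca.pem and the presence of od, sha256sum, curl and ftpput in the XG advanced shell are assumptions; the host, user, password and /Public values are the ones used in the post.

```shell
#!/bin/sh
# export_pcap.sh - added example, not from the original post or Sophos.
# Checks a tcpdump capture and builds the upload command for the transfer
# methods discussed above: busybox ftpput, curl over plain FTP, and curl over
# explicit or implicit FTPS.
# Assumptions (not stated in the post): od, sha256sum, curl and ftpput are on
# PATH in the XG advanced shell, and the FTP server's CA certificate has been
# copied to the firewall as /tmp/data/ftp-ca.pem (override with CACERT=...).

CACERT=${CACERT:-/tmp/data/ftp-ca.pem}

# pcap_kind FILE
# Classify the capture by its 4-byte magic number so an empty or truncated
# file is noticed before it is uploaded. Prints the format; returns 1 if the
# file is not a capture.
pcap_kind() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1) echo pcap-le ;;   # classic pcap written on a little-endian host
        a1b2c3d4) echo pcap-be ;;   # classic pcap written on a big-endian host
        0a0d0d0a) echo pcapng ;;    # pcapng section header block
        *)        echo unknown; return 1 ;;
    esac
}

# pcap_digest FILE
# SHA-256 of the capture, taken before transfer so the copy on the FTP server
# can be compared with it (run sha256sum on the receiving side).
pcap_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# build_upload_cmd METHOD HOST PORT USER PASSWORD REMOTE_DIR FILE
# Prints the command line for METHOD:
#   ftpput - busybox ftpput as used in the post (plain FTP, PLAIN login only)
#   ftp    - curl over plain FTP, equivalent to the post's curl example
#   ftps   - curl with explicit TLS: ftp:// URL plus --ssl-reqd, so the
#            session is refused if the server will not upgrade to TLS
#   ftpsi  - curl with implicit TLS: ftps:// URL, normally port 990
# REMOTE_DIR is interpreted by curl relative to the FTP login's home directory.
# The password ends up on the command line, exactly as in the post's examples.
build_upload_cmd() {
    method=$1; host=$2; port=$3; user=$4; pass=$5; dir=$6; file=$7
    name=$(basename "$file")
    case "$method" in
        ftpput)
            printf 'ftpput -v -u %s -p %s -P %s %s %s/%s %s\n' \
                "$user" "$pass" "$port" "$host" "$dir" "$name" "$file" ;;
        ftp)
            printf 'curl -v -T %s -u %s:%s ftp://%s:%s%s/\n' \
                "$file" "$user" "$pass" "$host" "$port" "$dir" ;;
        ftps)
            printf 'curl -v -T %s -u %s:%s --ssl-reqd --cacert %s ftp://%s:%s%s/\n' \
                "$file" "$user" "$pass" "$CACERT" "$host" "$port" "$dir" ;;
        ftpsi)
            printf 'curl -v -T %s -u %s:%s --cacert %s ftps://%s:%s%s/\n' \
                "$file" "$user" "$pass" "$CACERT" "$host" "$port" "$dir" ;;
        *)
            echo "unknown method: $method" >&2; return 1 ;;
    esac
}

# Stand-alone use from the advanced shell, for example:
#   sh export_pcap.sh ftps 172.16.16.50 21 adminFTP tharg /Public /tmp/data/tcpdump.pcap
# Prints the format and digest, then runs the generated command. The command is
# passed through eval, so arguments containing shell metacharacters would need
# quoting; the post's plain values are fine as they are.
main() {
    file=$7
    kind=$(pcap_kind "$file") || { echo "$file is not a capture file" >&2; exit 1; }
    echo "format: $kind"
    echo "sha256: $(pcap_digest "$file")"
    cmd=$(build_upload_cmd "$@") || exit 1
    echo "running: $cmd"
    eval "$cmd"
}

if [ $# -eq 7 ]; then main "$@"; fi
```

After the upload, running sha256sum on the file as it arrived on the FTP server and comparing it with the digest printed here tells you whether the capture survived the transfer intact, which matters when a truncated pcap would otherwise be mistaken for a capture in which the traffic of interest simply never appeared.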

  10. Check your FTP server and you should have it there ready to be used in Wireshark or other packet analysis software.

So there you have it, this is a short guide which I hope is informative enough to help the people here grab the Tcpdumps for deeper analysis of issues in the XG.

Please feel free to comment and any additions and changes that are requested/suggested will be taken into consideration, acted upon and credited.

  • Hi Emile,


    Thanks for the post.

    I will also post a suggestion to this for reference.

    SF01V_XV01_SFOS 15.01.0# ftpput -v -u uname -p pwd x.x.x.x ftp_directory/filename.pcap  data/tcpdump.pcap

    x.x.x.x = FTP server IP address
    uname = FTP username
    pwd = FTP password
    ftp_directory = Desired FTP directory
    filename.pcap = Desired file name to store PCAP

    Thanks

    Sachin Gurung

  • In reply to sachingurung:

    Hi Sachin,

    Thanks for your suggestion for password protected FTP servers using ftpput, I just couldn't get it to play ball!

    Entered in :)

    Cheers,

    Emile

  • When will the issue with direct *.pcap file download be solved?

  • In reply to MarekDalke:

    Hi Marek,

    For security, the feature to download the pcap directly through a web request by appending it to the firewall IP address is disabled, and I guess it will be a tough call to incorporate it again in future. There are possibilities to change the backend location of the pcap file and download the pcap through the web browser. You can check the steps below, but this is only recommended for the home user; any backend changes on a licensed device should come from support, as it voids the guarantee.

    mount -w -o remount /

    cp /tmp/data/tcpdump.pcap /usr/share/userportal/tcpdump.pcap

    Download file in Browser from path https://<UTMIP:Port>/tcpdump.pcap

    For example: https://10.201.208.27:4444/tcpdump.pcap

    rm -rf /usr/share/userportal/tcpdump.pcap

    mount -r -o remount /

    Hope that helps :)

  • I would like to add the suggestion of using SCP to export the file over SSH.

    I did find that trying to use scp without a little bit of "trickery" does present a small problem, as the scp binary tries to find ssh in the wrong place.

    From the command line on the XG:

    #scp -S /usr/bin/ssh sourcefile.pcap user@host:destfile.pcap

    Works like a charm.

  • Hi,

    One more suggestion; it's not perfect but it does the job. Use "nc".

    On localhost or a VM, use nc to open a port

    (for fast inspection)

    nc -l ip.address 9999 -p 9999

    or write the output to pcap

    nc -l ip.address 9999 -p 9999 > traffic.pcap

    On the XG, send the traffic: pipe the tcpdump output to nc

    tcpdump -i Port(ABCD) not host your.ip and not host remote.host.ip | nc remote.host -p 9999 9999

  • In reply to FrankBarton:

    We can also copy files saved on the router by initiating scp from another Linux server, e.g.:

    scp admin@router_ip:/tmp/data/tcpdump.pcap .
    or better
    scp -p admin@router_ip:/tmp/data/tcpdump.pcap .

    which will keep the original creation time of the files.
    This is very useful when we need to analyze router logs using other tools than those available in SFOS. Or simply archive them cyclically.