Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Sophos Firewall: How to TCPdump

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


This Recommended Read goes over how to TCPdump on the Sophos Firewall

SSH to Sophos Firewall

First of all, get an SSH Session to your Sophos Firewall.

You'll have to use the "admin" to log in.

Switch to Advanced Shell and click 5.Device Management

Then click 3.Advanced Shell

Perform TCPdump

We can now perform a tcpdump. 

Refer to the man page of tcpdump for all kinds of filters.

But here are my "most used":

  • tcpdump -ni any 

You’ll see all the traffic on all Interfaces with all IPs.

I can't recommend this because you’ll see the SSH Traffic as well. 

Filter the traffic with port PORTNUMBER and/or host IP_Address. Basically, you can use all kinds of logical connectives like and, or, nor and so on.

  • tcpdump -ni any host and port 443 

You can also specify the port by replacing any with the wanted interface (Port3). 

  • tcpdump -ni Port3 host and port 443 

For better understanding, you can write the dump into a file with -b -w /tmp/dump.pcap

Download dump

Use PSCP to download this file.

And you can open this file with Wireshark for troubleshooting.

Filter to see all Pings

Let's get back to the Shell version.

If you want to see all pings, just use: 

  • tcpdump -ni any icmp 

In my case, using a bridge, I will see the packets 3 times. 

The packet arrives on Port1, will be transferred to br0, and leaves the appliance on Port2 with my MASQ ip. 

Keep in mind, Sophos Firewall has to NAT the traffic, etc. pp. So basically won’t be displayed on the WAN port and so on. Feel free to play with those filters in tcpdump and you’ll find nearly everything. 

Horizontal Lines, Table of Contents
[edited by: emmosophos at 8:41 PM (GMT -8) on 22 Dec 2023]