The purpose of this post is to inform others of how to pull the pcap file off the XG until the https://<appliance ip>/documents/tcpdump.pcap issue is resolved.
Any items italicised and in quotes should be typed directly into the console without quotes.
This is a back to basics guide which I discovered while working with Sophos Support on another issue.
So there you have it, this is a short guide which I hope is informative enough to help the people here grab the Tcpdumps for deeper analysis of issues in the XG.
Please feel free to comment and any additions and changes that are requested/suggested will be taken into consideration, acted upon and credited.
Thanks for the post.
I will also post a suggestion to this for reference.
SF01V_XV01_SFOS 15.01.0# ftpput -v -u uname -p pwd x.x.x.x ftp_directory/filename.pcap data/tcpdump.pcap

x.x.x.x = FTP server IP address
uname = FTP username
pwd = FTP password
ftp_directory = Desired FTP directory
filename.pcap = Desired file name to store the PCAP
Thanks for your suggestion for password protected FTP servers using ftpput, I just couldn't get it to play ball!
Entered in :)
When will the issue with direct *.pcap file download be solved?
For security, the feature to download the pcap directly through a web request by appending the path to the firewall IP address is disabled, and I guess it will be a tough call to incorporate it again in future. There are possibilities to change the backend location of the pcap file and download the pcap through the web browser. You can check the steps below, but this is only recommended for the home user; any backend changes on a licensed device should come from support, as it voids the guarantee.
mount -w -o remount /
cp /tmp/data/tcpdump.pcap /usr/share/userportal/tcpdump.pcap
Download file in Browser from path https://<UTMIP:Port>/tcpdump.pcap
For example: https://10.201.208.27:4444/tcpdump.pcap
rm -rf /usr/share/userportal/tcpdump.pcap
mount -r -o remount /
Hope that helps :)
I would like to add the suggestion of using SCP to export the file over SSH.
I did find that trying to use scp without a little bit of "trickery" does present a small problem, as the scp binary tries to find ssh in the wrong place.
From the command line on the XG:
#scp -S /usr/bin/ssh sourcefile.pcap user@host:destfile.pcap
Works like a charm.
One more suggestion; it's not perfect but it does the job. Use "nc".
On localhost or a VM, use nc to open a port
(for fast inspection; tcpdump -r - decodes the pcap stream as it arrives)
nc -l ip.address 9999 -p 9999 | tcpdump -r -
or write the output to a pcap file
nc -l ip.address 9999 -p 9999 > traffic.pcap
On the XG send the traffic: pipe the tcpdump output to nc (-w - writes pcap data rather than text, -U flushes each packet)
tcpdump -i Port(ABCD) -U -w - not host your.ip and not host remote.host.ip | nc remote.host -p 9999 9999
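As an added example (not code from this thread), a POSIX shell check for the file that arrives on the receiving host: tcpdump without "-w -" emits text and nc performs no integrity check, so confirm the magic bytes before loading a transferred file into an analysis tool. It assumes od and tr are available on the receiving host; the sample files it creates are constructed, not real XG captures.

```shell
# Added example, not from this thread: confirm that a file pulled off the XG
# (scp, ftpput, or the tcpdump | nc pipe) really is a capture before loading
# it into an analysis tool. tcpdump without "-w -" emits text, and nc does
# not check integrity, so a file named traffic.pcap may not be pcap at all.
pcap_format() {
    capture="$1"
    [ -r "$capture" ] || { echo "unreadable"; return 2; }
    # First four bytes as lowercase hex; od -N4 reads only the magic number
    magic=$(od -An -tx1 -N4 "$capture" | tr -d ' \n')
    case "$magic" in
        a1b2c3d4) echo "pcap big-endian";                return 0 ;;
        d4c3b2a1) echo "pcap little-endian";             return 0 ;;
        a1b23c4d) echo "pcap big-endian, nanosecond";    return 0 ;;
        4d3cb2a1) echo "pcap little-endian, nanosecond"; return 0 ;;
        0a0d0d0a) echo "pcapng";                         return 0 ;;
        *)        echo "not a capture (magic $magic)";   return 1 ;;
    esac
}

# Demo on constructed files (no real XG capture involved): a minimal
# little-endian pcap global header, and the text tcpdump prints without -w.
demo_dir=$(mktemp -d)
printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' \
    > "$demo_dir/good.pcap"
printf '12:00:00.000001 IP 10.0.0.1.22 > 10.0.0.2.5555: Flags [P.]\n' > "$demo_dir/text.pcap"
for f in "$demo_dir/good.pcap" "$demo_dir/text.pcap"; do
    echo "$f: $(pcap_format "$f")"
done
rm -rf "$demo_dir"
```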
We can also copy files saved on the router by initiating scp from another Linux server, e.g.:
scp admin@router_ip:/tmp/data/tcpdump.pcap .
or better
scp -p admin@router_ip:/tmp/data/tcpdump.pcap .
which will keep the original creation time of the files. This is very useful when we need to analyze router logs using other tools than those available in SFOS, or simply to archive them cyclically.
Tools like MobaXterm have a browser-based download tool integrated.
pscp (PuTTY SCP) would also work: CMD -> pscp.exe -scp admin@IP:/tmp/File.pcap ./