
Tcpdump capture redirected to a file doesn't work

Hi to all,

First, I don't know where I should post this... If the administrator wants to move this post, feel free to move it.

I need to do a packet capture with tcpdump and analyze it with Wireshark. When I try to run this command in the Advanced Shell:

tcpdump -w /tmp/data/tcpdump.pcap -ni ipsec0 host X.X.X.X

the console returns "Operation not allowed"...

Anybody know why???

I have read some posts and KBs in the community and the console always returns the same... The appliance is an XG210 with SFOS 16.5.MR1.

Thanks to all in advance

Regards,

David



  • Hi,

    If you are still stuck on this, I have found that tcpdump (+dependencies) from a reasonably recent Debian install will work. Also probably from other distros, Debian was just what I had on hand. I run it in a chroot in /tmp as you can't easily (and shouldn't!) copy the deps into the local system.

    My chroot looks like this:

    .
    ./etc
    ./etc/localtime (copy from /etc - not sure if this is required)
    ./lib64
    ./lib64/ld-linux-x86-64.so.2 (copy from /lib64)
    ./lib
    ./lib/libdl.so.2 (copy from Debian)
    ./lib/libpcap.so.0.8 (copy from Debian)
    ./lib/libcrypto.so.1.0.0 (copy from Debian)
    ./lib/libc.so.6 (copy from /lib)
    ./bin/tcpdump (copy from Debian)

    Do ldd `which tcpdump` under Debian to find the source path of the deps. I just dropped them in /lib, mostly. They can probably all go there - that /lib64 is from an earlier attempt.

    Then do "chroot <chroot directory> /bin/tcpdump <params>" to run it.

    This can probably be improved upon. Some of the deps might not be required, or might be able to be copied from the local system rather than from Debian.

    I used scp to copy the files in from Debian, but found that scp on XG (16.05.4, probably other versions) is broken - it tries to look in /usr/local/bin for ssh for some reason. You need to run it like this to make it work:

    scp -S /usr/bin/ssh <normal params>

    The Debian version of tcpdump can't tell you what interface a packet came in on, so I guess that's a mod that Sophos made to it (and probably why -w doesn't work - something about the extra metadata), so you will lose that by doing the above. In my case I needed 24 hours of packets so this was the only way I could get it.

    Hope that helps someone.

    James
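Scripting the chroot build James describes above, as an added example that is not part of the thread: it reads the dependency list from `ldd` on the Debian side and copies each library to the same path under the chroot root, so the loader finds everything where it expects. Directory names, the `LDD` override and the example hostnames are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): build the minimal tcpdump chroot that
# James describes by reading the dependency list from `ldd` instead of copying
# files by hand. Run it on the Debian box, then copy the resulting directory
# to the appliance. Directory names below are assumptions.

# Turn `ldd` output into one absolute library path per line.
# Handles "libpcap.so.0.8 => /usr/lib/.../libpcap.so.0.8 (0x...)" and the bare
# interpreter line "/lib64/ld-linux-x86-64.so.2 (0x...)"; skips linux-vdso and
# "not found" entries, which have no file to copy.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//               { print $1 }'
}

# build_chroot ROOT BINARY: copy BINARY to ROOT/bin and each dependency to the
# same path under ROOT, so the interpreter path baked into the binary
# (/lib64/ld-linux-x86-64.so.2) and the default library search dirs resolve
# unchanged inside the chroot. LDD can be overridden (the test does this) to
# feed constructed ldd output.
build_chroot() {
    root=$1
    bin=$2
    mkdir -p "$root/bin" "$root/etc"
    cp "$bin" "$root/bin/"
    # Timezone data for tcpdump's timestamps; harmless if absent.
    [ -f /etc/localtime ] && cp /etc/localtime "$root/etc/"
    "${LDD:-ldd}" "$bin" | ldd_paths | while read -r lib; do
        mkdir -p "$root$(dirname "$lib")"
        cp "$lib" "$root$lib"
    done
}

# Example session on the Debian box (assumed paths):
#   build_chroot /tmp/tcpdump-root "$(command -v tcpdump)"
#   scp -r /tmp/tcpdump-root admin@firewall:/tmp/
# Then on the appliance, in the Advanced Shell:
#   chroot /tmp/tcpdump-root /bin/tcpdump -ni ipsec0 -w /tmp/data/tcpdump.pcap host X.X.X.X
```

Check the copied tree with `chroot /tmp/tcpdump-root /bin/tcpdump --version` before starting a long capture; a missing library shows up there rather than 24 hours later.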

  • After a quick discussion with Sophos support, they gave me the following hint on how it works even on XG Firewall:

    # tcpdump -i Port4 -n host 8.8.8.8 -X -w /tmp/log.pcap -b

    The -b at the end is important and seems to be a Sophos-proprietary parameter. In the man page, -b means "Print the AS number in BGP packets in ASDOT notation rather than ASPLAIN notation", which definitely has nothing to do with our -b in Sophos's world...

  • Looks like this does not work in SFOS 17.0.6 MR-6:

    tcpdump -i Port4 -n host 8.8.8.8 -X -w /tmp/log.pcap -b
    Error Unknown Parameter 'Port4'

    Is there a way to capture and export/retrieve the file in 17?

    Thanks

    Tim

  • Hi,

    You first need to check your interface naming convention:

    ifconfig

    Maybe your Port is called PortA or Port4 or PortA4?

    (we are talking about the Advanced Shell - 5 - 3, not console!)

    So you use:

    tcpdump -ni Port4 host 8.8.8.8 -b -s0 -w /tmp/log/pcap

    After you have done your work, you can copy your files via SCP:

    https://community.sophos.com/kb/en-us/127647

    Cheers

  • You need to do this in the advanced shell (Option 5, Option 3 from the login menu).

    The "Device Console" shell includes some sort of cut down tcpdump.

    James

  • I'm so glad I found this today. Two things have been driving me nuts: trying to create a .pcap file and getting it over to my workstation.

    You can get this working in the "Device Console", not sure why you'd want to use the Device Console as it is limited.

    You just need to preface the first parameter with '

    console> tcpdump '-v -w /tmp/data/console.pcap -b

  • Hi SOPHOS!!!!

    ARE YOU SLEEPING!!!!!!!!!!!

    add this to regular documentation, please!!!!

  • Hi Jiri,

    The discussed steps are already documented in the following KB article, https://community.sophos.com/kb/en-us/127647

    If you have additional information to add, please send it to me via DM. Alongside, you can also provide us with KBA suggestions by going to the following link: https://community.sophos.com/products/community-chat/f/knowledge-base-article-suggestions

    Thanks,
