Sophos UTM v9 comes with the tcpdump utility, which lets you run packet captures from the shell. This is great and all, but in order to look at those pcaps with Wireshark, you need to pipe to a file, copy the file, then run Wireshark against it. Annoying. All of it.
What if we could remotely capture packets over an SSH tunnel? YES… it turns out to be a bit tricky if you're on Windows, and so is the authentication piece: getting root access without having to log in as loginuser first. How? Keep reading…
First, the necessary ingredients:
- Sophos UTM
- Wireshark (or your favorite pcap application)
- Putty suite (specifically Plink and PuttyGen)
![Utm Utm](/uploads/1/1/9/8/119877091/854492793.jpg)
To start, we need to enable Shell Access on the UTM with public key authentication, and allow root login, but only with an SSH key.
We'll use PuttyGen to generate the key pair for root authentication. Open it, click Generate, then copy the public key into the Authorized Keys for root in the UTM, then apply and save. Also use Save private key to store the private key somewhere you'll remember. We'll need it for Plink.
There’s our new key…
Then run the actual magic using Plink. Take the following command as an example:
```
plink -ssh [email protected] -i C:\ssh-priv.ppk "tcpdump -s 0 -U -n -w - not port 22 and not host 192.168.0.1" | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -
```
Replace the SSH connection string with your actual firewall FQDN, the ssh-priv.ppk filename with the location of the private key you saved from PuttyGen, and the 192.168.0.1 in `not host 192.168.0.1` with the IP address of the firewall interface you're reaching it on.
![Sophos Utm Tcpdump Sophos Utm Tcpdump](/uploads/1/1/9/8/119877091/287815232.jpg)
Wireshark will open and start showing packets. You can smile and jump now.
You can modify the tcpdump parameters to better match what you want to capture, for example using `-i eth1` to capture on a specific interface, or a filter expression to select specific traffic. Once you're done, just close Wireshark and CTRL+C the command.
Note, if you’re doing this capture remotely over WAN or Internet, it will tunnel ALL packets over SSH, so it will take up a lot of bandwidth…
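An added example, not part of the original post: a Python launcher for the same Plink-to-Wireshark pipeline. It excludes only the capture's own SSH flow, rather than all port 22 traffic and all traffic to the firewall address, and shell-quotes the filter before it reaches the root shell on the UTM. The hostname, client IP and interface are placeholder assumptions. Plink's `-batch` flag makes the connection fail instead of prompting if the firewall's host key is not already cached.

```python
import ipaddress
import shlex
import subprocess

WIRESHARK = r"C:\Program Files\Wireshark\Wireshark.exe"  # path used in the post


def self_exclusion_filter(client_ip, firewall_ip, ssh_port=22, extra=None):
    """BPF that hides only this capture's own SSH flow, nothing else."""
    client = ipaddress.ip_address(client_ip)   # ValueError on anything not an IP
    firewall = ipaddress.ip_address(firewall_ip)
    if not 0 < int(ssh_port) < 65536:
        raise ValueError("ssh_port out of range")
    expr = f"not (host {client} and host {firewall} and tcp port {int(ssh_port)})"
    return f"{expr} and ({extra})" if extra else expr


def remote_tcpdump(bpf, interface=None):
    """Command line for the UTM's root shell; every argument is quoted."""
    args = ["tcpdump", "-s", "0", "-U", "-n"]
    if interface:
        args += ["-i", interface]
    args += ["-w", "-", bpf]
    return " ".join(shlex.quote(a) for a in args)


def start_capture(target, keyfile, remote_cmd):
    """Run plink and feed its stdout to Wireshark as raw bytes."""
    plink = subprocess.Popen(
        ["plink", "-ssh", "-batch", "-i", keyfile, target, remote_cmd],
        stdout=subprocess.PIPE)
    wireshark = subprocess.Popen([WIRESHARK, "-k", "-i", "-"], stdin=plink.stdout)
    plink.stdout.close()  # Wireshark now holds the only read end of the pipe
    return plink, wireshark


if __name__ == "__main__":
    # Placeholder values (assumptions): substitute your own.
    bpf = self_exclusion_filter("10.0.0.5", "192.168.0.1")
    plink, wireshark = start_capture("root@utm.example.com", r"C:\ssh-priv.ppk",
                                     remote_tcpdump(bpf, interface="eth1"))
    wireshark.wait()    # returns when the Wireshark window is closed
    plink.terminate()   # then end the SSH session
```

`client_ip` must be the address the firewall sees for your workstation, which is the NAT address if you connect over WAN.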
Have fun!!!