Summary
TCPdump is a very useful tool for troubleshooting. It can be used to see the inbound and outbound traffic for a specific port, IP address or interface.
Problem
TCPdump can be used to identify whether traffic is entering and leaving the Smoothwall on the correct interfaces.
Solution
Connecting to the command line
To use TCPdump, you need to connect to the command line using an SSH client, such as PuTTY. In PuTTY, connect to the Smoothwall’s IP address on port 222.
Using TCPdump
The first information needed is the name of the interface that you want to do a TCPdump on. To do this, run the following command:
ip address show
This will list a number of interfaces and the IP addresses assigned to them. Most of the time, it will be the ‘ethX’ interfaces that are of interest.
You can run a generic TCPdump to see whether there is traffic from a certain IP address on an interface. This is useful for checking that routing is working. The ‘-nqi’ options stop DNS resolution (-n), enable ‘quiet mode’ for less protocol information (-q), and select an interface (-i). An example of the command:
tcpdump -nqi ethX host *IP address*
eg: tcpdump -nqi ethB host 172.16.0.100
This command will show you all traffic on ethB where the traffic is coming from or going to 172.16.0.100. However, in most cases this will display a large amount of traffic, so you can narrow it down to a port by running the following command:
tcpdump -nqi ethX host *IP address* and port *port number*
eg: tcpdump -nqi ethB host 172.16.0.100 and port 3389
This command will only show you traffic where the incoming or outgoing port was 3389.
You can have multiple TCPdumps running at the same time, by having multiple connections to the Smoothwall. This is useful if you are trying to track a packet through a multi-interface solution.
Saving a packet capture
Packet captures can be saved so that they can be shared, or viewed at a later date.
The command is similar to the previous ones, but there are some changes:
‘-nqi’ is changed to ‘-i’, as the capture is recorded in its raw (non human-readable) form rather than printed to the screen.
‘-s 0’ is added to the end of the command so that the whole packet is captured and recorded; otherwise the default is to truncate at 68 bytes.
‘-w /root/packetcapture.pcap’ is added so that the capture is saved to a file. The folder path can be changed as required, but the example command will work as it is.
The command would look like this:
tcpdump -i ethX host *IP address* and port *port number* -s 0 -w /root/packetcapture.pcap
eg: tcpdump -i ethB host 172.16.0.100 and port 3389 -s 0 -w /root/packetcapture.pcap
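Added here as an example, not part of the Smoothwall article: a POSIX sh script that builds the article's live-view and save-to-file commands from validated interface, host, port and path values, so that a mistyped or untrusted value cannot turn into an unintended filter expression or shell argument. The function names are this example's own; the tcpdump flags are the article's.

```shell
#!/bin/sh
# Added example (not from the Smoothwall article): validate each parameter
# before it is placed in a tcpdump command line. Function names are assumed.

# Interface names on the Smoothwall look like eth0 or ethB.
valid_iface() {
    case "$1" in
        eth[0-9A-Za-z]|eth[0-9A-Za-z][0-9A-Za-z]) return 0 ;;
        *) return 1 ;;
    esac
}

# Dotted-quad IPv4 address: four digit-only octets, each 0-255.
valid_ipv4() {
    case "$1" in .*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Port number in 1-65535, digits only.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Output path: absolute, with no whitespace or shell metacharacters.
valid_path() {
    case "$1" in /*) ;; *) return 1 ;; esac
    case "$1" in *[!A-Za-z0-9_./-]*) return 1 ;; esac
    return 0
}

# Live-view command from the article: -n no DNS, -q quiet, -i interface.
capture_cmd() {
    valid_iface "$1" && valid_ipv4 "$2" && valid_port "$3" || return 1
    printf 'tcpdump -nqi %s host %s and port %s\n' "$1" "$2" "$3"
}

# Save-to-file command: -s 0 (whole packets) and -w (write pcap) are given
# before the filter expression; tcpdump accepts this as it does the article's order.
save_cmd() {
    valid_iface "$1" && valid_ipv4 "$2" && valid_port "$3" && valid_path "$4" || return 1
    printf 'tcpdump -i %s -s 0 -w %s host %s and port %s\n' "$1" "$4" "$2" "$3"
}
```

Run the printed command with `eval "$(save_cmd ethB 172.16.0.100 3389 /root/packetcapture.pcap)"` on the Smoothwall itself; a rejected parameter makes the function return 1 and print nothing.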
Retrieving the file from Smoothwall
The easiest way to retrieve a file is to upload it to transfer.sh from the command line using curl, and then download it from there on whatever device you want to view it on.
The command for this would look like this:
curl --upload-file ./packetcapture.pcap https://transfer.sh/packetcapture.pcap
Once the upload is finished, a link will be generated, where you will be able to access the file. For example:
https://transfer.sh/fDek5/packetcapture.pcap
This article only covers a small portion of what TCPdump can be used for, and there are plenty more options and attributes. For more information, search for ‘tcpdump man page’ on the internet.