For error analysis it is often necessary to record data traffic on an interface. On a LANCOM R&S®Unified Firewall this can be done on the CLI via the command tcpdump.

This article describes how a trace can be recorded on a Unified Firewall via tcpdump and exported as a Wireshark trace file.



1) Creating the tcpdump on the Unified Firewall:

1.1) Connect to the Unified Firewall with an SSH client and login with the user gpadmin.

1.2) Enter the command sudo -i to gain root permissions and acknowledge the password prompt by entering the password for the user gpadmin.  

1.3) Enter the command tcpdump in the following syntax:

tcpdump -nvli <interface> -w <save path of the Wireshark file on the Unified Firewall>

For the interface eth2 the command is as follows:

tcpdump -nvli eth2 -w /tmp/trace.pcap

The tcpdump can be terminated with the key combination <STRG> + <C>.

The parameter -w ensures that the tcpdump is saved as a file.

The Wireshark trace can be filtered via the parameters host <IP address> and port <port number> to a specific IP address or a specific port. These parameters can also be combined with an and (host <IP address> and port <port number>).

2) Transfering the Wireshark file:

To analyze the Wireshark trace it must first be downloaded from the Unified Firewall to a PC. This can be done via SCP.

2.1) Open the Windows command line and navigate to the folder where the Wireshark file is to be saved.

2.2) Enter the command for the file transfer in the following syntax and acknowledge the password prompt by entering the password for the user gpadmin:

scp gpadmin@<IP address of the Unified Firewall>:<File path of the Wireshark file on the Unified Firewall> <New file name>

In this example the command is as follows:

scp gpadmin@ trace.pcap

If you haven't already established an SCP connection, the ECDSA Key has to be added to the list of known members (known hosts). To do this acknowledge the prompt Are you sure you want to continue connecting? by typing yes.