I use Packet Capture in Sophos Firewall WebAdmin every week. It is the quickest way to see what the firewall actually sees. This guide shows how I capture traffic on the appliance, download a PCAP and analyse it in Wireshark for network troubleshooting and security monitoring. I keep examples concrete so you can copy the filters and checks straight away.
Start in WebAdmin, open Diagnostics, then Packet capture. Pick the interface that sees the traffic, for example WAN for internet-facing issues or LAN for internal flows. Set a capture filter in BPF syntax so the file stays small. Useful filters: host 203.0.113.5 and tcp port 443, src host 192.0.2.50, or net 10.0.0.0/24. Keep the packet limit low for intermittent faults — I use 10000 packets for quick tests. Hit Start, reproduce the problem, then Stop and Download the PCAP. Remember that the capture is taken on the firewall itself, so packets appear exactly as they do on the chosen interface. NAT alters addresses and ports between the LAN and WAN sides, so note which side of the translation you captured on when you analyse the file.
Open the PCAP in Wireshark. Start by applying display filters to narrow the view. Display filters use Wireshark's own syntax and differ from the BPF capture filters set on the firewall. Examples I use constantly: ip.addr == 192.0.2.50, tcp.port == 443, icmp, and tls (ssl in Wireshark releases before 3.0) for encrypted sessions. To find retransmits and basic TCP trouble use tcp.analysis.retransmission or tcp.analysis.fast_retransmission. To spot connection attempts use tcp.flags.syn == 1 && tcp.flags.ack == 0. Right-click a packet and choose Follow → TCP Stream to see the full conversation reconstructed. That instantly shows whether a client gets a reply, gets a RST, or stalls. Use Statistics → Endpoints to list top talkers and Statistics → IO Graphs to visualise spikes. Turn on name resolution if you prefer hostnames, but only for small captures; name resolution can slow analysis on large files.
Use packet flags and timings to diagnose firewall rules or network faults. If a client sends SYNs and never receives a SYN/ACK, the usual suspects are a blocked return path, a NAT mismatch, or the remote server refusing connections. If the firewall rejects the connection rather than silently dropping it, you may see TCP RSTs or ICMP unreachable messages sourced from the firewall’s IP. For example, client 192.0.2.50 sends a SYN to 198.51.100.20 and the capture shows an ICMP port unreachable from 198.51.100.20; that points at the remote host rejecting the port, not a local rule. If instead the capture shows the SYN leaving the firewall but no traffic returning to the firewall’s WAN IP, the return path is broken or being filtered upstream. Capture on both sides when possible to confirm where packets stop. Compare timestamps to calculate round-trip time and spot asymmetric routing.
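To make the SYN triage above repeatable, here is an added example that is not part of the original guide: a dependency-free Python script that reads a classic pcap (not pcapng) like the one WebAdmin downloads and classifies every client SYN as answered by SYN/ACK, RST, ICMP unreachable, or nothing at all. It assumes Ethernet link type and IPv4; the sample capture is constructed inline, and for a real download you would call classify_syns(open('capture.pcap', 'rb').read()).

```python
import struct
from socket import inet_aton
SYN, SYNACK, RST = 0x02, 0x12, 0x04

def frame(src, dst, proto, l4):            # Ethernet + IPv4 around a transport header; checksums left zero
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, inet_aton(src), inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4
def tcp(src, dst, sport, dport, flags):    # minimal 20-byte TCP header; only ports and flags matter here
    return frame(src, dst, 6, struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0))
def build_pcap(frames):                    # classic little-endian pcap, link type 1 (Ethernet), 1 s per frame
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

# Constructed capture (not a real Sophos export): four client SYNs, each answered differently.
SAMPLE = build_pcap([
    tcp("192.0.2.50", "198.51.100.20", 40001, 8080, SYN),   # remote host replies ICMP port unreachable
    frame("198.51.100.20", "192.0.2.50", 1, struct.pack("!BBHI", 3, 3, 0, 0)),
    tcp("192.0.2.50", "203.0.113.5", 40002, 443, SYN),      # normal handshake
    tcp("203.0.113.5", "192.0.2.50", 443, 40002, SYNACK),
    tcp("192.0.2.50", "203.0.113.5", 40003, 22, SYN),       # nothing ever comes back
    tcp("192.0.2.50", "203.0.113.5", 40004, 25, SYN),       # refused with RST/ACK
    tcp("203.0.113.5", "192.0.2.50", 25, 40004, RST | 0x10),
])
def packets(data):                         # yield (proto, src, dst, sport|icmp_type, dport|icmp_code, tcp_flags)
    off = 24                                              # skip the pcap global header
    while off + 16 <= len(data):
        caplen = struct.unpack_from("<I", data, off + 8)[0]
        fr = data[off + 16:off + 16 + caplen]; off += 16 + caplen
        if fr[12:14] != b"\x08\x00": continue             # not IPv4
        ip = fr[14:]; l4 = ip[(ip[0] & 0x0F) * 4:]         # honour the IHL field
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        if ip[9] == 6:
            yield ("tcp", src, dst, *struct.unpack_from("!HH", l4), l4[13])
        elif ip[9] == 1:
            yield ("icmp", src, dst, l4[0], l4[1], 0)

def classify_syns(data):                   # map each client SYN (src, sport, dst, dport) to how it was answered
    result = {}
    for proto, src, dst, a, b, flags in packets(data):
        if proto == "tcp" and (flags & SYNACK) == SYN:
            result[(src, a, dst, b)] = "no-reply"         # pending until something answers it
        elif proto == "tcp" and (flags & SYNACK) == SYNACK:
            result[(dst, b, src, a)] = "synack"
        elif proto == "tcp" and flags & RST:
            result[(dst, b, src, a)] = "rst"
        elif proto == "icmp" and a == 3:                  # destination unreachable; the quoted inner header is
            for key in (k for k in result if k[0] == dst and k[2] == src and result[k] == "no-reply"):
                result[key] = "icmp-unreachable"          # not parsed, so every pending SYN to the sender matches
    return result
```

A flow left at no-reply after the capture ends is the "SYN leaves, nothing returns" case, so check the return path or the upstream filter next.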
HTTPS and other encrypted traffic need special handling. You cannot read TLS payloads from a PCAP without keys. For deep HTTPS inspection you must have the server private key for RSA key exchanges, or collect session keys from a browser using SSLKEYLOGFILE for modern ciphers (ephemeral Diffie-Hellman suites and all of TLS 1.3, where the server private key alone decrypts nothing). Handle those keys with care; PCAPs and keys contain sensitive data. Filter out unrelated traffic before sharing captures. Use colour rules and custom columns (Source, Destination, Protocol, Info, Time delta) to speed up pattern spotting. Save commonly used display filters and a short checklist of flags to inspect: SYN behaviour, retransmits, RSTs, ICMP errors, and payload size.
Small practical rules that save time: start with a tight capture filter, capture on the correct interface, use Follow TCP Stream for the conversation view, check tcp.analysis.* filters, and remember NAT changes. Rotate captures with a packet or time limit to avoid huge files. Treat PCAPs as sensitive evidence when doing security monitoring; redact or store them securely. Do the troubleshooting steps in this order and you will find whether the problem is the client, the firewall rules, NAT, or the remote host.