[Expert@C3600:0]# fw monitor -e "(src=110.33.133.135 , dst=110.145.148.166), accept;"
PPAK 0: Get before set operation succeeded of fwmonitor_kiss_enable
PPAK 0: Get before set operation succeeded of simple_debug_filter_off
PPAK 0: Get before set operation succeeded of kiss_debug_force_kdprintf_enable
PPAK 0: Get before set operation succeeded of fwmonitorfreebufs
************************************************************** NOTE **************************************************************
*** Using "-e" filter will not monitor accelerated traffic. To monitor and filter accelerated traffic please use the "-F" filter ***
************************************************************************************************************************************
FW monitor will record only ip & transport layers in a packet
For capturing the whole packet please do -w
PPAK 0: Get before set operation succeeded of fwmonitor_ppak_all_position
monitor: getting filter (from command line)
monitor: compiling
monitorfilter:
Compiled OK.
monitor: loading
monitor: monitoring (control-C to stop)
PPAK 0: Get before set operation succeeded of fwmonitormaxpacket
PPAK 0: Get before set operation succeeded of fwmonitormask
PPAK 0: Get before set operation succeeded of fwmonitorallocbufs
PPAK 0: Get before set operation succeeded of printuuid
[vs_0][fw_2] eth4:i[44]: 110.33.133.135 -> 110.145.148.166 (TCP) len=52 id=11807
TCP: 41128 -> 8080 .S.... seq=df4d1fb4 ack=00000000
[vs_0][fw_0] eth4:i[44]: 110.33.133.135 -> 110.145.148.166 (TCP) len=52 id=11808
TCP: 41129 -> 8080 .S.... seq=18639712 ack=00000000
[vs_0][fw_2] eth4:i[44]: 110.33.133.135 -> 110.145.148.166 (TCP) len=52 id=11809
TCP: 10832 -> 8080 .S.... seq=259cc0d7 ack=00000000
[vs_0][fw_2] eth4:i[44]: 110.33.133.135 -> 110.145.148.166 (TCP) len=52 id=11810
TCP: 41128 -> 8080 .S.... seq=df4d1fb4 ack=00000000
[vs_0][fw_0] eth4:i[44]: 110.33.133.135 -> 110.145.148.166 (TCP) len=52 id=11811
TCP: 41129 -> 8080 .S.... seq=18639712 ack=00000000
[vs_0][fw_0] eth4:i[44]: 110.33.133.135 -> 110.145.148.166 (TCP) len=52 id=11812
TCP: 10832 -> 8080 .S.... seq=259cc0d7 ack=00000000
[vs_0][fw_0] eth4:i[44]: 110.33.133.135 -> 110.145.148.166 (TCP) len=52 id=11814
TCP: 41128 -> 8080 .S.... seq=df4d1fb4 ack=00000000
[vs_0][fw_1] eth4:i[44]: 110.33.133.135 -> 110.145.148.166 (TCP) len=52 id=11813
TCP: 41129 -> 8080 .S.... seq=18639712 ack=00000000
[vs_0][fw_1] eth4:i[44]: 110.33.133.135 -> 110.145.148.166 (TCP) len=52 id=11815
TCP: 10832 -> 8080 .S.... seq=259cc0d7 ack=00000000
[vs_0][fw_2] eth4:i[44]: 110.33.133.135 -> 110.145.148.166 (TCP) len=52 id=11817
TCP: 41128 -> 8080 .S.... seq=df4d1fb4 ack=00000000
[vs_0][fw_0] eth4:i[44]: 110.33.133.135 -> 110.145.148.166 (TCP) len=52 id=11816
TCP: 41129 -> 8080 .S.... seq=18639712 ack=00000000
[vs_0][fw_2] eth4:i[44]: 110.33.133.135 -> 110.145.148.166 (TCP) len=52 id=11818
TCP: 10832 -> 8080 .S.... seq=259cc0d7 ack=00000000
[vs_0][fw_0] eth4:i[44]: 110.33.133.135 -> 110.145.148.166 (TCP) len=52 id=11819
TCP: 41128 -> 8080 .S.... seq=df4d1fb4 ack=00000000
[vs_0][fw_1] eth4:i[44]: 110.33.133.135 -> 110.145.148.166 (TCP) len=52 id=11820
TCP: 41129 -> 8080 .S.... seq=18639712 ack=00000000
[vs_0][fw_0] eth4:i[44]: 110.33.133.135 -> 110.145.148.166 (TCP) len=52 id=11821
TCP: 10832 -> 8080 .S.... seq=259cc0d7 ack=00000000
[vs_0][fw_0] eth4:i[44]: 110.33.133.135 -> 110.145.148.166 (TCP) len=52 id=11822
TCP: 41154 -> 8080 .S.... seq=ee062b29 ack=00000000
[vs_0][fw_0] eth4:i[44]: 110.33.133.135 -> 110.145.148.166 (TCP) len=52 id=11823
TCP: 53818 -> 8080 .S.... seq=dfc8c0f4 ack=00000000
[vs_0][fw_1] eth4:i[44]: 110.33.133.135 -> 110.145.148.166 (TCP) len=52 id=11824
TCP: 41154 -> 8080 .S.... seq=ee062b29 ack=00000000
[vs_0][fw_1] eth4:i[44]: 110.33.133.135 -> 110.145.148.166 (TCP) len=52 id=11825
TCP: 53818 -> 8080 .S.... seq=dfc8c0f4 ack=00000000
[vs_0][fw_0] eth4:i[44]: 110.33.133.135 -> 110.145.148.166 (TCP) len=52 id=11826
TCP: 41154 -> 8080 .S.... seq=ee062b29 ack=00000000
[vs_0][fw_2] eth4:i[44]: 110.33.133.135 -> 110.145.148.166 (TCP) len=52 id=11827
TCP: 53818 -> 8080 .S.... seq=dfc8c0f4 ack=00000000
[vs_0][fw_2] eth4:i[44]: 110.33.133.135 -> 110.145.148.166 (TCP) len=52 id=11828
TCP: 41154 -> 8080 .S.... seq=ee062b29 ack=00000000
[vs_0][fw_1] eth4:i[44]: 110.33.133.135 -> 110.145.148.166 (TCP) len=52 id=11829
TCP: 53818 -> 8080 .S.... seq=dfc8c0f4 ack=00000000
^C
monitor: caught sig 2
monitor: unloading
PPAK 0: Get before set operation succeeded of fwmonitor_kiss_enable
PPAK 0: Get before set operation succeeded of simple_debug_filter_off
PPAK 0: Get before set operation succeeded of kiss_debug_force_kdprintf_enable
PPAK 0: Get before set operation succeeded of fwmonitorfreebufs
[Expert@C3600:0]# fw ctl zdebug drop | grep 110.33.133.135
@;1572347919;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 110.33.133.135:41154 -> 110.145.148.166:8080 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "Network" rule 31;
@;1572347969;[cpu_2];[fw4_1];fw_log_drop_ex: Packet proto=6 110.33.133.135:53818 -> 110.145.148.166:8080 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "Network" rule 31;
^C