https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-Tcpdump-Problem/m-p/189784#M34970 <P>Hi mates,</P><P>&nbsp;</P><P>When we run tcpdump / cppcap on VSX gateway, we are able to see only ARP request and reply packets. Normally thorugh vsx the whole traffic is going through. in this case when we specify the interface on tcpdump syntax, still we see only arp packets. Anyone has idea?</P> Thu, 17 Aug 2023 15:01:30 GMT starmen2000 2023-08-17T15:01:30Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-Tcpdump-Problem/m-p/189784#M34970 <P>Hi mates,</P><P>&nbsp;</P><P>When we run tcpdump / cppcap on VSX gateway, we are able to see only ARP request and reply packets. Normally thorugh vsx the whole traffic is going through. in this case when we specify the interface on tcpdump syntax, still we see only arp packets. Anyone has idea?</P> Thu, 17 Aug 2023 15:01:30 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-Tcpdump-Problem/m-p/189784#M34970 starmen2000 2023-08-17T15:01:30Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-Tcpdump-Problem/m-p/189785#M34971 <P>What version/JHF?<BR />What precise syntax are you using?<BR />Can you see the traffic with fw monitor or through other means?</P> Thu, 17 Aug 2023 15:10:28 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-Tcpdump-Problem/m-p/189785#M34971 PhoneBoy 2023-08-17T15:10:28Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-Tcpdump-Problem/m-p/189786#M34972 <P>R81 / Take 68<BR /><BR />tcpdump -nni any&nbsp;</P><P><SPAN>tcpdump -nni bond2.776 and host x.y.z.t</SPAN></P><P>&nbsp;</P><P><SPAN>With fw monitor I can not see the traffic if I specify destination IP</SPAN></P> Thu, 17 Aug 2023 15:14:01 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-Tcpdump-Problem/m-p/189786#M34972 starmen2000 2023-08-17T15:14:01Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-Tcpdump-Problem/m-p/189799#M34977 <P>This is a quote from my <A href="http://www.maxpowerfirewalls.com/max-capture-course.html" target="_blank" rel="noopener">Max Capture: Know Your Packets</A> self-guided video series:</P> <P>If trying to capture traffic on a Wrp interface in a VSX environment, or on vSEC for NSX-V, <STRONG>fw monitor</STRONG> must be used to<BR />ensure a complete capture. See s<A href="https://support.checkpoint.com/results/sk/sk167462" target="_blank" rel="noopener">k167462: Tcpdump / CPpcap do not show incoming packets on Virtual Switch's Wrp</A><BR /><A href="https://support.checkpoint.com/results/sk/sk167462" target="_blank" rel="noopener">interface</A> and <A href="https://support.checkpoint.com/results/sk/sk116796" target="_blank" rel="noopener">sk116796: ' tcpdump ' utility does not capture the specified traffic on vSEC for NSX / vSEC Virtual Edition</A><BR /><A href="https://support.checkpoint.com/results/sk/sk116796" target="_blank" rel="noopener">Hypervisor Mode</A>.</P> Thu, 17 Aug 2023 16:53:10 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-Tcpdump-Problem/m-p/189799#M34977 Timothy_Hall 2023-08-17T16:53:10Z