Solved: fw monitor in R80.20 VSX giving the output "Segmen...

Ravindra_Katrag · ‎2019-10-30

Hi

I have recently upgraded my R77.30 VSX gateways to R80.20

Now I am trying to do a Packet Capture on a Certain VS (VSID 4) in the VSX and I am using the Command fw monitor -v 4 -m iO -e "accept host(192.168.1.1);"

When I am using the above command I am getting the error Segmentation fault (core dumped). when I remove the "-v" argument and try the fw monitor in any other way it's doing a complete capture for all the traffic going.

I am running R80.20 in a 15400 VSX with HFA 103.

Any help to fix this is much appreciated.

Thanks

--Ravi

Timothy_Hall · ‎2019-10-30

From sk30583:

Note: From version R80.20 Jumbo Jotfix Accumulator take_73, the "-e" flag is not supported for Accelerated traffic.

I noticed this today running a R80.20 CCVS/VSX class, if the traffic is accelerated the -e filter is ignored and you simply see everything. This is fixed in R80.20 Ongoing Take 117:

PRJ-5507, PMTR-41300 Security Gateway In some scenarios, when running "fw monitor" with "-e" flag, SecureXL traffic is not filtered, and all traffic is displayed.

In the meantime you need to use the new simple filter via -F which works correctly:

fw monitor -F "x.x.x.x,0,y.y.y.y,0,0"

This will filter connection "x.x.x.x:<Any> --> y.y.y.y:<Any>, <protocol: Any>"
Source ip: x.x.x.x, source port: any, destination ip: y.y.y.y, destination port: any, protocol: any

You can also use "*" as a wildcard like this:

fw monitor -F "192.168.1.*,0,10.1.1.*,0,0"

As far as fw monitor dumping core when trying to use the -v VSID flag we noticed that too in R80.20 with Jumbo HFA 103 applied. Definitely a bug...

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

View solution in original post

Timothy_Hall · ‎2019-10-30