fw monitor in R80.20 VSX giving the output "Segmentation fault (core dumped)"


Hi

 

I have recently upgraded my R77.30 VSX gateways to R80.20.

Now I am trying to do a packet capture on a certain VS (VSID 4) in the VSX, and I am using the command fw monitor -v 4 -m iO -e "accept host(192.168.1.1);"

When I am using the above command I am getting the error "Segmentation fault (core dumped)". When I remove the "-v" argument and try fw monitor in any other way, it's doing a complete capture for all the traffic going.

 

I am running R80.20 in a 15400 VSX with HFA 103. 

Any help to fix this is much appreciated.

 

Thanks

--Ravi

Accepted Solutions

From sk30583:

Note: From version R80.20 Jumbo Hotfix Accumulator take_73, the "-e" flag is not supported for Accelerated traffic.

I noticed this today running a R80.20 CCVS/VSX class: if the traffic is accelerated, the -e filter is ignored and you simply see everything. This is fixed in R80.20 Ongoing Take 117:

PRJ-5507, PMTR-41300 Security Gateway In some scenarios, when running "fw monitor" with "-e" flag, SecureXL traffic is not filtered, and all traffic is displayed.

In the meantime you need to use the new simple filter via -F which works correctly:

fw monitor -F "x.x.x.x,0,y.y.y.y,0,0"

This will filter connection "x.x.x.x:<Any> --> y.y.y.y:<Any>, <protocol: Any>"
Source ip: x.x.x.x, source port: any, destination ip: y.y.y.y, destination port: any, protocol: any

 

You can also use "*" as a wildcard like this:

fw monitor -F "192.168.1.*,0,10.1.1.*,0,0"

As far as fw monitor dumping core when trying to use the -v VSID flag, we noticed that too in R80.20 with Jumbo HFA 103 applied. Definitely a bug...

 

R80.40 addendum for book "Max Power 2020" now available
for free download at http://www.maxpowerfirewalls.com
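
An added example, not part of the reply above and not Check Point's own tooling: a small shell helper that validates the five -F fields the answer describes (source IP, source port, destination IP, destination port, protocol, with 0 as "any" and "*" as a wildcard octet) before the tuple is pasted into fw monitor. The function names are hypothetical, and the reversed tuple assumes, from the "-->" in the answer's description, that one tuple matches one direction only.

```shell
#!/bin/sh
# Added example: build and validate the 5-field tuple passed to "fw monitor -F"
#   src_ip,src_port,dst_ip,dst_port,protocol   (0 = any; "*" = wildcard octet)
# Function names are hypothetical. Nothing here runs fw monitor.

# in_range VALUE MAX: true if VALUE is a decimal integer between 0 and MAX
in_range() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -le "$2" ]
}

# valid_ip ADDR: true if ADDR is four dot-separated octets, each 0-255 or "*"
valid_ip() {
    local rest octet count=0
    case $1 in ''|*.|.*|*..*) return 1 ;; esac
    rest="$1."
    while [ -n "$rest" ]; do
        octet=${rest%%.*}; rest=${rest#*.}; count=$((count + 1))
        [ "$octet" = "*" ] || in_range "$octet" 255 || return 1
    done
    [ "$count" -eq 4 ]
}

# build_filter SRC SPORT DST DPORT PROTO: print the tuple, or fail with a reason
build_filter() {
    [ $# -eq 5 ] || { echo "expected 5 fields, got $#" >&2; return 1; }
    valid_ip "$1" || { echo "bad source IP: $1" >&2; return 1; }
    valid_ip "$3" || { echo "bad destination IP: $3" >&2; return 1; }
    in_range "$2" 65535 || { echo "bad source port: $2" >&2; return 1; }
    in_range "$4" 65535 || { echo "bad destination port: $4" >&2; return 1; }
    in_range "$5" 255 || { echo "bad protocol number: $5" >&2; return 1; }
    printf '%s,%s,%s,%s,%s\n' "$1" "$2" "$3" "$4" "$5"
}

# reverse_filter: same arguments, tuple for the reply direction (src/dst swapped)
reverse_filter() { build_filter "$3" "$4" "$1" "$2" "$5"; }

# Constructed sample: the wildcard filter from the answer, narrowed to TCP/443
fwd=$(build_filter '192.168.1.*' 0 '10.1.1.*' 443 6) &&
rev=$(reverse_filter '192.168.1.*' 0 '10.1.1.*' 443 6) &&
printf 'fw monitor -F "%s"\n# reply direction tuple: %s\n' "$fwd" "$rev"
```
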

2 Replies

Thank you, this new command with the argument "-F" worked.

But is there a way to do a packet capture on a specific VS in VSX?
