g_tcpdump will certainly work, but should be used with caution on a busy Maestro security group; use asg perf -vp run from any SGM to see how utilized the security group is. Below is a screenshot from my Gateway Performance Optimization Course showing this great command.
Another alternative if under high load is using the asg search command to identify which specific SGM is handling all the packets of the connection you want to capture, then logging into that SGM and running a local tcpdump from expert mode. For subsequent connections with the same attributes (sIP, dIP, and possibly dPort if L4 is enabled), the same SGM will always handle that same connection unless the number of active SGMs changes or the distribution algorithm is changed. However, if the connection is NATted, you may not always get a complete capture with this latter technique, depending upon how the pre-NAT and post-NAT flows are distributed in the security group.