Hey  PhoneBoy,

thanks for your help! Unfortunately, this didn't show different results.

I have used the equivalent syntax on R80.40 as I did on R80.10 and still didn't capture the HTTP messages. I also disabled SecureXL beforehand on R80.40.

When using the -e Flag on R80.40 it actually says in the output: 

*** Using "-e" filter will not monitor accelerated traffic. To monitor and filter accelerated traffic please use the "-F" filter ***

I was able to start the capture but again only saw 3-Way HS & PSH,ACKs on R80.40 while on R80.10 I was able to capture the http packets.

I also read the SK, thanks for sharing it. What I gathered from it, is, that since R80.40, Accelerated Traffic will be captured by default and the "-F" flag can be used for that.

• In R80.40, Default behavior will be to monitor all traffic.
• Since R80.20 Jumbo take 73, using the "-e" flag will not filter accelerated traffic (all accelerated traffic will be monitored). To Filter accelerated traffic use the "-F" flag (exists from Jumbo take 73)
• Since R80.20 Jumbo take 117, using the "-e" flag will filter out all accelerated traffic. To filter and monitor Accelerated traffic use "-F" (exists from Jumbo take 73)

From the R80.40 Admin Guide: 
"-F" - Specifies the capture filter (for both accelerated and non-accelerated traffic)

The more I read about it, the more I am convinced that it is not working as intended or I am doing some major mistakes..

Summary of capture Filters I have used so far on R80.40:

• fw monitor
  • -F "172.16.10.150,0,192.168.1.100,80" -F "192.168.1.100,80,67.83.0.1,0"
  • -F "0,0,0,0,0" <- Capture everything
  • -F "172.16.10.150,0,192.168.1.100,0" -F "192.168.1.100,0,67.83.0.1,0" <- Capture all traffic between 2 hosts
  • -e "accept (src=172.16.10.150 and dst=192.168.1.100) or (src=192.168.1.100 and dst=67.83.0.1) or (src=67.83.0.1 and dst=192.168.1.100);"
  • -e "accept;" <- Capture everything

I really like the idea of capturing accelerated traffic without the need to disable SecureXL on the whole system. I will test this with other protocols aswell and report back my findings 🙂

I suspect even after disabling SecureXL, traffic is being accelerated: sk162492. In essense, you cannot disable SXL in R8020 and above completely. 

What to do to make sure no accelerated traffic is passing?

• Disable acceleration on both cluster members
• Fail over
• Run traces on the new active member

Good Morning Val!

Sorry, I might not have expressed my issue correctly. It's not that accelerated traffic isn't passing, it works fine. The issue is, that I am not able to capture it (No HTTP/Get & OK packets) with the -F filter. So I just tested it with the -e Flag as PhoneBoy suggested.

I will do a Fail over later and report back!

You can replace -e "accept (src=172.16.10.150 and dst=192.168.1.100) or (src=192.168.1.100 and dst=67.83.0.1) (src=67.83.0.1 and dst=192.168.1.100);" with this:

-e "accept (host(192.168.1.100) AND host(172.16.10.150)) OR (host(192.168.1.100) AND host(67.83.0.1))

Hey Maarten,

thanks for that. Great way to simplify it and much easier to read! Thanks alot 🙂

You can replace -e "accept (host(192.168.1.100) AND host(172.16.10.150)) OR (host(192.168.1.100) AND host(67.83.0.1));" with this:

-e "accept host(192.168.1.100) and (host(172.16.10.150) or host(67.83.0.1));"

I found the issue...😅

I had to use the "-w" flag aswell in order to capture the GET & OK packets. I tried it with ftp aswell and when not using the "-w" flag, these packets are not captured. Weird hmmm..

so syntax would be: fw monitor -w -F etc.

But at least it works now 🙂 

Thanks for your help!