
R80.40, fw monitor -F not capturing HTTP/Get & OK ?

Hello everyone,

I am currently trying to get a better understanding of how "fw monitor" works and how to use it. For that, I am currently comparing output from R80.10 and R80.40 (take_67) in my Lab.

I am capturing HTTP traffic from Host A to Webserver B. My topology looks like this:

Webserver B ---- FW R80.10  ---- FW R80.40 ---- Host A

Webserver B IP:

Host A: - NAT to R80.40)

I am capturing the traffic from Host A to Webserver B in both directions on both Gateways.

On R80.10 I disabled SecureXL to capture accelerated packets as well, and on R80.40 I am using the -F flag to capture accelerated and non-accelerated traffic.

It works to a certain point, but I am running into an issue which I haven't found a solution for so far.

I can see the 3-way handshake in both captures; on R80.10 I see the HTTP GET & OK, but on R80.40 it is not being captured...

These are the filters I am using:


fwaccel off

fw monitor -e "accept (src= and dst= or (src= and dst=;" -o fwmonR8010AccCap.pcap



fw monitor -F ",0,,80" -F ",80,,0" -o fwmonR8040AccCap.pcap

Can you tell me what I am doing wrong or missing here?
Thank you very much!!


0 Kudos
8 Replies

Pretty sure you use the same syntax that you used in R80.10 on R80.40.
However, will admit the SK isn’t that clear on this.


0 Kudos

Hey  PhoneBoy,

thanks for your help! Unfortunately, this didn't show different results.

I have used the equivalent syntax on R80.40 as I did on R80.10 and still didn't capture the HTTP messages. I also disabled SecureXL beforehand on R80.40.

When using the -e Flag on R80.40 it actually says in the output: 

*** Using "-e" filter will not monitor accelerated traffic. To monitor and filter accelerated traffic please use the "-F" filter ***

I was able to start the capture but again only saw 3-Way HS & PSH,ACKs on R80.40 while on R80.10 I was able to capture the http packets.


I also read the SK, thanks for sharing it. What I gathered from it is that since R80.40, accelerated traffic will be captured by default and the "-F" flag can be used for that.

  • In R80.40, Default behavior will be to monitor all traffic.
  • Since R80.20 Jumbo take 73, using the "-e" flag will not filter accelerated traffic (all accelerated traffic will be monitored). To Filter accelerated traffic use the "-F" flag (exists from Jumbo take 73)
  • Since R80.20 Jumbo take 117, using the "-e" flag will filter out all accelerated traffic. To filter and monitor Accelerated traffic use "-F" (exists from Jumbo take 73)

From the R80.40 Admin Guide: 
"-F" - Specifies the capture filter (for both accelerated and non-accelerated traffic)


The more I read about it, the more I am convinced that it is not working as intended or I am making some major mistakes...

Summary of capture Filters I have used so far on R80.40:

  • fw monitor
    • -F ",0,,80" -F ",80,,0"
    • -F "0,0,0,0,0" <- Capture everything
    • -F ",0,,0" -F ",0,,0" <- Capture all traffic between 2 hosts
    • -e "accept (src= and dst= or (src= and dst= or (src= and dst=;"
    • -e "accept;" <- Capture everything

I really like the idea of capturing accelerated traffic without the need to disable SecureXL on the whole system. I will test this with other protocols as well and report back my findings 🙂

0 Kudos
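To make the -F filter syntax discussed in this thread easier to reason about, here is a small Python model of how such filters select packets. It is an added example, not code from this thread or from Check Point. It assumes that each -F filter is "src,sport,dst,dport,proto", that a field of 0 (or an empty field, as in ",0,,80") means "any", that omitted trailing fields also mean "any", and that several -F filters on one command line are combined with OR. All addresses and ports are constructed sample values.

```python
"""Model of Check Point ``fw monitor -F`` 5-tuple filter matching.

Added example (not from the thread or from Check Point). Assumptions:
a -F filter is "src,sport,dst,dport,proto"; a field that is 0 or empty
means "any"; omitted trailing fields mean "any"; several -F filters are
OR-combined. Addresses and ports below are constructed sample values.
"""
from dataclasses import dataclass
from typing import List, Optional

TCP = 6


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int


@dataclass(frozen=True)
class FFilter:
    src: Optional[str]    # None means "any"
    sport: Optional[int]
    dst: Optional[str]
    dport: Optional[int]
    proto: Optional[int]

    @classmethod
    def parse(cls, spec: str) -> "FFilter":
        """Parse one -F argument such as "10.1.1.10,0,192.0.2.80,80,6"."""
        fields = [f.strip() for f in spec.split(",")]
        if len(fields) > 5:
            raise ValueError(f"-F filter has more than 5 fields: {spec!r}")
        fields += [""] * (5 - len(fields))  # assumption: omitted fields = any

        def addr(f: str) -> Optional[str]:
            return None if f in ("", "0") else f

        def num(f: str) -> Optional[int]:
            if f in ("", "0"):
                return None
            if not f.isdigit():
                raise ValueError(f"numeric field expected, got {f!r} in {spec!r}")
            return int(f)

        return cls(addr(fields[0]), num(fields[1]), addr(fields[2]),
                   num(fields[3]), num(fields[4]))

    def matches(self, p: Packet) -> bool:
        """A filter matches when every non-wildcard field equals the packet's."""
        pairs = ((self.src, p.src), (self.sport, p.sport), (self.dst, p.dst),
                 (self.dport, p.dport), (self.proto, p.proto))
        return all(want is None or want == have for want, have in pairs)


def select(filters: List[str], packets: List[Packet]) -> List[Packet]:
    """Keep packets matched by at least one filter (filters are OR-combined)."""
    parsed = [FFilter.parse(f) for f in filters]
    return [p for p in packets if any(f.matches(p) for f in parsed)]


# Constructed sample traffic: Host A talking HTTP to Webserver B, plus noise.
HOST_A, WEB_B, OTHER = "10.1.1.10", "192.0.2.80", "10.1.1.99"
SAMPLE = [
    Packet(HOST_A, 51000, WEB_B, 80, TCP),   # SYN / GET from A to B
    Packet(WEB_B, 80, HOST_A, 51000, TCP),   # SYN-ACK / 200 OK from B to A
    Packet(OTHER, 40000, WEB_B, 80, TCP),    # another client, should be excluded
    Packet(HOST_A, 52000, WEB_B, 443, TCP),  # HTTPS from A, wrong port
]


def demo():
    """Return (both directions, everything, one direction only)."""
    both = select([f"{HOST_A},0,{WEB_B},80", f"{WEB_B},80,{HOST_A},0"], SAMPLE)
    everything = select(["0,0,0,0,0"], SAMPLE)
    one_way = select([f"{HOST_A},0,{WEB_B},80"], SAMPLE)
    return both, everything, one_way


if __name__ == "__main__":
    for label, pkts in zip(("both", "all", "one-way"), demo()):
        print(label, len(pkts), pkts)
```

The pair of filters used in the thread (one per direction) is needed because each 5-tuple is directional: a single "A,0,B,80" filter keeps the GET but drops the reply from B. "0,0,0,0,0" is the everything-filter from the summary list above.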

I suspect even after disabling SecureXL, traffic is being accelerated: sk162492. In essence, you cannot disable SXL in R80.20 and above completely.

What to do to make sure no accelerated traffic is passing?

  • Disable acceleration on both cluster members
  • Fail over
  • Run traces on the new active member
0 Kudos

Good Morning Val!

Sorry, I might not have expressed my issue correctly. It's not that accelerated traffic isn't passing; it works fine. The issue is that I am not able to capture it (no HTTP GET & OK packets) with the -F filter. So I just tested it with the -e flag as PhoneBoy suggested.

I will do a Fail over later and report back!

0 Kudos

You can replace -e "accept (src= and dst= or (src= and dst= (src= and dst=;" with this:

-e "accept (host( AND host( OR (host( AND host(

Regards, Maarten
0 Kudos

Hey Maarten,

thanks for that. Great way to simplify it and much easier to read! Thanks a lot 🙂


0 Kudos

You can replace -e "accept (host( AND host( OR (host( AND host(;" with this:

-e "accept host( and (host( or host(;"


I found the issue...😅

I had to use the "-w" flag as well in order to capture the GET & OK packets. I tried it with FTP as well, and when not using the "-w" flag, these packets are not captured. Weird hmmm...

So the syntax would be: fw monitor -w -F etc.

But at least it works now 🙂 


When using -o/ -x flag, there is an option to print whole raw data of packet.

Note: Relevant for R80.20 from Jumbo Hotfix Accumulator for R80.20 (Take 73). Currently, not relevant for R80.30.


Thanks for your help!