Hello everyone,
I am currently trying to get a better understanding on how "fw monitor" works and how to use it. For that, I am currently comparing output from R80.10 and R80.40(take_67) in my Lab.
I am capturing http traffic from Host A to Webserver B . My topology looks like this:
Webserver B ---- FW R80.10 ---- FW R80.40 ---- Host A
Webserver B IP: 192.168.1.100
Host A: 172.16.10.150 - NAT to 67.83.0.1(FW R80.40)
I am capturing the traffic from Host A to Webserver B in both directions on both Gateways.
On R80.10 I disabled SecureXL to capture accelerated packets aswell and on R80.40 I am using the -F flag to capture accelerated and non accelerated traffic.
It works to a certain point, but I am running into an issue which I haven't found a solution for so far.
I can see the 3-way handshake in both captures, on R80.10 I see the HTTP/Get & OK but on R80.40 it is not beeing captured...
These are the filters I am using:
R80.10:
fwaccell off
fw monitor -e "accept (src=67.83.0.1 and dst=192.168.1.100) or (src=192.168.1.100 and dst=67.83.0.1);" -o fwmonR8010AccCap.pcap
R80.40:
fw monitor -F "172.16.10.150,0,192.168.1.100,80" -F "192.168.1.100,80,67.83.0.1,0" -o fwmonR8040AccCap.pcap
Can you tell me what I am doing wrong or missing here?
Thank you very much!!
greeting,
con
