Hello everyone,
I am currently trying to get a better understanding of how "fw monitor" works and how to use it. For that, I am currently comparing output from R80.10 and R80.40 (take_67) in my lab.
I am capturing HTTP traffic from Host A to Webserver B. My topology looks like this:
Webserver B ---- FW R80.10 ---- FW R80.40 ---- Host A
Webserver B IP: 192.168.1.100
Host A IP: 172.16.10.150 - NAT to 67.83.0.1 (FW R80.40)
I am capturing the traffic from Host A to Webserver B in both directions on both Gateways.
On R80.10 I disabled SecureXL to capture accelerated packets as well, and on R80.40 I am using the -F flag to capture accelerated and non-accelerated traffic.
It works to a certain point, but I am running into an issue which I haven't found a solution for so far.
I can see the 3-way handshake in both captures. On R80.10 I see the HTTP/Get & OK, but on R80.40 it is not being captured...
These are the filters I am using:
R80.10:
fwaccel off
fw monitor -e "accept (src=67.83.0.1 and dst=192.168.1.100) or (src=192.168.1.100 and dst=67.83.0.1);" -o fwmonR8010AccCap.pcap
R80.40: