Occasionally I will run into situations where the only way to definitively diagnose network related problems is to perform raw traffic dumps on a main internal / external interface.
The reasons for needing to perform this could be anything. I thought I’d share the quick and easy steps to perform in order to do a quick network traffic capture.
Be warned though, that it is easy to overflow the console buffer and subsequently crash your firewall if you don’t narrow the scope of your capture enough.
To view the current snoop settings :
To monitor all traffic from a particular ip address going to a particular port :
To monitor all traffic on the network going to a particular ip address :
The above commands only SET the filter. You have to turn the filter on and monitor the buffer to actually view the results. Note that you should ensure that the scope of your filters are quite narrow as there is the risk of overflowing the console buffer and crashing the firewall if you are monitoring a wide scope.
To view the filters and turn on snoop :
get dbuf stream
Dont forget to clear the filters , dbuf stream and turn off snoop when your done :
snoop filter delete