The menu on the left will take you to different modules where you can build packet capture syntax to run on network devices. Some modules also have a flow debug feature which will help you build debugs to run on certain devices. There will be more features added as time goes on so make sure you check the .plan section as well as the development site to see what's coming up.
If you would like in-depth instructions on how to use this tool, visit the Help section for a detailed explanation on all the features.
New! Once your syntax is built and you're ready to copy it, put your mouse over the completed syntax at the top and click anywhere in the bar. The command is now copied and you're ready to paste it to be run.
New! Modules and all their syntax options now have full contextual help. Hover your mouse over the help icon to get a tooltip explaining what the syntax does.
New! Syntax items which require user input now have colour-coded feedback! If you enter information which is valid, a check mark icon will appear and the item will turn green as will the flashes at the top bar. Should the information you've entered seem suspect, a warning icon will appear and the item will turn yellow as will the flashes at the top bar. If the information is invalid or missing, the item will turn red.
Some modules have additional information which will be presented to you to help facilitate your commands. Regardless of the module, it is your responsibility to have the understanding of commands that you are running. Although it is not likely to happen, running commands incorrectly can cause issues with devices up to, including and not limited to: device slow downs and device outages. You are solely responsible for the actions you take and the commands you run!
Feedback is always welcomed. Feel free to contact me on Twitter (@Grave_Rose) or visit the subreddit at https://www.reddit.com/r/tcpdump101
tcpdump
Command Syntax Options Use these options to set the command-line syntax options which will change how tcpdump works and displays output.
Capture Interface Specify the name of the interface you want to run tcpdump on.
Syntax: -i interface
You can also use 'any' (without the quotes) to capture on all interfaces at once.
Error: Interface not specified!
PCap and Display Options Use this section to change what tcpdump will output.
Link-Level Headers (MAC Addresses) Specify if tcpdump should print Link-Level headers or not.
Default: Link-Level headers will not be printed.
-e: Print Link-Level headers.
Set Snaplength Specify how many bytes tcpdump should capture for each packet.
-s [0-65535]: Set the snaplength to this size. Setting to 0 will capture the entire packet.
Default snaplength set.
Set Count Specify how many packets tcpdump should capture before stopping/exiting automatically.
-c [number]: Specify the [number] of packets to count.
No capture limit set.
Checksum Verification Specify if tcpdump should attempt to verify checksums or not.
Default: Checksums will attempt to be verified.
-K: tcpdump will not attempt to verify checksums.
Domain Name Printing Specify if tcpdump should print domain names.
Default: Domain names will be printed.
-N: Domain names will not be printed.
Output and File Options Use this section to save your output to a file.
Output Location Specify where tcpdump should send its output.
Default: Output will be sent to STDOUT.
-w: Output will be saved to a file.
Display to screen Save to File
Save Output to File Specify which file name to save to.
-w filename: Save the output to a file.
Error: No output file has been specified!
Split Output by File Size Specify whether or not to split files based on the size of the file. Leave empty to not split the output file by size.
-C file size to split on: Split the saved file based on file size.
File will not be split.
Rotate Output File by Time Specify whether or not to rotate the output file by time (measured in seconds). Leave empty to not rotate the output file by time.
-G time in seconds: Rotate the output file based on time in seconds.
File will not be split.
Limit Number of Output Files Specify whether or not to limit the number of output files created. Leave empty to not limit.
-W Number of files to limit to: Limit the number of output files.
File count output will not be limited.
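Added example, not part of tcpdump101: a Python builder that assembles the tcpdump command from the options in this section and applies the checks behind the tool's colour-coded feedback (errors block generation, warnings flag suspect combinations such as -W without -C or -G). The flag semantics are tcpdump's own; the class and function names are this example's.

```python
"""Assemble and sanity-check a tcpdump command line (example code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import shlex


@dataclass
class TcpdumpOptions:
    interface: Optional[str] = None      # -i
    link_level: bool = False             # -e
    snaplen: Optional[int] = None        # -s
    count: Optional[int] = None          # -c
    no_checksums: bool = False           # -K
    no_names: bool = False               # -N
    outfile: Optional[str] = None        # -w
    split_mb: Optional[int] = None       # -C
    rotate_sec: Optional[int] = None     # -G
    max_files: Optional[int] = None      # -W
    bpf_filter: str = ""


def validate(o: TcpdumpOptions) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings); errors stop the command from being built."""
    errors, warnings = [], []
    if not o.interface:
        errors.append("Interface not specified!")
    if o.snaplen is not None and not 0 <= o.snaplen <= 65535:
        errors.append("Snaplength must be between 0 and 65535.")
    if o.count is not None and o.count < 1:
        errors.append("Packet count must be a positive number.")
    rotating = o.split_mb is not None or o.rotate_sec is not None
    if (rotating or o.max_files is not None) and not o.outfile:
        errors.append("-C, -G and -W only apply when saving to a file (-w).")
    if o.rotate_sec is not None and o.outfile and "%" not in o.outfile:
        # -G reopens the same name unless the filename carries strftime(3) fields
        warnings.append("-G without a strftime pattern in the filename overwrites one file.")
    if o.max_files is not None and not rotating:
        warnings.append("-W has no effect without -C or -G.")
    return errors, warnings


def build(o: TcpdumpOptions) -> str:
    """Build the copy-and-paste command line; raise if validation fails."""
    errors, _ = validate(o)
    if errors:
        raise ValueError("; ".join(errors))
    argv = ["tcpdump", "-i", o.interface]
    if o.link_level:
        argv.append("-e")
    if o.snaplen is not None:
        argv += ["-s", str(o.snaplen)]
    if o.count is not None:
        argv += ["-c", str(o.count)]
    if o.no_checksums:
        argv.append("-K")
    if o.no_names:
        argv.append("-N")
    if o.outfile:
        argv += ["-w", o.outfile]
        for flag, val in (("-C", o.split_mb), ("-G", o.rotate_sec), ("-W", o.max_files)):
            if val is not None:
                argv += [flag, str(val)]
    if o.bpf_filter:
        argv.append(o.bpf_filter)  # the filter travels as one quoted token
    return " ".join(shlex.quote(a) for a in argv)
```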
Information Only Options Use this section to have tcpdump provide you information. NOTE: Selecting any of these options will not run a PCap.
PCap Filter Options
Filter Create your packet capture filter with these selectors. You can also negate the item by selecting the "not" option.
On any newly created filter option, you must specify the operand to use.
Operand:
Layer-2
Layer-3
Layer-4
Other
diagnose sniffer packet ' ' 1 0
Command Syntax Options Use these options to set the command-line syntax options which will change how diagnose sniffer packet works and displays output.
Capture Interface Specify the name of the interface you want to run diagnose sniffer packet on.
You can also use 'any' (without the quotes) to capture on all interfaces at once.
Error: Interface not specified!
Verbosity Options Specify how verbose diagnose sniffer packet should be where 1 is the least and 6 is the most.
Set Count Specify how many packets diagnose sniffer packet should capture before stopping/exiting automatically.
[number]: Specify the [number] of packets to count.
No capture limit set.
PCap Filter Options
Filter Create your packet capture filter with these selectors. You can also negate the item by selecting the "not" option.
On any newly created filter option, you must specify the operand to use.
Operand:
Layer-2
Layer-3
Layer-4
Other
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug flow filter addr
diagnose debug flow filter saddr
diagnose debug flow filter daddr
diagnose debug flow filter proto
diagnose debug flow filter port
diagnose debug flow filter sport
diagnose debug flow filter dport
diagnose debug flow trace start
diagnose debug enable
Command Syntax Options Use these options to set how the FortiGate will run its flow debug.
Show Function Name By enabling this feature, diagnose debug flow will print the function name of the packets which are matched.
Function name is set to: Disable
Show iprope By enabling this feature, diagnose debug flow will print the iprope options of the packets which are matched.
iprope display is set to: Disable
Number of Trace Packets This option specifies how many packets will be matched during the debug. It is recommended to set this to a small number to avoid resource overhead and for ease of readability.
ERROR: No trace amount specified. Please add a value between 1-999.
PCap Filter Options
Filter Specify your filters for the flow debugs. All of these are optional.
Warning: There is no error checking here!
Layer-3 Addresses
Source or Destination
Source Only
Destination Only
Layer-3 Protocol
Layer-4 Ports
Source or Destination
Source Only
Destination Only
Keep in mind that these two versions are not compatible with each other so ensure you choose the correct version for the platform you are on.
Original version: R80.30, R80.20 (pre-JHF 73), all previous versions
'New' -F version: R80.20 (JHF 73+)
fw monitor -e "accept ;"
Command Syntax Options Use these options to set the command-line syntax options which will change how fw monitor works and displays output.
Specify VSX ID Specify the VSX ID you want to capture on. Leave blank for all.
VSX ID not specified.
Output to File Specify whether or not to save output to a file. Leave blank for standard output (display to screen).
Output to screen.
Debug and Display Options Use this section to change output and debug options of fw monitor.
Set Snaplength Specify how much of the packet fw monitor should capture.
[number]: Specify the [number] of bytes to capture.
Default snaplength set.
Set Inbound Packet Count Specify how many inbound packets fw monitor should capture.
[number]: Specify the [number] of inbound packets to capture.
No capture limit set.
Set Outbound Packet Count Specify how many outbound packets fw monitor should capture.
[number]: Specify the [number] of outbound packets to capture.
No capture limit set.
Chain Position Options Use this section to change the chain position options of fw monitor.
FW Monitor Mask Position (pre-R80) Use this section to change which point(s) of inspection fw monitor will listen on.
PCap Filter Options
Filter Create your packet capture filter with these selectors. You can also negate the item by selecting the "not" option.
On any newly created filter option, you must specify the operand to use.
Operand:
Layer-3
Layer-4
Other
fw monitor -F "0,0,0,0,0"
Command Syntax Options Use these options to set the command-line syntax options which will change how fw monitor works and displays output.
Specify VSX ID Specify the VSX ID you want to capture on. Leave blank for all.
VSX ID not specified.
Output to File Specify whether or not to save output to a file. Leave blank for standard output (display to screen).
Output to screen.
Debug and Display Options Use this section to change output and debug options of fw monitor.
Set Snaplength Specify how much of the packet fw monitor should capture.
[number]: Specify the [number] of bytes to capture.
Default snaplength set.
Set Inbound Packet Count Specify how many inbound packets fw monitor should capture.
[number]: Specify the [number] of inbound packets to capture.
No capture limit set.
Set Outbound Packet Count Specify how many outbound packets fw monitor should capture.
[number]: Specify the [number] of outbound packets to capture.
No capture limit set.
Chain Position Options Use this section to change the chain position options of fw monitor.
FW Monitor Mask Position (R80.20 JHF73+) Use this section to change which point(s) of inspection fw monitor will listen on.
PCap Filter Options
Filter Create your packet capture filter with these selectors.
Destination L4 Port Specify a Layer-4 destination port between 0-65535 where '0' is all Layer-4 destination ports.
cppcap -f " "
Command Syntax Options Use these options to set the command-line syntax options which will change how cppcap works and displays output.
Specify Interface Specify which interfaces you want to capture on. You can select all interfaces (default), only on one interface (-i interface) or on all except one interface (-I interface).
Capturing on all interfaces.
Specify VSX ID Specify which VSX instance you want to capture on. You can select all VSX instances (default), only on one VSX instance (-v id) or on all except one instance (-V id).
Capturing on all VSX instances.
Output to File Specify whether or not to save output to a file. Leave blank for standard output (display to screen).
Output to screen.
PCap and Display Options Use this section to change output and debug options of cppcap.
Set Snaplength Specify how much of the packet cppcap should capture.
Default: 96 bytes. Set to "0" to capture all.
[number]: Specify the [number] of bytes to capture.
Default snaplength set.
Set Packet Count Specify how many packets cppcap should capture.
[number]: Specify the [number] of packets to capture.
No capture limit set.
Set Byte Count Specify how many bytes cppcap should capture.
[number]: Specify the [number] of bytes to capture.
No byte limit set.
PCap Filter Options
Filter Create your packet capture filter with these selectors. You can also negate the item by selecting the "not" option.
On any newly created filter option, you must specify the operand to use.
Operand:
Layer-2
Layer-3
Layer-4
Other
fw ctl debug 0
fw ctl debug -buf 50
fw ctl debug -t info -f common
fw ctl kdebug -t -f
Command Syntax Options Use these options to set the command-line syntax options which will change how fw ctl debug works and displays output.
Type and Frequency The "type" option will only report messages at the level set or any after it in the following order: ERR, WRN, NOTICE, INFO. Setting "NONE" will not print any messages.
The "frequency" option will restrict the messages even more. Setting to "COMMON" will, by default, include "RARE" however "RARE" will not include "COMMON".
Type: Frequency:
Output to File Specify whether or not to save output to a file. Leave blank for standard output (display to screen).
Output to screen.
Debug Module Options
capture match
Command Syntax Options Use these options to set the command-line syntax options which will change how the ASA PCap works and displays output.
PCap and Display Options Use this section to change output and debug options of asapcap.
PCap Filter Options (raw-data)
Filter Create your packet capture filter with these selectors.
Layer-3 Protocol Enter a Layer-3 protocol number [0-255] or the ASA built-in name for the protocol you want to capture on. For any Layer-3 protocol running on IPv4, use "ip".
Cisco Built-in Protocol Names
ah
eigrp
esp
gre
icmp
icmp6
igmp
igrp
ip
ipinip
ipsec
nos
ospf
pcp
pim
pptp
snp
tcp
udp
Layer-3 Source IP and Subnet Mask Specify the source address to match or use "any" for any IP address.
IPv4 (1.2.3.4)
any
Layer-4 Source Port Specify the source port to match or leave blank for any port.
0-65535
aol
bgp
chargen
cifs
citrix-ica
cmd
ctiqbe
daytime
discard
domain
echo
exec
finger
ftp
ftp-data
gopher
h323
hostname
http
https
ident
imap4
irc
kerberos
klogin
kshell
ldap
ldaps
login
lotusnotes
lpd
netbios-ssn
nfs
nntp
pcanywhere-data
pim-auto-rp
pop2
pop3
pptp
rsh
rtsp
sip
smtp
sqlnet
ssh
sunrpc
tacacs
talk
telnet
uucp
whois
www
Layer-3 Destination IP Specify the destination address to match or use "any" for any IP address.
IPv4 (1.2.3.4)
any
Layer-4 Destination Port Specify the destination port to match or leave blank for any port.
0-65535
Command-Line Tools
This area has a collection of command-line utilities for different platforms. You can see which commands will run on each platform based on the icon beside it. These commands do not auto-update the command bar. You must press the "Generate Command" button for it to work.
IPv4/IPv6 Interface Configuration
Device Type: Command Type: IP Version:
Interface: Specify the interface name to configure.
IP Address: Enter the IP address to assign to the interface.
Subnet: Use slash notation for all types except ASA which requires dotted decimal.
IPv4/IPv6 Static Route Configuration
Device Type: Command Type: IP Version:
Route ID: Enter the route ID number.
Destination: Specify the destination route target.
Example: 1.2.3.0/24
Gateway IP: Enter the Gateway IP address to use for this route.
Interface: Enter the interface name to use.