Welcome to tcpdump101.com


Module Status

tcpdump
Usability: 100%
Functionality: 100%

fortigate
Usability: 100%
Functionality: 100%

check point
Usability: 100%
Functionality: 100%

Cisco ASA
Usability: 100%
Functionality: 60%

Please see the .plan section for news on the latest updates. (31-10-2018)


Keep in mind that if you run a packet capture on a live device without knowing the full implications of enabling the packet capture, you could cause network issues. By using this site you acknowledge that you are aware of, and solely responsible for, the potential risks involved in your actions.


tcpdump


Syntax Options

PCap and Display Options

 
Name/Service Resolution
All Names and Services will be printed.
Don't resolve hostnames. (-n)
Don't resolve hostnames or service names. (-nn)

Link-Level Headers (MAC Addresses)
Link-Level Headers will not be printed.

Quick Display
Print information normally.

Time Options
Print time normally.
Time will not be printed.(-t)
Time will be printed in seconds since Jan 1, 1970. (-tt)
Time will be printed as a Delta since the previous packet. (-ttt)
Time will be printed with the calendar date. (-tttt)
Time will be printed as a Delta since the start of the command. (-ttttt)

Verbosity Level
No verbosity set.
First level of verbosity set. (-v)
Second level of verbosity set. (-vv)
Full level of verbosity set. (-vvv)

Full Packet Display
Payloads will not be printed.
Payloads will be printed in Hex and ASCII without Link-Level Headers. (-X)
Payloads will be printed in Hex and ASCII with Link-Level Headers. (-XX)

Set Snaplength
Default set (all 65535 bytes).

Set Count
No capture limit set.

BGP Display Option
Print BGP AS number as ASPLAIN.

Checksum Verification
Attempt to verify checksums.

Domain Name Printing
Domain names will be printed.


File Options


Information-only Options

 
List Available Interfaces
Do not list interfaces. Run an actual PCap.

List Available Timestamp Types
Do not list timestamp types. Run an actual PCap.

Dump Information as Code
Do not list dump information. Run an actual PCap.
Dump compiled packet-matching code. NOTE: Setting this will override all other options and NOT run a PCap. (-d)
Dump packet-matching code as C program fragments. NOTE: Setting this will override all other options and NOT run a PCap. (-dd)
Dump packet-matching code as decimal numbers. NOTE: Setting this will override all other options and NOT run a PCap. (-ddd)

Filter Options
Filter Option (?)IMPORTANT
There is limited error checking performed on the filters. Please see the "Help" section at the side to learn more.

fortigate

diagnose sniffer packet '' 1 0


Syntax Options
Verbosity Level
Level 1
Level 2
Level 3
Level 4
Level 5
Level 6
Set Count
No capture limit set.

Print Absolute Timestamp
Absolute timestamps will not be printed.
Filter Options
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset
diagnose debug enable


Filter Options

IP Version: IPv4 IPv6


Show Function Name: Off On


Show iprope: Off On


Number of Trace Packets (?)Required
Specify the number of packets this trace will display (1-999).

Layer-3 Protocol (?)Optional
Specify the Layer-3 protocol to filter on. (1-255)

Layer-4 Ports (?)Optional
Specify the Layer-4 TCP or UDP port(s) to filter on.
Options are:

Source or Destination (S||D)
Source only (SRC)
Destination only (DST)

This is the area for debugging VPNs in FortiGate.
Anatomy of IPSec
Main Mode
check point

fw monitor -e "accept ;"

To get the full output of fw monitor you should disable SecureXL with the command "fwaccel off". You can re-enable it afterwards with the command "fwaccel on". Keep in mind that this could have performance impacts.
Syntax Options

Specify VSX Machine ID
No VSX.

Save Output to File
Output to STDOUT.

Debug and Display Options
 
UUID/SUUID Display
Do not display UUID or SUUID.
Display UUID for every packet. Syntax: (-u)
Display SUUID for every packet. Syntax: (-s)

Debugging Level
No debugging will be displayed.
Debugging level 1. Syntax: (-d)
Maximum debugging will be displayed. Syntax: (-D)

Buffered Output
Print packets to STDOUT buffered.

Raw Packet Display
Payloads will not be printed.

Set Snaplength
Do not limit length of packet data captured.

Set Inbound Count
No capture limit set.

Set Outbound Count
No capture limit set.

Chain Position Options
Filter Options
fw ctl debug 0
fw ctl debug -buf 50
fw ctl debug -t info -f common

fw ctl kdebug -t -f


Note: You should run fw ctl debug 0 after your debug is complete to reset all debugging options back to default.
Module Options




This is the area for debugging VPNs in Check Point
Cisco ASA

capture interface match
capture interface
capture type webvpn user

Important: This page is still being worked on as there are many types of ASA captures. Please check back for a more complete version and/or follow me on Twitter @Grave_Rose for version announcements.

Syntax Options
Capture Name (?)Required
Specify the name of the capture.



Interface (?)Required
Specify the interface to capture on.


Filter Options

Table of Contents


     0. Basic Overview and Warnings
     1. tcpdump
     2. FortiGate
       2.1 FortiGate PCap
       2.2 FortiGate Flow Debugs
     3. Check Point
       3.1 Check Point fw monitor
       3.2 Check Point Kernel Debugs
     4. Cisco ASA


0. Basic Overview and Warnings

    tcpdump101.com has been designed to help people capture packets on different devices to assist with network troubleshooting, service troubleshooting and even passive red team activities. There is an assumption that the user has a basic understanding of what they want to capture. As much as this is a tool to help people, the user has to use their own logic since every situation is different. That being said, I strongly suggest that if you're just starting out with packet captures, you grab a copy of VirtualBox and play around with Linux and tcpdump. Although tcpdump may not be what you ultimately use, it will give you an excellent understanding of what you'll see, even with other products and vendors.

    As a safety measure (if at all possible) make sure to set a capture limit on your PCaps. If you make a mistake building your filters, you may end up capturing a lot of traffic. Although the odds are slim, there is a chance that your PCap could fill the NIC buffer and start dropping packets. The worst-case scenario is that it runs out of memory while you're logged in remotely. With today's hardware it most likely won't happen; however, you should always hope for the best and plan for the worst.

Input Filter Validation
    You may have noticed that you can sometimes type in whatever you'd like into some of the filter input areas. For instance, if you add a filter based on IPv4/IPv6 Address Filter, you can put in almost anything. As an example, you can put in "host 1.2.3.4.5.6.7.why.does.this.work" and there are no complaints.

    For right now, at least, I haven't worked in the options to filter based on IP address versus hostname. "Why not?", you ask. First off, my programming skills are pretty poor and I haven't looked into this. Yes, I could create three kinds of Host-based filters (one for IPv4, one for IPv6 and one for name-based) but I want to keep the user-experience as simple as possible. Flooding users with too many options may overwhelm some people. Since I don't know what the user will be entering (IP address or hostname), I'm letting them (you) put in whatever you want so long as it's just numbers, letters, hyphens, dots or colons.

    You may also notice that there is no strict enforcement on the operand conditions (None, And, Or, And Not, Or Not). The issue with this is that there is sometimes a need to select the "None" option. For example, when setting your filter to: "host 1.2.3.4 and \(port 22 or port 23\)". Here you can see that there is no operand after the "\(" nor is there one after "port 23". I'm going on the assumption that people either (a) know a little about building filters or (b) will learn as they go. If creating a filter that makes no logical sense produces an error when running the command, the user will learn how to build their filters properly.
Filter Overview
    Listed below are the filters for the "tcpdump" module; however, the information contained within applies to all modules which support these filters.
IPv4/IPv6 Address Filter

Source or Destination of Packet: Host Name/IP
    Here you can enter an IPv4 address (1.2.3.4), an IPv6 address (2001:bad:c0ff:ee::c0de), a hostname (alice) or a domain name (www.google.ca) to filter packets coming from or going to the host specified. You can use: Numbers, colons, dots, hyphens, underscores and letters. Apart from that, there is no error checking so make sure you have entered your information correctly.

Source or Destination of Packet: Network
    This option allows you to specify an IPv4 network (10.20.30.0/24), an IPv6 network (2001:dead:beef::/64) or a network name (present in /etc/networks on your system) to filter for packets coming from or to this network specified. You can use: Numbers, colons, forward slashes, hyphens, underscores or letters. Apart from that, there is no error checking so make sure you have entered your information correctly.

Source of Packet: Host/IP
    This option allows you to enter an IPv4 address (1.2.3.4), an IPv6 address (2001:bad:c0ff:ee::c0de), a hostname (alice) or a domain name (www.google.ca) to filter packets being sourced from the host specified. You can use: Numbers, colons, dots, hyphens, underscores and letters. Apart from that, there is no error checking so make sure you have entered your information correctly.

Source of Packet: Network
    Here you can enter an IPv4 network (10.20.30.0/24), an IPv6 network (2001:dead:beef::/64) or a network name (present in /etc/networks on your system) to filter for packets sourced from the network specified. You can use: Numbers, colons, forward slashes, hyphens, underscores or letters. Apart from that, there is no error checking so make sure you have entered your information correctly.

Destination of Packet: Host/IP
    This option allows you to enter an IPv4 address (1.2.3.4), an IPv6 address (2001:bad:c0ff:ee::c0de), a hostname (alice) or a domain name (www.google.ca) to filter packets being destined to the host specified. You can use: Numbers, colons, dots, hyphens, underscores and letters. Apart from that, there is no error checking so make sure you have entered your information correctly.

Destination of Packet: Network
    Here you can enter an IPv4 network (10.20.30.0/24), an IPv6 network (2001:dead:beef::/64) or a network name (present in /etc/networks on your system) to filter for packets destined to the network specified. You can use: Numbers, colons, forward slashes, hyphens, underscores or letters. Apart from that, there is no error checking so make sure you have entered your information correctly.

Additional Filters

Layer 2 Ethernet Address
    ether host (source or destination)
      This option will let you specify an Ethernet (MAC) address to filter on. This must be six two-digit hexadecimal groups separated by hyphens, colons or dots (00.01.02.03.04.05 or 00-01-02-03-04-05 or 00:01:02:03:04:05). This option will capture packets from or to the specified address.
    ether src (source only)
      This option will let you specify an Ethernet (MAC) address to filter on. This must be six two-digit hexadecimal groups separated by hyphens, colons or dots (00.01.02.03.04.05 or 00-01-02-03-04-05 or 00:01:02:03:04:05). This option will capture packets sourced from the specified address.
    ether dst (destination only)
      This option will let you specify an Ethernet (MAC) address to filter on. This must be six two-digit hexadecimal groups separated by hyphens, colons or dots (00.01.02.03.04.05 or 00-01-02-03-04-05 or 00:01:02:03:04:05). This option will capture packets destined to the specified address.

Layer 3 Protocol Number
    Selecting this option will allow you to filter on Layer-3 protocol number - See http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml for more information. You can use any number from 0 through 255 (inclusive) or a common name (under /etc/protocols on your system). You can use: numbers, hyphens, underscores, dots, colons and letters. Apart from that, there is no error checking so make sure you have entered your information correctly.

Layer 4 Port Number
    By choosing this option, you can filter on Layer-4 (TCP or UDP) port numbers - See http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml for more information. You can use any number from 0 through 65535 (inclusive) or a common name (under /etc/services on your system). You can use: numbers, hyphens, underscores, dots, colons and letters. Apart from that, there is no error checking so make sure you have entered your information correctly.

    port (source or destination)
      This will filter on traffic on the specified port coming from or destined to the specified port.
    src port (source)
      This will filter on traffic coming from the specified port.
    dst port (destination)
      This will filter on traffic destined to the specified port.
    portrange
      Enter with a range value such as: 22-80. This will capture traffic coming from or destined to any ports in the range listed.
    src portrange (source portrange)
      Enter with a range value such as: 22-80. This will capture traffic coming from any ports in the port range listed.
    dst portrange (destination portrange)
      Enter with a range value such as: 22-80. This will capture traffic destined to any ports in the port range listed.
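As an added example (not code from tcpdump101.com), here is a stricter alternative to the loose character check described under "Input Filter Validation", covering the host, network, Ethernet, port and port-range inputs listed above: it parses literal addresses with Python's ipaddress module, normalises the three MAC notations to the colon form tcpdump prints, and emits the finished primitive. The all-numeric-labels rule and the numeric-only port range are assumptions of this example, not tcpdump behaviour; a syntactically valid hostname such as the page's "1.2.3.4.5.6.7.why.does.this.work" still passes, because only a resolver can reject it.

```python
from __future__ import annotations

import ipaddress
import re

# The site's loose rule (from the page): letters, digits, hyphens, underscores, dots and colons only.
LOOSE_RE = re.compile(r"[A-Za-z0-9._:-]+")
# One DNS label: 1-63 letters, digits or hyphens, no leading or trailing hyphen.
LABEL_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
# A name tcpdump would look up in /etc/services, /etc/protocols or /etc/networks.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_.-]*")


def classify_host(value: str) -> str:
    """Return 'ipv4', 'ipv6' or 'hostname'; ValueError if 'host' could never use it."""
    if not LOOSE_RE.fullmatch(value):
        raise ValueError(f"disallowed characters in host filter: {value!r}")
    try:
        return f"ipv{ipaddress.ip_address(value).version}"
    except ValueError:
        pass  # not a literal address; see whether it is a plausible hostname
    labels = value.rstrip(".").split(".")
    if all(label.isdigit() for label in labels):
        # All-numeric labels that are not an IPv4 address: a mangled dotted quad, not a hostname (assumed rule)
        raise ValueError(f"malformed IPv4 address: {value!r}")
    if ":" in value or not all(LABEL_RE.fullmatch(label) for label in labels):
        raise ValueError(f"not a valid hostname: {value!r}")
    return "hostname"


def classify_network(value: str) -> str:
    """Return 'ipv4', 'ipv6' or 'name'; host bits under the prefix are rejected, as tcpdump does."""
    try:
        return f"ipv{ipaddress.ip_network(value).version}"
    except ValueError:
        pass  # not a literal prefix (or e.g. 10.20.30.1/24 with host bits set)
    if "/" in value or ":" in value or not NAME_RE.fullmatch(value):
        raise ValueError(f"not a network or /etc/networks name: {value!r}")
    return "name"


def normalize_ether(value: str) -> str:
    """Accept six two-digit hex groups split by '-', ':' or '.'; return tcpdump's colon form."""
    for sep in ("-", ":", "."):
        parts = value.split(sep)
        if len(parts) == 6 and all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
            return ":".join(p.lower() for p in parts)
    raise ValueError(f"not a MAC address in six two-digit groups: {value!r}")


def parse_port(value: str) -> int | str:
    """A numeric port (0-65535) is returned as int; a service name as str."""
    if value.isdigit():
        if 0 <= int(value) <= 65535:
            return int(value)
        raise ValueError(f"port out of range: {value}")
    if NAME_RE.fullmatch(value):
        return value  # tcpdump resolves it through /etc/services
    raise ValueError(f"not a port number or service name: {value!r}")


def parse_portrange(value: str) -> tuple[int, int]:
    """'22-80' -> (22, 80); numeric ends only, low end first (an assumed rule)."""
    lo, sep, hi = value.partition("-")
    if not sep or not (lo.isdigit() and hi.isdigit()):
        raise ValueError(f"portrange must look like 22-80: {value!r}")
    lo_p, hi_p = int(parse_port(lo)), int(parse_port(hi))
    if lo_p > hi_p:
        raise ValueError(f"portrange ends reversed: {value!r}")
    return (lo_p, hi_p)


def rejects(check, value: str) -> bool:
    """True when check(value) raises ValueError; shows what strict checking catches."""
    try:
        check(value)
    except ValueError:
        return True
    return False


def primitive(kind: str, value: str, direction: str = "") -> str:
    """Validate value for one filter kind and emit the tcpdump primitive text."""
    if direction not in ("", "src", "dst"):
        raise ValueError(f"direction must be '', 'src' or 'dst': {direction!r}")
    if kind == "ether":
        return f"ether {direction or 'host'} {normalize_ether(value)}"
    if kind == "host":
        classify_host(value)
    elif kind == "net":
        classify_network(value)
    elif kind == "port":
        value = str(parse_port(value))
    elif kind == "portrange":
        lo, hi = parse_portrange(value)
        value = f"{lo}-{hi}"
    else:
        raise ValueError(f"unknown filter kind: {kind!r}")
    return f"{direction} {kind} {value}".strip()
```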

Precedence

The open "(" and close ")" markers group part of the filter into a sub-expression that is evaluated on its own before being combined with the rest, whereas a filter without them is read from left to right. (The backslashes in the examples below keep the shell from interpreting the parentheses; they are not part of the filter itself.) Let's say you wanted to capture all TCP traffic but you also wanted to capture UDP port 53. Here's how you can build that filter:

    tcp or \( udp and port 53 \)

The first option tells tcpdump to capture ONLY TCP packets which would eliminate our second requirement to capture UDP traffic. So we add an OR statement so that we can get TCP traffic OR UDP traffic so long as the UDP traffic is on port 53. If we wrote it without the parenthesis like this:

    tcp or udp and port 53

We would only capture port 53 traffic either over TCP or UDP but we wouldn't capture ALL TCP traffic since we've limited the capture to port 53.
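Added example, not code from tcpdump101.com: a small parser that applies the pcap-filter(7) rule that "and" and "or" share one precedence level and associate left to right (negation binds tightest), then runs the two filters above against constructed packet summaries to show which packets each would capture. It handles only tcp, udp, icmp, host and port with src/dst qualifiers, and the packet values are constructed for the demonstration.

```python
from __future__ import annotations

# Constructed packet summaries (not real captures): protocol, addresses, ports.
PACKETS = {
    "tcp/80": {"proto": "tcp", "src": "10.0.0.5", "dst": "192.0.2.10", "sport": 40000, "dport": 80},
    "udp/53": {"proto": "udp", "src": "10.0.0.5", "dst": "192.0.2.53", "sport": 40001, "dport": 53},
    "udp/123": {"proto": "udp", "src": "10.0.0.5", "dst": "192.0.2.123", "sport": 40002, "dport": 123},
}
OPS = {"and": "and", "&&": "and", "or": "or", "||": "or"}


def tokenize(text: str) -> list[str]:
    """Split a filter into tokens; the backslash-escaped parentheses used on the page are accepted too."""
    return text.replace("\\(", "(").replace("\\)", ")").replace("(", " ( ").replace(")", " ) ").split()


class _Parser:
    def __init__(self, tokens: list[str]) -> None:
        self.toks, self.i = tokens, 0

    def peek(self) -> str | None:
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self) -> str:
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of filter")
        self.i += 1
        return tok

    def expr(self) -> tuple:
        # 'and' and 'or' share one precedence level and fold left to right, so 'a or b and c' is '(a or b) and c'.
        node = self.unary()
        while self.peek() in OPS:
            node = (OPS[self.take()], node, self.unary())
        return node

    def unary(self) -> tuple:
        tok = self.take()
        if tok in ("not", "!"):
            return ("not", self.unary())  # negation binds tightest
        if tok == "(":
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        return self.primitive(tok)

    def primitive(self, tok: str) -> tuple:
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, self.take()
        if tok in ("tcp", "udp", "icmp"):
            if self.peek() in ("src", "dst", "host", "port"):  # qualifier form, e.g. 'tcp port 53'
                return ("and", ("proto", tok), self.primitive(self.take()))
            return ("proto", tok)
        if tok in ("host", "port"):
            return (tok, direction, self.take())
        raise ValueError(f"unsupported primitive: {tok!r}")


def parse(text: str) -> tuple:
    parser = _Parser(tokenize(text))
    node = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return node


def unparse(node: tuple) -> str:
    """Render the tree fully parenthesised, so the grouping tcpdump applied is visible."""
    kind = node[0]
    if kind in ("and", "or"):
        return f"({unparse(node[1])} {kind} {unparse(node[2])})"
    if kind == "not":
        return f"not {unparse(node[1])}"
    if kind == "proto":
        return node[1]
    return f"{node[1]} {kind} {node[2]}" if node[1] else f"{kind} {node[2]}"


def matches(node: tuple, pkt: dict) -> bool:
    kind = node[0]
    if kind in ("and", "or"):
        left, right = matches(node[1], pkt), matches(node[2], pkt)
        return (left and right) if kind == "and" else (left or right)
    if kind == "not":
        return not matches(node[1], pkt)
    if kind == "proto":
        return pkt["proto"] == node[1]
    _, direction, value = node
    names = ("src", "dst") if kind == "host" else ("sport", "dport")
    fields = names if direction is None else (names[direction == "dst"],)
    return any(str(pkt[f]) == value for f in fields)


def compare(filter_a: str, filter_b: str) -> dict[str, tuple[bool, bool]]:
    """Which constructed packets each of two filters would capture, side by side."""
    return {name: (matches(parse(filter_a), p), matches(parse(filter_b), p)) for name, p in PACKETS.items()}
```

Running compare on the two filters above shows the TCP/80 packet matched by the grouped filter only, the UDP/53 packet by both, and the UDP/123 packet by neither.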

Protocol Filters

ARP (Address Resolution Protocol)
    Selecting this will only capture ARP packets (either who-has or tell).

RARP (Reverse Address Resolution Protocol)
    Selecting this will only capture RARP packets (mostly obsoleted now).

VLAN Specific
    Here you can specify which VLAN tags to capture for. Keep in mind that if you are running tcpdump on a machine connected to an access port, you probably don't need to specify a VLAN ID. Check with your switch administrator to find out. Any additional traffic will be ignored. You may use numbers only. That is the only error checking performed so make sure you have entered your information correctly.
    If you are performing mathematical filters, keep in mind that the offset increments by four (4) every time you add a VLAN filter.

IPv4 Only
    By selecting this option, only packets running on IPv4 will be captured. Anything else (IPv6, DECNet, Appletalk, etc) will be ignored.

IPv6 Only
    By selecting this option, only packets running on IPv6 will be captured. Anything else (IPv4, DECNet, Appletalk, etc) will be ignored.

TCP Only
    By default, this will capture any TCP traffic (this is synonymous with "proto 6"). From here, you can also filter on TCP specific flags:

      TCP SYN Flag: Capture packets if the "S" flag is set. This will capture SYN/ACK packets since the SYN flag is on.

      TCP ACK Flag: Capture packets if the "." flag is set. This will capture SYN/ACK, ACK and FIN/ACK packets since the ACK flag is on.

      TCP PSH Flag: Capture packets if the "P" flag is set.

      TCP URG Flag: Capture packets if the "U" flag is set.

      TCP RST Flag: Capture packets if the "R" flag is set.

      TCP FIN Flag: Capture packets if the "F" flag is set.

UDP Only
    This will capture any UDP traffic (this is synonymous with "proto 17").

ICMP Only
    By default, this will capture any ICMP (IPv4) traffic (this is synonymous with "proto 1"). From here, you can also filter on specific ICMP Types and Codes as well as inputting your own ICMP Types or Codes.

      All ICMP: Captures all ICMP packets

      ICMP Echo Reply Only: Will capture ICMP Echo Replies (Type 0 Code 0)

      ICMP Unreachable Only: Will capture ICMP Unreachable messages (Type 3 Code all)

      ICMP Source Quench: Will capture ICMP Source Quench (Type 4 Code 0)

      ICMP Redirect: Will capture ICMP Redirect messages (Type 5 Code all)

      ICMP Echo Only: Will capture ICMP Echo requests (pings) (Type 8 Code 0)

      ICMP Router Advertisement Only: Will capture Router Advert messages (Type 9 Code all)

      ICMP Router Solicitation: Will capture clients soliciting a router (Type 10 Code 0)

      ICMP Time Exceeded: Will capture TTL Error messages (Type 11 Code all)

      ICMP Parameter Problem: Will capture Parameter Problem messages (Type 12 Code all)

      ICMP Timestamp: Will capture ICMP Timestamp requests (Type 13 Code 0)

      ICMP Timestamp Reply: Will capture ICMP Timestamp replies (Type 14 Code 0)

      ICMP Information Request: Will capture deprecated Information Requests (Type 15 Code 0)

      ICMP Information Reply: Will capture deprecated Information Replies (Type 16 Code 0)

      ICMP Mask Request: Will capture deprecated subnet mask requests (Type 17 Code 0)

      ICMP Mask Reply: Will capture deprecated replies of mask requests (Type 18 Code 0)


ICMPv6 Only
    This will filter for ICMP over IPv6 only. Right now (December, 2015) there are no high-level ways of filtering for specific codes.

PPPoE Discovery
    By setting this filter option, you will only capture PPPoE Discovery packets. These are sent out during the initial Discovery Phase of PPP negotiation.

PPPoE Session
    By default, this will capture all PPPoE Session packets. You can also specify the Session ID you would like to capture by selecting the sub-option "Specify PPPoE Session ID". Here, you are allowed to use numbers only so make sure you have entered your information correctly.

MPLS
    This will allow you to filter for MPLS traffic specifically. You can also specify the MPLS ID you would like to capture by selecting the sub-option "Specify MPLS ID". Here, you are allowed to use numbers only so make sure you have entered your information correctly.

Create Your Own Filter

1. tcpdump

tcpdump is a packet capturing utility commonly found on Linux, BSD, Unix and other Unix-like operating systems including Check Point GAiA. By specifying an interface, tcpdump will listen on that specific interface and, by default, print packets to STDOUT.

Here is the general usage for using the tcpdump module:
    - At the very least, enter the interface name on the left you want to run tcpdump on.
    - On any option, hover your mouse over the (?) icon to get context-related help.
    - On the left-hand side are your Syntax Options. These are the command-line switches that tcpdump takes.
      * There is pretty-good error checking here.
    - On the right-hand side are your Filter Options. These allow you to build your tcpdump filters to capture only the traffic you are interested in.
    - When adding a new filter, you will be presented with operand options: None, And (default), Or, And Not, Or Not.
    - Once you have created your tcpdump command, copy it from the top bar and run it. Note that you may require root, sudo or group permissions to run the command. Check with your administrator or just try running the command prefaced with "sudo". :)

2. FortiGate

FortiGate is the mainstay firewall by Fortinet which is an all-in-one appliance offering everything from basic firewalling to full UTM.

2.1 FortiGate PCap

Here is the general usage for using the FortiGate PCap module:
    - At the very least, enter the interface name on the left you want to run your PCap on.
    - On any option, hover your mouse over the (?) icon to get context-related help.
    - The left-hand side contains the Syntax Options. You can set the verbosity (higher number = more information), the number of packets to capture and printing of the timestamps.
    - On the right-hand side are your Filter Options. These allow you to build your PCap filters to capture only the traffic you are interested in.
    - When adding a new filter, you will be presented with operand options: None, And (default), Or, And Not, Or Not.

2.2 FortiGate Flow Debugs

Here is the general usage for using the FortiGate Flow Debug module:
    - The top three boxes have settings you can enable or disable. These are toggle switches meaning that both can't be on at the same time.
      - IP Version: Selects either IPv4 or IPv6 for the debugs.
      - Show Function Name: Selects whether or not the function processing the packet will be displayed in the debug.
      - Show IPROPE: Selects whether or not IPROPE information will be displayed in the debug.
    - You must specify the number of packets to be used for the trace. Keep in mind that this is a debug function and not a direct PCap. This means that you can probably set this to a low number since every packet (until the count is hit) will display full debug information.
    - Lastly, you can also filter on Layer-3 address (Source or Destination, Source only or Destination only), Layer-3 Protocol number (1-255) as well as port number for Layer-4 services.

3. Check Point

Check Point firewall is one of the original commercial firewall vendors who continually expand their platform offerings.

3.1 Check Point 'fw monitor' PCap

Here is the general usage for using the Check Point 'fw monitor' module:
    - You may need to disable SecureXL to capture all the packets as it passes through the Check Point kernel. Doing this will have an impact on traffic so disable it at your own risk!
    - If you are running VSX, ensure you specify the VSX machine ID to capture on.
    - You can save it to a file for reading in another application such as Wireshark.
    - In the "Debug and Display Options", you can set options as well as the Inbound and Outbound counts. These will terminate the 'fw monitor' once the number of packets has been reached.
    - Two other options are in the "Chain Position Options" which are only for advanced users.
    - On the right-hand side are your Filter Options. These allow you to build your PCap filters to capture only the traffic you are interested in.

3.2 Check Point 'fw ctl debug' Kernel Debugging

Here is the general usage for using the Check Point 'fw ctl debug' module:
    - Set the buffer size with the slider on the left. The default is 50k and can be reset with the button beside it.
    - You can set options such as the Type and Frequency as well as what type of timestamps you want applied and a file to save it to. If "Output to File" isn't specified, STDOUT will be used.
    - The right-hand side contains all the firewall modules and their options (as of R80.10 [22.08.18]) and can be enabled or disabled. Caution! Enabling a lot of debug modules may cause CPU issues.

4. Cisco ASA

Cisco is one of the top leaders in networking, routing and switching. Their ASA platform is fast, powerful and adaptive with new security technologies.

4.1 Cisco ASA PCap

Here is the general usage for using the Cisco ASA PCap module:
    - The "Network Capture (raw-data)" is the standard PCap utility on the ASA.
    - You must specify a name for your capture as well as which interface to capture on.
    - Setting the "trace" option on the right hand side will have the PCap utility print out information much like the "packet-tracer" command. In a sense, this is a flow debug option.
    - Enabling the "real-time" option will have the PCap displayed in real-time instead of being run through a buffer. This may lose some packets.
    - You must also set the Layer-3 protocol where '6' is equal to 'tcp' and '17' is equal to UDP which will open up Layer-4 options.
    - Lastly, you must also set the source and destination addresses of the packet to match on. Using 'any' will capture all source or destination addresses.

Keyboard Shortcuts

    ctrl + 1 - Opens the "tcpdump" area.
    ctrl + 2 - Opens the "FortiGate" area.
    ctrl + 3 - Opens the "Check Point" area.
    ctrl + 4 - Opens the "ASA" area.
    ctrl + 5 - Opens the "Help" area.
    ctrl + 6 - Opens the "Settings" area.
    ctrl + 7 - Opens the "Download" area.
    ctrl + 8 - Opens the ".plan" area.
    ctrl + 9 - Opens the "Donation Contributors" area.

Download

    If you want to have your own copy of tcpdump101.com locally, feel free to grab it. It's written in basic HTML, JavaScript and CSS so there is no server required - Just download the files to your computer and open them in your web browser. Very useful if you ever find yourself in a network down situation and you need to build PCaps but have no Internet connection.

    The easiest way of downloading your own copy of tcpdump101.com is with the wget utility. Here are the commands to get the tool:

      Prod/Stable: wget -r https://tcpdump101.com
      Development: wget -r http://dev.tcpdump101.com
      Old (not maintained): wget -r https://tcpdump101.com/old/

cat ~/.plan

Social

Notes

    - The Check Point kernel debug options look pretty messy, but they work. I needed a way to have items added or removed but each modifier (+ and -) requires its own line. So whenever a change is made to the module debugs, we parse over the entire list and put them in their own category. Lastly, we print that category even if it's only one item changed. I'll probably try to find a way to pretty it up later, but that's a tomorrow kind of problem. :)

Latest Updates

31-10-2018
    - Updated the "TCP Only" options to be "TCP Only (including tcpflags)" on modules that support it.
    - Fixed a bug where if you selected a filter option (such as Layer-3 Protocol) but left it blank or in an error state, the tcpdump module wouldn't load the "TCP Only (including tcpflags)" option properly. Thanks to Sven Glock on the Check Mates (https://community.checkpoint.com/thread/9013-tool-httpstcpdump101com) site for discovering this bug.
17-09-2018
    - Updated the left menu to be more streamlined.
    - Changed the left menu and main area to be percentages instead of hardcoded widths.
01-09-2018
    - Changed the information boxes below inputs to be regular font instead of "small-caps". This was pointed out by a thread in Hacker News.
    - Added an extra space below the outputted commands at the top to make it a bit easier to see. This was suggested by Check Point CheckMates.
    - Added red highlighting behind the first "not" filter to make it a bit easier to see. This was suggested by Check Point CheckMates.
    - Added a small flash of colour whenever something is added to the commands to draw attention to it. This was suggested by Check Point CheckMates.
    - Changed the interface error to a warning if some special characters are inputted. This was suggested by @gbraad

ToDo

    - Add a flow debug for the FortiGate section. Done!
    - Add kernel debug for the Check Point section. Done!
    - Get an ASA and finish up the capture types.
    - Add the packet-tracer for the Cisco section.
    - Add the VPN debug for the Cisco section.

Future Ideas

    - Put in some error checking and have an icon that will show whether or not the filter is valid.
    - Create some themes like the old version.

About

    I created tcpdump101.com after using RegEx101.com which is a fantastic resource for creating and validating regular expressions. Having been involved in NetSec for about twenty years now, I realized that a lot of people struggle with packet captures. I thought about what I could do to give back to the community that I've been a part of for such a long time and this is what I came up with. It may not be the be-all-and-end-all of networking tools, but as long as it helps people learn, I'm glad to have created it.

      - Gr@ve_Rose

Donation Contributors

    Thanks to the following people who have donated to help keep this site up and running. If you'd like to donate, you can visit my PayPal donations page to make a monetary donation. The list is updated manually so if you make a donation and your name doesn't appear in a few days, contact me at: tcpdump101 -at- gmail [dot] com