1.tcpdump 通常用来抓包处理经过网卡的交互包
[Expert@BJ-OFFICE-GW:0]# tcpdump -nni any host 10.158.1.100 -w /var/log/tcpdump20190821.cap
tcpdump: WARNING: Promiscuous mode not supported on the "any" device
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
2.fw monitor 通常用来通过CP的虚连接来查看报文的交互过程,最常用
fw monitor -e "host (x.x.x.x) or host(y.y.y.y), accept;" -o /var/log/20190821.cap
[Expert@BJ-OFFICE-GW:0]# fw monitor -e "host (10.158.1.100) , accept;" -o /var/log/2019082102.cap
monitor: getting filter (from command line)
monitor: compiling
monitorfilter:
Compiled OK.
monitor: loading
monitor: monitoring (control-C to stop)
933 monitor: caught sig 2
monitor: unloading
3. fw ctl zdebug 工具
# fw ctl zdebug + drop | grep 10.158.1.100> /var/log/2019082203.txt
[Expert@BJ-OFFICE-GW:0]# fw ctl zdebug + drop | grep 10.158.1.100> /var/log/2019082203.txt