interval milliseconds

Specifies the time interval in milliseconds between heartbeat messages. You can adjust the interval in increments of 100 milliseconds. The default is 1000. The allowed range is 100 to 6000 for release 6.2.2 and following, but 300 to 6000 for older releases.

A loss of consecutive heartbeat messages up to the retry count triggers a failure notification to the rest of the system. The default of 1000 milliseconds provides an aggressive failure detection setting with the risk of false failure detections.

retry-count integer

Specifies the number of times the app-agent should retry the heartbeat message if there is no response, or the app-agent receives an error response for the heartbeat message, from 3 to 10. The default is 3.

option

Enables the transactional commit model for the rule engine for the selected policies. Options include:

• access-group —Access rules applied globally or to interfaces.

• nat —Network address translation rules.

memory_size

(Optional) Sets the memory size for block diagnostics in bytes, instead of applying the dynamic value. If this value is greater than free memory, an error message appears and the value is not accepted. If this value is greater than 50% of free memory, a warning message appears, but the value is accepted.

any4

Specifies any IPv4 address instead of a single IP address and mask.

any6

Specifies any IPv6 address instead of a single IP address and mask.

all

Captures all packets dropped by the accelerated security path.

asp-drop drop-code

(Optional) Captures packets dropped by the accelerated security path. The drop-code specifies the type of traffic that is dropped by the accelerated security path. See the CLI help for a list of drop codes. You can enter this keyword with the packet-length , circular-buffer , and buffer keywords, but not with the interface or ethernet-type keyword. In a cluster, dropped forwarded data packets from one unit to another are also captured.

buffer buf_size

(Optional) Defines the buffer size used to store the packet in bytes. Once the byte buffer is full, packet capture stops. When used in a cluster, this is the per-unit size, not the sum of all units. The maximum buffer size supported is 32 MB.

The buffer size and file size options are mutually exclusive.

capture_name

Specifies the name of the packet capture. Use the same name on multiple capture statements to capture multiple types of traffic. When you view the capture configuration using the show capture command, all options are combined on one line.

data-plane

Specifies the captured packets on the dataplane interface.

direction

(Optional. Supported on: Secure Firewall 1200, Secure Firewall 4200 devices.) Specifies the direction of the switch traffic to be captured. It can be one of the following:

• both —To capture switch bi-directional traffic

• egress —To capture switch egressing traffic

• ingress —To capture switch ingressing traffic

drop

Specifies the packet capture configuration of the mac-filter drop:

• disable —To disable capture of packets dropped from switch.

• mac-filter —To capture switch mac-filter drop.

management-plane

Specifies the captured packets on the management interface.

circular-buffer

(Optional) Overwrites the buffer, starting from the beginning, when the buffer is full.

ethernet-type type

(Optional) Selects an Ethernet type to capture. Supported Ethernet types include 8021Q, ARP, IP, IP6, IPX, LACP, PPPOED, PPPOES, RARP, and VLAN. An exception occurs with the 802.1Q or VLAN type. The 802.1Q tag is automatically skipped and the inner Ethernet type is used for matching.

file-size file-size

(Optional) Specifies capturing packets to a file on disk, and the size of the file, from 32 MB to 10 GB.

The capture file will be created in flash memory (disk0:/) with the name capture_name.pcap .

When the file-size is configured, the hard disk memory (file) is used to write the captured data in the capture buffer. The captured data gets stored in the disk based on the filename.

The buffer size and file size options are mutually exclusive.

headers-only

(Optional) Selects Layer 2 and Layer 3/4 headers of packet to capture without data.

host source_ip , dest_ip

Specifies the single IP address of the host to or from which the packet is being sent.

include-decrypted

(Optional) Captures decrypted IPsec packets which contain both normal and decrypted traffic once they enter the firewall device. It also captures packets of SSL decrypted traffic. However, this option is not applicable for VTI tunnel as packets are seen in decrypted format only on the VTI interface; not on the outside like for crypto map VPN.

inline-tag tag

Specifies a tag for a particular SGT value or leaves it unspecified to capture a tagged packet with any SGT value.

interface interface_name

Sets the name of the interface on which to use packet capture. You must configure an interface for any packets to be captured except for type asp-drop . You can configure multiple interfaces using multiple capture commands with the same name. To capture packets on the management plane, you can use the interface keyword with asa_mgmt_plane as the interface name.You can specify cluster as the interface name to capture the traffic on the cluster control link interface. To capture packets on the internal backplane interface when you enable the Firewall Management Center access on a data interface, specify nlp_int_tap . If the type lacp capture is configured, the interface name is the physical name.

ikev1 , ikev2

Captures only IKEv1 or IKEv2 protocol information.

isakmp

(Optional) Captures ISAKMP traffic for VPN connections. The ISAKMP subsystem does not have access to the upper layer protocols. The capture is a pseudo capture, with the physical, IP, and UDP layers combined together to satisfy a PCAP parser. The peer addresses are obtained from the SA exchange and are stored in the IP layer.

lacp

(Optional) Captures LACP traffic. If configured, the interface name is the physical interface name.

mask

The subnet mask for the IP address, for example, 255.255.255.0 for a Class C mask.

match protocol

Specifies the packets that match the five-tuple to allow filtering of those packets to be captured. You can use this keyword up to three times on one line.

operator src_port , dest_port

(Optional) Matches the port numbers used by the source or destination. The permitted operators are as follows:

• lt —less than

• gt —greater than

• eq —equal to

• neq —not equal to

• range —range

packet-length bytes

(Optional) Sets the maximum number of bytes of each packet to store in the capture buffer.

persit

(Optional) Captures persistent packets on cluter units.

raw-data

(Optional) Captures inbound and outbound packets on one or more interfaces.

stop

Stop the packet capture without removing it. Use the no form of the command with this option to restart the capture.

trace trace_count

(Optional) Captures packet trace information, and the number of packets to capture. This option is used with an access list to insert trace packets into the data path to determine whether or not the packet has been processed as expected.

type

(Optional) Specifies the type of data captured.

domain

Specifies the domain where traffic is captured:

• 0—br1, captures traffic from the management interface

• 1—Router, captures traffic from the configured data interfaces

-A

Prints each packet (minus its link level header) in ASCII. Handy for capturing web pages.

-B

Sets the operating system capture buffer size to buffer_size.

-c

Exits after receiving count packets.

-C

Before writing a raw packet to a savefile, checks whether the file is currently larger than file_size and, if so, close the current savefile and open a new one. Savefiles after the first savefile will have the name specified with the -w flag, with a number after it, starting at 1 and continuing upward. The units of file_size are millions of bytes (1,000,000 bytes, not 1,048,576 bytes).

-d

Dumps the compiled packet-matching code in a human readable form to standard output and stop.

-dd

Dumps packet-matching code as a C program fragment.

-ddd

Dumps packet-matching code as decimal numbers (preceded with a count).

-D

Prints the list of the network interfaces available on the system and on which tcpdump can capture packets. For each network interface, a number and an interface name, possibly followed by a text description of the interface, is printed. The interface name or the number can be supplied to the -i flag to specify an interface on which to capture.

This can be useful on systems that do not have a command to list them (Windows systems, or UNIX systems lacking ifconfig -a); the number can be useful on Windows 2000 and later systems, where the interface name is a somewhat complex string.

The -D flag will not be supported if tcpdump was built with an older version of libpcap that lacks the pcap_findaclldevs() function.

-e

Prints the link-level header on each dump line.

-E

Uses spi@ipaddr algo:secret for decrypting IPsec ESP packets that are addressed to addr and contain Security Parameter Index value spi. This combination may be repeated with comma or newline separation.

-f

Prints ‘foreign’ IPv4 addresses numerically rather than symbolically (this option is intended to get around serious brain damage in Sun's NIS server usually it hangs forever translating non-local internet numbers).

The test for ‘foreign’ IPv4 addresses is done using the IPv4 address and netmask of the interface on which capture is being done.

If that address or netmask are not available, available, either because the interface on which capture is being done has no address or netmask or because the capture is being done on the Linux 'any' interface, which can capture on more than one interface, this option will not work correctly.

-F

Uses file as input for the filter expression. An additional expression given on the command line is ignored.

-G

If specified, rotates the dump file specified with the -w option every rotate_seconds seconds.

Savefiles will have the name specified by -w which should include a time format as defined by strftime(3). If no time format is specified, each new file will overwrite the previous.

If used in conjunction with the -C option, filenames will take the form of ‘file<count>’.

-I

Puts the interface in ‘monitor mode’; this is supported only on IEEE 802.11 Wi-Fi interfaces, and supported only on some operating systems.

-K

Does not attempt to verify TCP checksums.

This is useful for interfaces that perform the TCP checksum calculation in hardware; otherwise, all outgoing TCP checksums will be flagged as bad.

-l

Makes stdout line buffered. Useful if you want to see the data while capturing it. Example, ‘‘tcpdump -l | tee dat” or “tcpdump -l > dat & tail -f dat”.

-L

Lists the known data link types for the interface and exit.

-m

Loads SMI MIB module definitions from file module.

This option can be used several times to load several MIB modules into tcpdump.

-M

Uses secret as a shared secret for validating the digests found in TCP segments with the TCP-MD5 option (RFC 2385), if present.

-n

Does not convert addresses (i.e., host addresses, port numbers, etc.) to names.

-N

Does not print domain name qualification of host names.

Example, if you give this flag then tcpdump will print “nic” instead of “nic.ddn.mil”.

-O

Does not run the packet-matching code optimizer. This is useful only if you suspect a bug in the optimizer.

-p

Does not put the interface into promiscuous mode. Note that the interface might be in promiscuous mode for some other reason; hence, `-p' cannot be used as an abbreviation for `ether host {local-hw-addr} or ether broadcast'.

-q

Quick output. Prints less protocol information so output lines are shorter.

-R

Assumes ESP/AH packets to be based on old specification (RFC1825 to RFC1829). If specified, tcpdump will not print replay prevention field.

Because there is no protocol version field in ESP/AH specification, tcpdump cannot deduce the version of ESP/AH protocol.

-r

Reads packets from file (which was created with the -w option). Standard input is used if file is “-”.

-S

Prints absolute, rather than relative, TCP sequence numbers.

-s

Snarfs snaplen bytes of data from each packet rather than the default of 68 (with SunOS’s NIT, the minimum is actually 96). 68 bytes is adequate for IP, ICMP, TCP, and UDP but may truncate protocol information from name server and NFS packets (see below). Packets truncated because of a limited snapshot are indicated in the output with “[|proto]”, where proto is the name of the protocol level at which the truncation has occurred.

Note that taking larger snapshots both increases the amount of time it takes to process packets and, effectively, decreases the amount of packet buffering. This may cause packets to be lost. You should limit snaplen to the smallest number that will capture the protocol information you're interested in. Setting snaplen to 0 means use the required length to catch whole packets.

-T

Forces packets selected by ‘expression’ to be interpreted the specified type. Currently known types are aodv (Ad-hoc On-demand Distance Vector protocol), cnfp (Cisco NetFlow protocol), rpc (Remote Procedure Call), rtp (Real-Time Applications protocol), rtcp (Real-Time Applications control protocol), snmp (Simple Network Management Protocol), tftp (Trivial File Transfer Protocol), vat (Visual Audio Tool), and wb (distributed White Board).

-t

Does not print a timestamp on each dump line.

-tt

Prints an unformatted timestamp on each dump line.

-ttt

Prints a delta (micro-second resolution) between current and previous line on each dump line.

-tttt

Prints a timestamp in default format proceeded by date on each dump line.

-ttttt

Prints a delta (micro-second resolution) between current and first line on each dump line.

-u

Prints undecoded NFS handles.

-U

Makes output saved via the -w option “packet-buffered”; i.e., as each packet is saved, it will be written to the output file, rather than being written only when the output buffer fills.

The -U flag will not be supported if tcpdump was built with an older version of libpcap that lacks the pcap_dump_flush() function.

-v

When parsing and printing, produces (slightly more) verbose output. For example, the time to live, identification, total length and options in an IP packet are printed. Also enables additional packet integrity checks such as verifying the IP and ICMP header checksum.

When writing to a file with the -w option, report, every 10 seconds, the number of packets captured.

-vv

Even more verbose output. For example, additional fields are printed from NFS reply packets, and SMB packets are fully decoded.

-vvv

Even more verbose output. For example, telnet SB... SE options are printed in full. With -X Telnet options are printed in hex as well.

-w

Write the raw packets to file rather than parsing and printing them out. They can later be printed with the -r option. Standard output is used if file is “-”.

-W

Used in conjunction with the -C option, this will limit the number of files created to the specified number, and begin over writing files from the beginning, thus creating a ‘rotating’ buffer. In addition, it will name the files with enough leading 0s to support the maximum number of files, allowing them to sort correctly.

-x

When parsing and printing, in addition to printing the headers of each packet, prints the data of each packet (minus its link level header) in hex. The smaller of the entire packet or snaplen bytes will be printed. Note that this is the entire link-layer packet, so for link layers that pad (e.g. Ethernet), the padding bytes will also be printed when the higher layer packet is shorter than the required padding.

-xx

When parsing and printing, in addition to printing the headers of each packet, prints the data of each packet, including its link level header, in hex.

-X

When parsing and printing, in addition to printing the headers of each packet, print the data of each packet (minus its link level header) in hex and ASCII.

This is very handy for analyzing new protocols.

-XX

When parsing and printing, in addition to printing the headers of each packet, prints the data of each packet, including its link level header, in hex and ASCII.

-y

Sets the data link type to use while capturing packets to datalinktype.

-Z

Drops privileges (if root) and changes user ID to user and the group ID to the primary group of user.

id

Name of an access list.

statistics

Clears ARP statistics.

interface_name

Clears statistics for the specified interface.

access-list acl_name

Clears the hit counters only for a specified access list.

arp

Clears the hits counters in ASP ARP tables only.

classify

Clears the hits counters in ASP classify tables only

cluster counter

Clears cluster counters.

counters

Clears the data-path inspection Snort counters.

dispatch

Clears dispatch statistics.

event

Clears data-path to control-plane event statistics.

filter

Clears the hits counters in ASP filter tables only

flow

Clears the dropped flow statistics.

frame

Clears the dropped frame/packet statistics.

inspect-dp ack-passthrough

Clears counters for empty TCP ACK packets that bypassed Snort inspection.

inspect-dp egress-optimization

Clears egress optimization statistics.

inspect-dp snort

Clears data-path inspection Snort statistics.

instance number

Clears the counters by instance ID.

load-balance history

Clears the history of ASP load balancing per packet and reset the number of times an automatic switch occurred

network-object

(Optional) Clears the hits counters in ASP network object tables only. These tables are used when object group search is enabled.

overhead

Clears all ASP multiprocessor overhead statistics.

packet-profile

Clears packet profile statistics.

queue number

Clears the counters by instance ID and queue ID.

queue-exhaustion

Clears the data-path inspection Snort queue snapshot.

snapshot number

Clears the queue exhaustion by snapshot ID.

table

Clears the hit counters in ASP ARP tables and ASP classify tables.

*

Specifies that all current BGP sessions will be reset.

as_number

(Optional) Number of the autonomous system in which all BGP peer sessions will be reset.

external

Specifies that all external BGP sessions will be reset.

in

(Optional) Initiates inbound reconfiguration. If neither the in nor out keywords are specified, both inbound and outbound sessions are reset.

ipv4 unicast

Resets BGP connections using hard or soft econfiguration for IPv4 address family sessions.

ipv6 unicast

Resets BGP connections using hard or soft econfiguration for IPv6 address family sessions.

neighbor_address

(Optional) Specifies that only the identified BGP neighbor will be reset. The value for this argument can be an IPv4 or IPv6 address.

out

(Optional) Initiates inbound or outbound reconfiguration. If neither the in nor out keywords are specified, both inbound and outbound sessions are reset.

soft

(Optional) Clears slow-peer status forcefully, and moves it to original update group.

table-map

Clears table-map configuration information in BGP routing tables. This command can be used to clear traffic-index information configured with the BGP Policy Accounting feature.

core-local [number]

(Optional) Clears system buffers queued by application for all cores, or if you specify the core number, a specific core.

exhaustion

(Optional) Clears the exhaustion condition.

export-failed

(Optional) Clears the export failed counters.

history

(Optional) Clears the history.

queue

(Optional) Clears queued blocks.

snapshot

(Optional) Clears the snapshot information.

/all

Clears packets on all interfaces.

capture_name

Specifies the name of the packet capture.

is-neighbors

Clears intermediate-system neighbor routes.

neighbors

Clears all CLNS neighbor routes.

traffic

Clears CLNS protocol statistics.

flow-mobility counters

Clears the cluster flow-mobility counters.

health details

Clears cluster health information.

trace

Clears cluster event trace information.

transport

Clears cluster transport statistics.

address ip[-ip]

Clears connections with the specified source or destination IP address (IPv4 or IPv6). To specify a range, separate the IP addresses with a dash (-). For example: 10.1.1.1-10.1.1.5

all

Clears all connections, including to-the-box connections. Without the all keyword, only through-the-box connections are cleared.

inline-set name

Clears connections that match the specified inline set.

netmask mask

(Optional) Specifies a subnet mask for use with the given IP address.

port port[-port]

Clears connections with the specified source or destination port. To specify a range, separate the port numbers with a dash (-). For example: 1000-2000

protocol {tcp | udp | sctp}

Clears connections with the specified protocol.

security-group {name | tag} attribute

Clears connections with the specified security group attribute.

user [domain_nickname\] user_name

Clears connections that belong to the specified user. When you do not include the domain_nickname argument, the system clears connections for the user in the default domain.

user-group [domain_nickname\\] user_group_name]

Clears connections that belong to the specified user group. When you do not include the domain_nickname argument, the system clears connections for the user group in the default domain.

zone [zone_name]

Clears connections that belong to a security zone.

[ vrf { name | global}]

If you enable virtual routing and forwarding (VRF), also known as virtual routers, you can limit the command to a specific virtual router using the vrf name keyword. Specify vrf global to limit the command to the global virtual router. If you omit this keyword, the command applies to all virtual routers.

data-rate

(Optional) Clears the current maximum data-rate stored.

all

(Optional) Clears all filter details.

counter_name

(Optional) Specifies a counter by name. Use the show counters protocol command to see available counter names.

detail

(Optional) Clears detailed counters information.

protocol protocol_name

(Optional) Clears the counters for the specified protocol.

summary

(Optional) Clears the counter summary.

threshold n

(Optional) Clears the counters at or above the specified threshold. The range is 1 through 4294967295.

top n

(Optional) Clears the counters at or above the specified threshold. The range is 1 through 4294967295.

module {0 | 1}

(Optional) Clears the crash file for a module in slot 0 or 1.

trustpoint trust_point_name

The name of a trustpoint. If you do not specify a name, this command clears all CRLs cached on the system. If you give the trustpoint keyword without a trustpointname, the command fails.

trustpool

Indicates that the action should be applied only to the CRLs that are associated with certificates in the trustpool.

noconfirm

Suppresses user confirmation prompts, and the command will be processed as requested.

sa ip_address

Clears the SA. To clear all IKEv1 SAs, use this option without specifying an IP address. Otherwise, specify the IPv4 or IPv6 address of the SA to clear.

stats

Clears the IKEv1 statistics.

sa ip_address

Clears the SA. To clear all IKEv2 SAs, use this option without specifying an IP address. Otherwise, specify the IPv4 or IPv6 address of the SA to clear.

stats

Clears the IKEv2 statistics.

ah

Authentication header.

counters

Clears all IPsec per SA statistics.

entry ip_address

Deletes the tunnel that matches the specified IP address/hostname, and protocol, and SPI value.

esp

Encryption security protocol.

inactive

Clears all inactive IPsec SAs.

map map_name

Deletes all tunnels associated with the specified crypto map as identified by map name.

peer ip_address

Deletes all IPsec SAs to a peer as identified by the specified hostname or IP address.

spi

Identifies the Security Parameters Index (a hexidecimal number). This must be the inbound SPI. We do not support this command for the outbound SPI.

sa

Clears IKEv1 and IKEv2 SAs.

stats

Clears IKEv1 and IKEv2 statistics.

protocol

Specifies the name of the protocol for which you want to clear statistics. Protocol choices are as follows:

• all —All protocols currently supported.

• ikev1 —Internet Key Exchange (IKE) version 1.

• ikev2 —Internet Key Exchange (IKE) version 2.

• ipsec —IP Security (IPsec) Phase-2 protocols.

• other —Reserved for new protocols.

• srtp —Secure RTP (SRTP) protocol

• ssh —Secure Shell (SSH) protocol

• ssl —Secure Socket Layer (SSL) protocol.

cache

Clears expired sessions in the SSL session cache.

all

(Optional) Clears all sessions and statistics in the SSL session cache.

errors

Clears SSL errors.

mib

Clears SSL MIB statistics.

objects

Clears SSL object statistics.

all

(Optional) Clears all dhcpd bindings.

binding

Clears all the client address bindings.

ip_address

(Optional) Clears the binding for the specified IP address.

statistics

Clears statistical information counters.

host fqdn_name

(Optional) Specifies the fully qualified domain name whose IP addresses you want to clear. If you do not specify a host, all DNS resolutions are cleared.

ipcache [ counters]

Clear all the entries from the IP cache obtained through DNS snooping, which is used in direct internet access policy-based routing.

Specify counters to simply reset all the hit counts for entries in the cache without deleting them.

IPv4_address

Clears the throttled elephant flow for the specified IPv4 address (5-tuple).

IPv6_address/prefix

Clears the throttled elephant flow for the specified IPv6 address.

all

Clears throttle and inspects all elephant flows.

bypass

(Optional) Clears throttle and bypasses Snort inspection for all elephant flows.

any

• Use as an abbreviation for source address and mask of 0.0.0.0 0.0.0.0 and ::/0

• Use for any source port or destination port.

source_port

Clears throttle for connections with the specified source port.

destination_port

Clears throttle for connections with the specified destination port.

tcp

Clears throttle for TCP connections only.

udp

Clears throttle for UDP connections only.

as_number

(Optional) Specifies the autonomous system number of the EIGRP process for which you are clearing the event log. Because the device only supports one EIGRP routing process, you do not need to specify the autonomous system number (process ID).

as_number

(Optional) Specifies the autonomous system number of the EIGRP process for which you are deleting neighbor entries. Because the device only supports one EIGRP routing process, you do not need to specify the autonomous system number (AS), which is the process ID.

if_name

(Optional) The name of an interface. Specifying an interface name removes all neighbor table entries that were learned through this interface.

ip_addr

(Optional) The IP address of the neighbor you want to remove from the neighbor table.

soft

Causes the device to resynchronize with the neighbor without resetting the adjacency.

as_number

(Optional) Specifies the autonomous system number of the EIGRP process. Because the device only supports one EIGRP routing process, you do not need to specify the autonomous system number (AS), which is the process ID.

ip_addr

The IP address to clear from the topology table.

mask

(Optional) The network mask to apply to the ip-addr argument.