FMC/FTD 7.6 Exempting Traffic from Packet Capture

benweber (Level 1)

Is there a way to exempt traffic from a packet capture on an FTD firewall running version 7.6? My situation is that I need to know what an ID sensor that sits inside the network (at 172.31.11.224) is sending traffic to. The problem is that the firewall, which sits at 172.31.11.254, sends debugging-level syslogs to this same sensor, so I run into issues if I do this:

capture capin interface inside match ip host 172.31.11.224 any

When I do that my buffer immediately fills up with all of the syslog traffic and I can't capture what I'm looking for. On an ASA this was easy. I would just tie the capture to an ACL as follows:

access-list cap deny ip any4 host 172.31.11.254
access-list cap deny ip host 172.31.11.254 any4
access-list cap permit ip host 172.31.11.224 any4
access-list cap permit ip any4 host 172.31.11.224

capture cap access-list cap interface inside

That would have shown me exactly what I need: the 172.31.11.224 traffic without the syslogs from the firewall.

Is there a way to do the same on the FTDs? I've been told there is BPF syntax I can use, using the "and not" feature, but that doesn't show up in the context-sensitive help and errors out when I try the suggested syntax.

This is one of those things I find myself doing constantly (easily once or twice in any given week), so it's going to be a real problem if they've taken this functionality away.

Thanks!


8 Replies

balaji.bandi (Hall of Fame)

Not that I am aware, you can do on FTD/FMC

If you'd like, you can get into Shell and use TCPDUMP (a Linux command) if that works for you.

 

BB

=====Preenayamo Vasudevam=====


Thanks. I'll dig into that a little bit more. But as one of the other commenters mentioned I'm not sure that works for data plane traffic.

I got with Cisco today and it looks like you were on the right track. I had thought TCPDUMP would only capture management traffic but it turns out on the FTD there is a global option you can select that will capture dataplane traffic.

So like this:

> capture-traffic

Please choose domain to capture traffic from:
0 - management0
1 - Global

Selection? 1

Warning: Blanket capture may cause high CPU usage and reduced throughput, use selective filtering to reduce the impact.
Please specify tcpdump options desired.
(or enter '?' for a list of supported options)
Options:

Then you can use the Berkeley Packet Filter syntax like you would with TCPDUMP. And the -w <filename> option writes it to a file in /ngfw/var/common that you can pull down from the FMC and read with Wireshark.

See here:

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212474-working-with-firepower-threat-defense-f.html

I liked the old way better but at least this will work.

benweber (Level 1)

Thanks BB,

Do you know what the TCPDUMP syntax would be for something like that? I'm in a situation now where NTP isn't working, so I need to capture all NTP to and from a specific host. I can't just use the host IP because that host sends a ton of traffic other than NTP, so same problem. Would be a piece of cake with an access list.

Ben

You can still filter the capture per IPs, ports, and protocols. Example:

capture capin interface inside match tcp host 172.31.11.224 any eq 443

or

capture capin interface inside match udp host 172.31.11.224 any eq 123

@Aref Alsouqi's suggestion is the approach I would take.

The FMC GUI capture tool indeed has some limitations (advanced filtering as noted here, and also it cannot specify asp-drops), but if you use the LINA CLI ("system support diagnostic-cli" and then "en" without a password), you can use the same capture syntax that you had from the ASA days. If you want to save the capture offline, you can copy it to /ngfw/var/common and then download it from FMC for analysis in Wireshark or sharing with a colleague.

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-management-center-virtual/220334-download-files-on-ftd-devices-from-the-f.html#toc-hId-2046118293

If you use expert mode with tcpdump, I don't believe you can capture on the dataplane interfaces, only the management interface.

Right. I've been doing it from the CLI but that's where I run into the problem of not being able to exempt traffic. It's the sort of thing that comes up a lot when trying to figure out what a node needs for egress filtering, for example. One of the ways I often do that is write the ACL for all traffic and capture it. Then when I see that my node is talking to node X on the outside on port 3389, for example, I exempt that in the ACL. Then I see it talking to node Y for NTP, so I exempt that, and so on, until I'm not capturing anything. Then that ACL I've created for capturing is basically a list of what I need to open outbound and I can block everything else. I do that sort of thing all the time, so it's annoying there's no way to reference an ACL for captures now. I have a case open with Cisco but they're ghosting me.

Thanks for the reply though.
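The "and not" exclusion mentioned in the question is BPF syntax: the capture-traffic "Options:" prompt and tcpdump accept it, while the LINA "capture ... match" keyword does not. As an added example (not code from this thread or from Cisco), the Python helper below generates the BPF expression that mirrors the ASA capture ACL from the question, and also emits the per-service exemptions used in the iterative egress-allowlist method described above; the only addresses taken from the thread are 172.31.11.224 and 172.31.11.254, everything else is constructed.

```python
from collections import Counter

# Addresses from the thread: the ID sensor and the FTD inside interface that
# floods it with debug-level syslog.
SENSOR = "172.31.11.224"
FIREWALL = "172.31.11.254"

def bpf_filter(node, exempt_hosts=(), exempt_flows=()):
    """BPF expression for the capture-traffic 'Options:' prompt (or tcpdump):
    everything to/from `node`, minus whole peers listed in `exempt_hosts` and
    minus single services given as (peer, proto, port) in `exempt_flows`."""
    terms = [f"host {node}"]
    terms += [f"not host {h}" for h in exempt_hosts]
    terms += [f"not ({proto} and host {peer} and port {port})"
              for peer, proto, port in exempt_flows]
    return " and ".join(terms)

def acl_lines(name, node, exempt_hosts=(), exempt_flows=()):
    """ASA-style capture ACL with the same meaning: denies first, then the
    two permits for the node (for anyone still running LINA captures)."""
    out = []
    for h in exempt_hosts:
        out.append(f"access-list {name} deny ip any4 host {h}")
        out.append(f"access-list {name} deny ip host {h} any4")
    for peer, proto, port in exempt_flows:
        out.append(f"access-list {name} deny {proto} host {node} host {peer} eq {port}")
        out.append(f"access-list {name} deny {proto} host {peer} eq {port} host {node}")
    out.append(f"access-list {name} permit ip host {node} any4")
    out.append(f"access-list {name} permit ip any4 host {node}")
    return out

def next_exemptions(flows, node):
    """Turn one round of captured (src, dst, proto, dport) records into the
    (peer, proto, port) tuples to exempt next; repeating until the capture
    is empty leaves the node's outbound allow-list in `exempt_flows`."""
    seen = Counter((dst, proto, dport) for src, dst, proto, dport in flows
                   if src == node)
    return sorted(seen)

# Constructed sample of a first capture round: RDP and NTP from the sensor.
SAMPLE_FLOWS = [
    (SENSOR, "10.20.0.15", "tcp", 3389),
    (SENSOR, "10.20.0.15", "tcp", 3389),
    (SENSOR, "10.20.0.7", "udp", 123),
]
```

For the NTP-only case from the follow-up question the filter is the inverse shape, a single include term such as "udp port 123 and host 172.31.11.224". A blanket filter on the Global domain carries the CPU warning shown in the capture-traffic prompt above, so keep the exclusion list as tight as possible.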

Yeah, thanks. That helps some. Glad to know that's still there at least.
