packet capture


Firepower 8000 series sensor deployed in inline mode, and I want to capture a specific IP address from the sensor. I got an answer from support; they say it is not possible.

For example, IP address:

src: dst any and connection logging enabled.

Traffic matches the IP address and the sensor bypasses this IP address at the hardware level. It is OK.

My question is: how can I see connection information or a packet capture for this IP address?

Version is 5.4.x


Cisco Employee

Hello Zafer,

How are you doing? I will try to answer your question, but I am not sure I understand all the details required from your side, so feel free to ask additional questions.

In case you want to capture, on the sensor's CLI, only traffic that matches a specific IP address, you can apply the following filter to the capturing tool:

> system support capture-traffic
Please choose domain to capture traffic from:
  0 - eth0
  1 - in  (Interfaces s1p1, s1p2)
Selection? 1
NOTE: These changes will be lost the next time detection is reconfigured!
Please specify tcpdump options desired.
(or enter '?' for a list of supported options)
Options: src host
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on nfe0.1.22:nfe1.1.22:nfe2.1.22:nfe3.1.22, link-type EN10MB (Ethernet), capture size 96 bytes
18:02:00.868597 IP > ICMP echo request, id 62476, seq 101, length 64
18:02:01.869797 IP > ICMP echo request, id 62476, seq 102, length 64


Note: this filter will match only traffic that is initiated from the source IP address. If you don't care whether the host IP address is seen in the SRC or DST packet header field, then you can simply use the filter "host", and that would match traffic bi-directionally.

You can also write the matching filter output to a packet capture (.pcap) file. Here are some good examples of the packet capturing tool on Firepower devices:

But basically you can do much more: just look through the tcpdump BPF syntax and you can apply the same to system support capture-traffic, as in the background tcpdump would be running.

If you want to see connection information, you can log in to the FireSIGHT Management Center and review the Analysis -> Connection Events table, where you can edit the search and filter logs by Initiator IP address.

If I misunderstood your question in any way, please provide more details.

Best regards,

Veronika Klauzova
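An added example, not part of Veronika's answer or of Cisco's tooling: a small Python evaluator for the subset of tcpdump/BPF filter syntax discussed above, run against constructed packets, showing why "src host" is one-directional while plain "host" matches both directions and how "and"/"or" combine. The addresses are documentation placeholders, not values from the thread; parentheses and "not" are deliberately left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str           # "icmp", "tcp" or "udp"
    sport: int = 0
    dport: int = 0

def _match_primitive(tokens, pkt):
    """Evaluate one primitive: [src|dst] host ADDR, [src|dst] port N, or a protocol qualifier."""
    direction = tokens.pop(0) if tokens[0] in ("src", "dst") else None
    kind = tokens.pop(0)
    if kind == "host":
        addr = tokens.pop(0)
        if direction == "src":
            return pkt.src == addr
        if direction == "dst":
            return pkt.dst == addr
        return addr in (pkt.src, pkt.dst)   # plain "host": either direction
    if kind == "port":
        port = int(tokens.pop(0))
        if direction == "src":
            return pkt.sport == port
        if direction == "dst":
            return pkt.dport == port
        return port in (pkt.sport, pkt.dport)
    if kind in ("icmp", "tcp", "udp"):
        # "tcp port 443" style: the protocol name qualifies what follows it
        return pkt.proto == kind and (not tokens or _match_primitive(tokens, pkt))
    raise ValueError(f"unsupported primitive: {kind}")

def bpf_match(expr, pkt):
    """Match 'prim [and prim]... [or ...]'. As in BPF, 'and' binds tighter than 'or'."""
    return any(all(_match_primitive(term.split(), pkt) for term in clause.split(" and "))
               for clause in expr.split(" or "))

def filter_packets(expr, packets):
    """Return the packets the filter expression would let tcpdump print or write."""
    return [p for p in packets if bpf_match(expr, p)]

# Constructed sample traffic; 192.0.2.10 stands in for the host of interest.
SAMPLE = [
    Packet("192.0.2.10", "198.51.100.1", "icmp"),             # echo request out
    Packet("198.51.100.1", "192.0.2.10", "icmp"),             # echo reply back
    Packet("192.0.2.10", "198.51.100.1", "tcp", 51000, 443),
    Packet("203.0.113.7", "198.51.100.1", "tcp", 51001, 443),
]
```

With this sample, "src host 192.0.2.10" keeps only the two outbound packets, while "host 192.0.2.10" also keeps the echo reply coming back to the host.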


Hi Veronika,

My problem is the trust rule.

Support said it is not possible to log connections or take a packet capture of trusted traffic.

