I wanted to understand what the CR (Cyberoam) support guys use in the CLI when they run tcpdump. They check the packets and let us know the result. Here are some of the scenarios and commands I use for my own analysis.
1> To check the traffic to or from a particular IP (host matches the address as source or destination; use src host if you only want the packets it sends):
tcpdump "host <ipaddress>", for example tcpdump "host 192.168.1.1"
2> If you are only checking the ping traffic (the keyword icmp on its own also works):
tcpdump "host 192.168.1.1 and proto ICMP"
3> If you are looking for traffic from a particular host on a particular port:
tcpdump "host 192.168.1.1 and port 80"
4> You can get more creative. For example, you are already connected to the CR GUI on port 80 from IP 192.168.1.1 and you do not want that port 80 traffic in your dump:
tcpdump "host 192.168.1.1 and port !80"
(the same filter can also be written as "host 192.168.1.1 and not port 80")
5> If you want the whole packet in the dump, raise the snapshot length. Note that -s is a tcpdump option, not part of the filter expression, so it goes outside the quotes:
tcpdump -s 4096 "host 192.168.1.1"
6> In case of a virtual host:
a> Always run the tcpdump for the source. (Source for me here means: I am sitting in my office and my customer complained that his virtual host is not working. So when I hit his public IP on port 80 from my browser, I should see traffic with the source IP as my public IP and the destination as the customer's public IP.)
tcpdump "host 81.32.45.67 and port 80"
Also note that while you do this, take your own access to the Cyberoam over https and port 22 (ssh), so that your own admin session does not show up in the port 80 capture.
7> You can also use || (two pipes) for an or statement:
tcpdump "host 192.168.1.1 || host 192.168.1.2 || port 80"
8> You can use the same filter expressions in the GUI as well to check whether packets are being dropped:
System -> Diagnostics -> Packet Capture
Enter the filter (the part inside the double quotes) and it should filter the traffic.
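Once the capture from scenario 6 is taken, you still have to read the lines by eye. The following is an added example (not from this post or from Cyberoam) that parses tcpdump -n text lines and reports whether the client's SYN reached the box and whether a SYN-ACK came back; the sample lines and the customer public IP 203.0.113.10 are constructed, and the parser assumes the standard tcpdump text output format.

```python
import re

# Constructed "tcpdump -n" lines (made up for this example, not a real Cyberoam capture):
# office public IP 81.32.45.67 hitting the customer's public IP 203.0.113.10 (placeholder).
SAMPLE_DUMP = """\
10:15:01.100001 IP 81.32.45.67.51234 > 203.0.113.10.80: Flags [S], seq 1, win 64240, length 0
10:15:01.100250 IP 203.0.113.10.80 > 81.32.45.67.51234: Flags [S.], seq 2, ack 2, win 29200, length 0
10:15:02.300000 IP 81.32.45.67.51235 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
10:15:03.000000 IP 192.168.1.1 > 203.0.113.10: ICMP echo request, id 7, seq 1, length 64
"""

# One line: timestamp IP src[.sport] > dst[.dport]: rest-of-line
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)
FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")

def parse_line(line):
    """Return src/sport/dst/dport/flags for one tcpdump line, or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    flags = FLAGS_RE.search(m.group("rest"))
    return {
        "src": m.group("src"),
        "sport": int(m.group("sport")) if m.group("sport") else None,
        "dst": m.group("dst"),
        "dport": int(m.group("dport")) if m.group("dport") else None,
        "flags": flags.group(1) if flags else None,  # None for ICMP/UDP lines
    }

def check_virtual_host(dump_text, client_ip, public_ip, port=80):
    """Count client SYNs to public_ip:port and SYN-ACKs back, and say what that means."""
    syn = synack = 0
    for line in dump_text.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        if (p["src"], p["dst"], p["dport"], p["flags"]) == (client_ip, public_ip, port, "S"):
            syn += 1
        elif (p["src"], p["sport"], p["dst"], p["flags"]) == (public_ip, port, client_ip, "S."):
            synack += 1
    if syn == 0:
        verdict = "no SYN from the client: traffic never reached the Cyberoam, or the filter is wrong"
    elif synack == 0:
        verdict = "SYN seen but no SYN-ACK: dropped by a firewall rule or the virtual host, or the server is silent"
    else:
        verdict = "handshake seen: the virtual host forwards and the server answers"
    return {"syn": syn, "synack": synack, "verdict": verdict}
```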