Using packet-tracer it is possible to trace the lifespan of a packet through the security appliance to see if it is behaving as expected.
packet-tracer input [src_int] protocol src_addr src_port dest_addr dest_port [detailed] [xml]
The packet-tracer command lets you do the following:
-Debug all packet drops in production network.
-Verify the configuration is working as intended.
-Show all rules applicable to a packet along with the CLI lines which caused the rule addition.
-Show a time line of packet changes in a data path.
-Inject tracer packets into the data path.
The packet-tracer command provides detailed information about the packets and how they are processed by the security appliance. In the instance that a command from the configuration did not cause the packet to drop, the packet-tracer command will provide information about the cause in an easily readable manner. For example if a packet was dropped because of an invalid header validation, a message is displayed that says, “packet dropped due to bad ip header (reason).”
To enable packet tracing from inside host 10.2.25.3 to external host 18.104.22.168 with detailed information, enter the following:
hostname# packet-tracer input inside tcp 10.2.25.3 www 22.214.171.124 aol detailed