
GUI TCPDUMP Parameters

Various times, I'm asked by McAfee Tech Support to create a tcpdump of the problem. Anyone know of any ways to capture only specific traffic from a user or URL site? I can't locate any articles on the parameters for this; if there is one, can someone send the link please.


1 Reply

Re: GUI TCPDUMP Parameters

Hi Carlos,

if you create tcpdumps for us from the GUI, please always specify at least "-i any -s 0" as the parameters. Behind those parameters you can apply any kind of tcpdump compatible filters. A list can be found for example on

Basically an "open" dump helps us most, because we can be sure that the data is actually in the trace and we can filter out everything that is not interesting. Otherwise a wrong filter can lead to a situation where the necessary information is (partly) not in the capture, and the engineer spends a lot of time analysing useless data.

To filter the communication for a single client, the simple filter


can be enough. As an alternative you can filter out all communication going to the Web Gateway port, by, for example

port 9090

or you filter all ports except one that you want to exclude (such as Web GUI port for example) by running

not port 4711

The thing is that when you filter out the Client IP only, you will have the Client <-> MWG traffic in the dump, but not the MWG <-> Internet traffic, which is a problem because many issues are caused by the data we get from the Internet. To filter that traffic you would need the public IP of the Web Server, such as

host or host

Which would then include the communication from Client to MWG and from MWG to server. Unfortunately many servers use various IP addresses and sometimes it is hard to get the IP, which makes the filter useless for Support. Additionally that filter would not include DNS for example, or communication to the Domain Controllers, which may be necessary for troubleshooting.

Actually if you know what data is exactly required you can build a filter with the PDF linked. If the root cause is unknown it would be beneficial to send a "wide open" tcpdump to support, not dropping any packets. In case there is data you do not want to share, maybe it makes sense to have a Non-Disclosure Agreement between McAfee and yourselves, or get a Test-Device (may be a VM) where you can replicate the issue, without confidential data going through.
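As an added illustration of the point made in the reply (this is example code, not part of the original post or of any McAfee tool), the script below models a handful of packets from one proxied page fetch and applies minimal equivalents of the tcpdump primitives mentioned above (host, port, not, or) to show which packets each filter would keep and which it would silently drop. All addresses and ports are constructed assumptions: client 10.0.0.25, Web Gateway (MWG) 10.0.0.1 listening on 9090 for proxying and 4711 for its GUI, web server 203.0.113.10, DNS server 10.0.0.53.

```python
"""Added example: which packets each tcpdump filter from the reply keeps.

The traffic sample and all addresses/ports are constructed assumptions,
not data from the original post.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    note: str  # human-readable label of the flow


# Hypothetical topology (assumption).
CLIENT = "10.0.0.25"
MWG = "10.0.0.1"
WEB_SERVER = "203.0.113.10"
DNS_SERVER = "10.0.0.53"
ADMIN = "10.0.0.99"
PROXY_PORT = 9090
GUI_PORT = 4711

# Constructed sample: one proxied fetch, the DNS lookup it triggers on the
# gateway, and an unrelated admin session to the MWG GUI.
TRAFFIC = [
    Packet(CLIENT, MWG, 51000, PROXY_PORT, "client -> MWG request"),
    Packet(MWG, CLIENT, PROXY_PORT, 51000, "MWG -> client response"),
    Packet(MWG, DNS_SERVER, 40000, 53, "MWG -> DNS query"),
    Packet(DNS_SERVER, MWG, 53, 40000, "DNS -> MWG answer"),
    Packet(MWG, WEB_SERVER, 40001, 443, "MWG -> web server"),
    Packet(WEB_SERVER, MWG, 443, 40001, "web server -> MWG"),
    Packet(ADMIN, MWG, 52000, GUI_PORT, "admin -> MWG GUI"),
]

Predicate = Callable[[Packet], bool]


# Minimal stand-ins for the BPF primitives used in the reply.
def host(addr: str) -> Predicate:
    """'host A' matches packets with A as source or destination."""
    return lambda p: addr in (p.src, p.dst)


def port(number: int) -> Predicate:
    """'port N' matches packets with N as source or destination port."""
    return lambda p: number in (p.sport, p.dport)


def not_(f: Predicate) -> Predicate:
    return lambda p: not f(p)


def or_(*fs: Predicate) -> Predicate:
    return lambda p: any(f(p) for f in fs)


# The filter expressions discussed in the reply, keyed by their tcpdump text.
FILTERS = {
    "host 10.0.0.25": host(CLIENT),
    "port 9090": port(PROXY_PORT),
    "not port 4711": not_(port(GUI_PORT)),
    "host 10.0.0.25 or host 203.0.113.10": or_(host(CLIENT), host(WEB_SERVER)),
}


def kept(filter_name: str, traffic=TRAFFIC) -> list[str]:
    """Labels of the packets the named filter would write to the capture."""
    pred = FILTERS[filter_name]
    return [p.note for p in traffic if pred(p)]


def dropped(filter_name: str, traffic=TRAFFIC) -> list[str]:
    """Labels of the packets the same filter would discard (the support-relevant gap)."""
    pred = FILTERS[filter_name]
    return [p.note for p in traffic if not pred(p)]


def tcpdump_command(filter_expr: str = "") -> str:
    """Command line using the flags the reply asks for, with the filter appended."""
    return f"tcpdump -i any -s 0 -w capture.pcap {filter_expr}".rstrip()


if __name__ == "__main__":
    for name in FILTERS:
        print(tcpdump_command(name))
        print("  kept:   ", kept(name))
        print("  dropped:", dropped(name))
```

Running it shows the reply's argument in miniature: `host 10.0.0.25` keeps only the two client <-> MWG packets and drops the MWG <-> web server leg as well as the DNS exchange, `port 9090` behaves the same way, `not port 4711` drops only the GUI session and keeps everything else, and even `host <client> or host <server>` still loses the DNS traffic, which is why an unfiltered `-i any -s 0` capture is what Support prefers when the root cause is unknown.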
