Sensor ports are in SPAN/TAP mode.
I think I have Packet Capture set up correctly, but when I download the PCAP file, I only see one side of the TCP connection - the one with 10.9.5.10 as the source IP. I don't see the return traffic, or inbound traffic where 10.9.5.10 is the destination IP.
So my (abbreviated) PCAP looks something like:
1 10.9.5.10->18.104.22.168 [SYN]
2 10.9.5.10->22.214.171.124 [ACK]
I never see the 126.96.36.199's [SYN,ACK] or any return traffic.
Is this something to do with being in SPAN/TAP on the sensor and direction is indeterminate? I really need to get both sides to do troubleshooting.
Here's an example of the defined rule.
|Monitoring Port||Traffic||Protocol||IP Version||Fragments Only?||Source IP||Source Mask||Source Port||Destination IP||Destination Mask||Destination Port||Vlan ID||Protocol Number|
Just to be sure about it, don't you have an asymmetric routing scenario? Are you sure that returning traffic is passing through the IPS Appliance?
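A way to tell from the capture itself whether return traffic exists but is missing from the PCAP, as an added example that is not part of the original thread: it groups packets into conversations and labels the one-sided ones. The packet tuples are constructed sample data (198.51.100.7 and 203.0.113.9 are documentation addresses), and the function and label names are hypothetical.

```python
from collections import defaultdict

REPLY_PATH_MISSED = "one-sided, but the sender is ACKing: replies exist and were not captured"
NO_REPLY_SEEN = "one-sided, no evidence the peer ever answered"
BOTH_SEEN = "both directions captured"

# Constructed sample: (src, sport, dst, dport, tcp_flags) per captured packet.
SAMPLE = [
    ("10.9.5.10", 40001, "198.51.100.7", 443, "S"),
    ("10.9.5.10", 40001, "198.51.100.7", 443, "A"),   # ACK of a SYN,ACK that is not in the file
    ("10.9.5.10", 40002, "203.0.113.9", 80, "S"),
    ("10.9.5.10", 40002, "203.0.113.9", 80, "S"),     # SYN retransmission, nothing came back
    ("10.9.5.10", 40003, "198.51.100.7", 22, "S"),
    ("198.51.100.7", 22, "10.9.5.10", 40003, "SA"),
    ("10.9.5.10", 40003, "198.51.100.7", 22, "A"),
]

def classify_flows(packets):
    """Label each TCP conversation by which directions appear in the capture."""
    flows = defaultdict(lambda: defaultdict(list))
    for src, sport, dst, dport, flags in packets:
        sender, receiver = (src, sport), (dst, dport)
        key = tuple(sorted([sender, receiver]))   # same key for both directions
        flows[key][sender].append(flags)
    labels = {}
    for key, directions in flows.items():
        if len(directions) == 2:
            labels[key] = BOTH_SEEN
            continue
        seen_flags = next(iter(directions.values()))
        # An ACK bit from the only visible side means it received something
        # from the peer, so the reply path exists outside this capture.
        if any("A" in f for f in seen_flags):
            labels[key] = REPLY_PATH_MISSED
        else:
            labels[key] = NO_REPLY_SEEN
    return labels

if __name__ == "__main__":
    for (a, b), label in classify_flows(SAMPLE).items():
        print(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}  {label}")
```

A SYN followed by an ACK from 10.9.5.10 with no SYN,ACK in between, as in the abbreviated PCAP in the question, falls under the first label: the handshake completed, so the replies were on the wire somewhere the capture did not include.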