Cisco
Login
Search
Software Secure Firewall Threat Defense
Platform Secure Firewall Threat Defense Virtual
Activity Onboard

Health and Monitoring Troubleshooting Advanced Troubleshooting for the Secure Firewall Threat Defense Device Packet Tracer Overview Use the Packet Tracer

Last updated: Jul 29, 2025

Use the Packet Tracer

To use a packet tracer on Secure Firewall Threat Defense devices, you must be an Admin or Maintenance user.

Procedure

1

On the Firewall Management Center, choose Devices > Troubleshoot > Packet Tracer.
2

From the Select Device drop-down, choose the device on which you want to run the trace.
3

Choose Use Protocol to do the configuration manually, or Upload or Edit a PCAP file to upload a packet capture (PCAP) file.
4

If you choose to upload a PCAP file, do the following:

  1. Click the Upload or Edit a PCAP file drop-down and choose Upload a PCAP file option. If you want to use a recently uploaded file, click the file from the list.


     

    • Only .pcap and .pcapng file formats are supported.

    • The file can contain up to 100 packets from the same Ethernet connection, or from the same single VLAN encapsulated TCP or UDP connection.

    • Multi-flow PCAP files are not supported. Upload only single flow PCAP file.

  2. If you choose to upload a PCAP file, drag and drop the PCAP file into the Upload PCAP dialog box or click to browse to locate the PCAP file. After you select the file, the upload process starts automatically.


     

    • After you upload the configuration, the Protocol, Source Type, and Destination Type fields are dimmed, and it cannot be edited.

    • To make changes to these fields, you must upload a new PCAP file.

    • You can edit the source and destination IP addresses, source and destination ports, VLAN ID, destination MAC address (for a firewall in transparent mode), and the PCAP file name.

  3. Go to Step 7.
5

If you choose to do a manual configuration, do the following:

  1. From the Ingress Interface drop-down, choose the ingress interface for the packet trace.


     

    Do not select VTI. VTI as ingress interface is not supported for packet tracer.

  2. To define the trace parameters, from the Protocol drop-down menu, select the packet type for the trace, and specify the protocol characteristics:

    • ICMP—Enter the ICMP type, ICMP code (0-255), and optionally, the ICMP identifier.

    • TCP/UDP/SCTP—Enter the source and destination port numbers.

    • GRE/IPIP—Enter the protocol number, 0-255.

    • ESP—Enter the Security Parameter Index (SPI) value for Source, 0-4294967295.

    • RAWIP—Enter the port number, 0-255.

  3. Select the Source Type for the packet trace, and enter the source IP address.

    Source and destination types include IPv4, IPv6, and fully-qualified domain names (FQDN). You can specify IPv4 or IPv6 addresses and FQDN, if you use Cisco TrustSec.

  4. Select the Source Port for the packet trace.

  5. Select the Destination Type for the packet trace, and enter the destination IP address.

    Destination type options vary depending on the source type that you select.

  6. Select the Destination Port for the packet trace.

  7. If you want packet tracer to enter a parent interface, which is later redirected to a sub-interface, enter a VLAN ID.

    This value is optional for non-sub-interfaces only, since all the interface types can be configured on a sub-interface.

  8. Specify a Destination MAC Address for the packet trace.

    If the Secure Firewall Threat Defense device is running in transparent firewall mode, and the ingress interface is VTEP, Destination MAC Address is required if you enter a value in VLAN ID. Whereas if the interface is a bridge group member, Destination MAC Address is optional if you enter a VLAN ID value, but required if you do not enter a VLAN ID value.

    If the Secure Firewall Threat Defense is running in routed firewall mode, VLAN ID and Destination MAC Address are optional if the input interface is a bridge group member.

  9. (Optional) If you want the packet-tracer to ignore the security checks on the simulated packet, click Bypass all security checks for simulated packet. This enables packet-tracer to continue with tracing of packet through the system which, otherwise would have been dropped.

  10. (Optional) To allow the packet to be sent out through the egress interface from the device, click Allow simulated packet to transmit from device.

  11. (Optional) If you want the packet-tracer to consider the injected packet as an IPsec/SSL VPN decrypted packet, click Treat simulated packet as IPsec/SSL VPN decrypt.
6

To use a PCAP replay in the packet-tracer, do the following:

  1. Click Select a PCAP File.

  2. To upload a new PCAP file, click Upload a PCAP file. To reuse a recently uploaded file, click the file from the list.


     

    Only .pcap and .pcapng file formats are supported. The PCAP file can contain only a single TCP/UDP based flow with a maximum of 100 packets. The maximum character limit on the PCAP file name (including the file formats) is 64.

  3. In the Upload PCAP box, you can either drag a PCAP file or click in the box to browse and upload the file. On selecting the file, the upload process starts automatically.
7

Click Trace.
8

(Optional) If you want to modify any values, ensure you click Save PCAP and save the values before proceeding with the trace.
9

(Optional) If you do not save the modified values of the PCAP file and click Trace, the Unsaved PCAP changes dialog box is displayed, which prompts you to save the file.

  1. Check the Save PCAP file check box.

  2. Enter a name for the PCAP file in the Name field.

  3. Click Save and Trace to save the changes and proceed with packet trace.


 

The PCAP file name changes to the name entered in the Name field.
10

You can track the status of trace on Events & Logs > Analysis > Audit Logs window. The following operations can be tracked:

  • Save a PCAP file

  • Upload a PCAP file

  • Details of the packet trace

The Trace Result displays the results for each phase that the PCAP packets has traveled through the system. Click on the individual packet to view the traces results for the packet. You can do the following:

  • Copy (Copycopy icon) the trace results to clipboard.

  • Expand or collapse (Expand or collapseexpand or collapse icon) the displayed results.

  • Maximize (Maximizemaximize icon) the trace result screen.

The time elapsed information that is useful to gauge the processing efforts are displayed for each phase. The total time that is taken for the entire flow of packets flowing from an ingress to an egress interface is also displayed in the results section.

The Trace History pane displays the stored trace details for each PCAP trace. It can store up to 100 packet traces. You can select a saved trace and run the packet trace activity again. You can do the following:

  • Search for a trace using any of the trace parameters.

  • Disable saving of the trace to history using the Sliderslider enabled icon button.

  • Delete specific trace results.

  • Clear all the traces.

Previous topic Packet Tracer Overview Next topic CPU Profiler Overview