Screen OS

  • 1.  ISG1000 debug&snoop questions

    Posted 05-06-2011 05:17

    ISG1000 handles packets through ASIC.

    This means that the debug will capture only the first packet and it will not capture the rest of the flow?

    Regarding the snoop, is it the same case as above?

    Is there any exception for that (ICMP, ...)?

    If I use the command no-hw-sess at the policy level, will it cause the snoop and debug to capture all packets?

    What about IPSec VPN traffic, does the above apply to it (I mean no-hw-sess)?



  • 2.  RE: ISG1000 debug&snoop questions

    Posted 05-06-2011 11:30

    This KB article has a good overview of debug vs. snoop.

    Snoop is more of a "packet capture" while debug is a "follow the packet and see how it moves through the system."

    This other KB article describes exactly what you brought up -- first packet hits the CPU and after the session is created the traffic is forwarded in hardware (ASIC).  no-hw-sess says "don't use hardware sessions, run everything through the CPU" so that your debug/snoop will show every packet as they pass.  Keep in mind that's going to send all the traffic that matches the policy you're testing to the CPU, so only use that option for testing and then take it off, otherwise you could start putting a hurt on your CPU.
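    The workflow that reply describes (narrow the filters, push one policy's sessions to the CPU, capture with debug and snoop, then revert), written out as an added ScreenOS CLI session. This is not part of the original thread or a Juniper KB article. The prompt name, policy id 10 and the two host addresses 10.1.1.10 and 10.2.2.20 are constructed for illustration; the `no-hw-sess` policy keyword and the other commands are given as recalled from the ScreenOS CLI reference, so verify them against `get policy id 10` and the release notes for your version (a later reply notes the option is release dependent). ScreenOS has no comment syntax, so the `#` lines are annotations, not commands.

```text
# 1. Scope the capture first so only the test flow reaches the debug buffer.
#    Hosts 10.1.1.10 and 10.2.2.20 and policy id 10 are constructed for this example.
isg1000-> get policy id 10
isg1000-> set ffilter src-ip 10.1.1.10 dst-ip 10.2.2.20
isg1000-> snoop filter ip src-ip 10.1.1.10 dst-ip 10.2.2.20

# 2. Force this one policy's sessions through the CPU, so every packet of the
#    flow, not only the session-creating first packet, is visible to debug and snoop.
isg1000-> set policy id 10 no-hw-sess

# 3. Capture. "debug flow basic" records the packet's path through the box;
#    snoop records the packets themselves. Both land in the debug buffer.
isg1000-> clear dbuf
isg1000-> set console dbuf
isg1000-> debug flow basic
isg1000-> snoop
#    ... generate the test traffic from 10.1.1.10 now ...
isg1000-> snoop off
isg1000-> undebug all
isg1000-> get dbuf stream

# 4. Revert as soon as the capture is in hand: the policy goes back to the ASIC,
#    the filters are removed, and CPU load is checked so nothing was left behind.
isg1000-> unset policy id 10 no-hw-sess
isg1000-> unset ffilter
isg1000-> snoop filter delete
isg1000-> get performance cpu
```

    The order matters for the reason the reply gives: the filters are set before `no-hw-sess` so that the CPU only sees the one flow under test, and the revert block is run in the same session rather than left for later, because a forgotten `no-hw-sess` keeps sending the whole policy's traffic to the CPU long after the debugging is done.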

     



  • 3.  RE: ISG1000 debug&snoop questions

    Posted 05-07-2011 03:53

    Thanks

    If I use the command "no-hw-sess" with policy based VPN, will I be able to snoop and debug VPN traffic?




  • 4.  RE: ISG1000 debug&snoop questions
    Best Answer

    Posted 05-07-2011 22:28

    I've done debugs and snoops on VPN traffic without needing no-hw-sess before, because usually knowing if the first packets are taking the proper paths is enough to diagnose situations we've run into.  If you need to see all the packets for every flow, I would imagine that using no-hw-sess would allow you to see more in-depth analysis.



  • 5.  RE: ISG1000 debug&snoop questions

    Posted 05-13-2011 01:17

    Thanks



  • 6.  RE: ISG1000 debug&snoop questions

    Posted 06-01-2011 15:14

    As far as I know / can remember, the no-hw-session for ISG 1000 / 2000 is only supported in ScreenOS > 6.3.
    It should be documented in the Release Notes for 6.3, if I'm not wrong.

    Take care of snoop :)

    Regards