06-01-2010 11:49 PM
Dear all,
Can anyone suggest to me the best way to capture a traffic log file from any source address to any destination address?
I have an SSG140, and I want to capture a log file from my mail server to any WAN IP address.
Thank you.
06-02-2010 04:06 AM
You probably already have a policy for public access to this server, so just turn on the logging option for that policy. The logs will then appear on the policy screen or under reports.
If you need to save them for review, you will need to set up a syslog server and then configure that log to ship to the syslog server.
06-02-2010 11:27 PM
Thanks for the reply,
Yeah, I have already enabled the log report on the relevant policy. My concern was to snoop the packets which are going from my mail server to the WAN, via the CLI.
Thank you.
06-03-2010 03:53 AM
If you want to capture live traffic, then debug flow is the CLI tool.
Set a filter for your mail server:
set ffilter src-ip x.x.x.x
Clear previous data
clear db
start the capture
debug flow basic
Read data to screen
get db str
Clean up
unset ffilter
clear db
06-03-2010 04:36 AM
Thanks for the reply.
I have captured the traffic log file, but when I want to analyze the log file in Wireshark, an error appears saying that Wireshark didn't understand the file format...
What may be the reason?
Thank you.
06-03-2010 05:36 AM
Hi,
Wireshark will probably be able to interpret the "debug flow all" output but not the one from "debug flow basic".
I would recommend to use this:
"Use the mirror commands to mirror all traffic for at least one source interface to a destination interface. This command is useful for debugging and monitoring network traffic. For example, you can connect a sniffer to a destination interface to monitor traffic passing through multiple source interfaces." (ScreenOS Reference Guide: IPv4 Command Descriptions)
Kind regards,
Edouard
06-03-2010 10:53 PM
Thanks for the reply.
But the mirror command is unknown in my SSG140.
06-04-2010 02:43 AM - edited 06-04-2010 02:48 AM
Hi Issn,
You can use the below to capture traffic on your firewall
undebug all
clear db
set console dbuf
snoop detail                                  (only available for root; "netscreen" by default)
snoop detail len 1514
snoop filter ip src-ip X.X.X.X dst-ip Y.Y.Y.Y
snoop                                         (then initiate the traffic and wait a few seconds)
Stop the capture with <ESC>.
Display the output with the command "get dbuf stream".
You can save the output directly to a TFTP server with the command
"get dbuf stream > tftp <host> <filename>"
You can read that file using Wireshark.
But if your target is only to see the traffic flow:
undebug all
clear debug
set ff src-ip X.X.X.X dst-ip Y.Y.Y.Y
debug flow basic                              (then initiate the traffic and wait a few seconds)
Press <ESC> to stop the debug.
get db st                                     (to see the debug output)
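The "Wireshark didn't understand the file format" problem from earlier in the thread comes from the fact that "get dbuf stream" produces text, not a capture file. The following is an added example, not code from this thread or from Juniper: a small Python converter that turns the saved dbuf text into a pcap file Wireshark opens natively. It assumes the "snoop detail" layout shown in the comments (one summary line per packet with timestamp, interface, direction, len=, source MAC -> destination MAC / EtherType, followed by indented lines of 16-bit hex words starting at the IP header), so the Ethernet header is rebuilt from the summary line; if a dump already begins with the destination MAC it is used as-is. Timestamps are treated as seconds since boot. The two packets in SAMPLE_DBUF are constructed for the demo (the second one mimics a frame truncated by the default snoop length, so pcap records it with a capture length smaller than its original length).

```python
import re
import struct
from dataclasses import dataclass
from typing import List, Optional

# ASSUMED layout of one packet in "snoop detail" text as printed by "get dbuf stream":
#   4127218.0: ethernet0/0(i) len=74:0018ba3d0dcd->0010dbff2000/0800
#                 4500 003c 0001 0000 ...        (hex words, IP header first)
SUMMARY_RE = re.compile(
    r"^\s*(?P<sec>\d+)\.(?P<frac>\d+):\s+(?P<iface>\S+)\((?P<dir>[io])\)\s+len=(?P<len>\d+):"
    r"(?P<src>[0-9a-f]{12})->(?P<dst>[0-9a-f]{12})/(?P<type>[0-9a-f]{4})\s*$",
    re.IGNORECASE,
)
HEX_RE = re.compile(r"^\s+(?:[0-9a-f]{4}\s*)+$", re.IGNORECASE)

PCAP_MAGIC = 0xA1B2C3D4     # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


@dataclass
class Frame:
    ts_sec: int
    ts_usec: int
    iface: str
    direction: str   # "i" = ingress, "o" = egress
    orig_len: int    # len= from the summary line (length on the wire)
    data: bytes      # captured bytes, Ethernet header first


def _finish(hdr: dict, words: List[str]) -> Frame:
    payload = bytes.fromhex("".join(words))
    dst, src, etype = (bytes.fromhex(hdr[k]) for k in ("dst", "src", "type"))
    # Rebuild the Ethernet II header unless the dump already starts with it.
    data = payload if payload[:6] == dst else dst + src + etype + payload
    orig_len = int(hdr["len"])
    if len(data) > orig_len:
        raise ValueError(f"{len(data)} dumped bytes exceed len={orig_len}")
    usec = int(hdr["frac"].ljust(6, "0")[:6])   # ".3" -> 300000 us
    return Frame(int(hdr["sec"]), usec, hdr["iface"], hdr["dir"], orig_len, data)


def parse_snoop(text: str) -> List[Frame]:
    """Parse snoop-detail text into frames; lines matching neither pattern are skipped."""
    frames: List[Frame] = []
    hdr: Optional[dict] = None
    words: List[str] = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            if hdr is not None:
                frames.append(_finish(hdr, words))
            hdr, words = m.groupdict(), []
        elif hdr is not None and HEX_RE.match(line):
            words.extend(line.split())
    if hdr is not None:
        frames.append(_finish(hdr, words))
    return frames


def to_pcap(frames: List[Frame]) -> bytes:
    """Serialise frames as a little-endian pcap file (global header + one record each)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for f in frames:
        out.append(struct.pack("<IIII", f.ts_sec, f.ts_usec, len(f.data), f.orig_len))
        out.append(f.data)
    return b"".join(out)


def ipv4_header_ok(frame: bytes) -> bool:
    """Verify the IPv4 header checksum of an Ethernet II frame: a cheap check that the
    Ethernet header was rebuilt at the right offset before trusting the pcap."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return False
    ihl = (frame[14] & 0x0F) * 4
    hdr = frame[14:14 + ihl]
    if ihl < 20 or len(hdr) < ihl:
        return False
    total = sum(struct.unpack(f"!{ihl // 2}H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF   # one's-complement sum over a valid header is all ones


# Constructed sample dbuf text (not a real capture): an ICMP echo request in full,
# then a 1514-byte frame of which only the first 32 bytes were dumped.
SAMPLE_DBUF = """\
4127218.0: ethernet0/0(i) len=74:0018ba3d0dcd->0010dbff2000/0800
              4500 003c 0001 0000 4001 f5a5 c0a8 0165
              c0a8 0265 0800 4a5c 0200 0100 6162 6364
              6566 6768 696a 6b6c 6d6e 6f70 7172 7374
              7576 7761 6263 6465 6667 6869
4127218.3: ethernet0/2(o) len=1514:0010dbff2000->001b21aa0f01/0800
              4500 05dc 1234 4000 4006 56da c0a8 0165
              0a00 0001 0019 c3a1 0000 0000 0000 0000
"""

if __name__ == "__main__":
    frames = parse_snoop(SAMPLE_DBUF)
    for f in frames:
        print(f"{f.iface}({f.direction}) captured {len(f.data)}/{f.orig_len} bytes, "
              f"ipv4 header ok={ipv4_header_ok(f.data)}")
    with open("snoop.pcap", "wb") as fh:
        fh.write(to_pcap(frames))
```

To use it on a real capture, replace SAMPLE_DBUF with the contents of the file saved by "get dbuf stream > tftp <host> <filename>" and open the resulting snoop.pcap in Wireshark. If the firmware prints the hex dump in a different layout than assumed here, adjust SUMMARY_RE and HEX_RE first; a failing ipv4_header_ok on every frame is the sign that the Ethernet header landed at the wrong offset.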