topic unknown traffic pcaps just stopped happening one day around 2 weeks ago in Next-Generation Firewall Discussions https://live.paloaltonetworks.com/t5/next-generation-firewall/unknown-traffic-pcaps-just-stopped-happening-one-day-around-2/m-p/517972#M486 <P>I have a PA-460 that stopped doing pcaps for unknown traffic about two weeks ago.&nbsp; I played around with the application dump setting and I think I may have broken something:</P> <P>&nbsp;</P> <P>Application setting:<BR />Application cache : yes<BR />Supernode : yes<BR />Heuristics : yes<BR />Cache Threshold : 16<BR />Bypass when exceeds queue limit: no<BR />Traceroute appid : yes<BR />Traceroute TTL threshold : 30<BR />Use cache for appid : no<BR />Use simple appsigs for ident : yes<BR />Use AppID cache on SSL/SNI : no<BR />Unknown capture : on<BR />Max. unknown sessions : 5000<BR />Current unknown sessions : 0<BR />Application capture : off</P> <P>Current APPID Signature <BR />Memory Usage : 4736 KB (Actual 4398 KB)<BR />TCP 1 C2S : lscan db size 944448<BR />TCP 1 S2C : lscan db size 727736<BR />UDP 1 C2S : lscan db size 1086504<BR />UDP 1 S2C : lscan db size 332968</P> <P>Alternate APPID Signature <BR />Memory Usage : 4736 KB (Actual 4396 KB)<BR />TCP 1 C2S : lscan db size 944128<BR />TCP 1 S2C : lscan db size 727736<BR />UDP 1 C2S : lscan db size 1086056<BR />UDP 1 S2C : lscan db size 332968</P> <P>&nbsp;</P> <P>However, if I do view-pcap application-pcap, the last date for an unknown application is around 2 weeks ago.&nbsp; I may have set an application dump rule at that time; I can't remember for sure.&nbsp; To verify, I started a netcat session in order to generate an unknown-tcp session, and checked the "current unknown sessions" counter.&nbsp; It was still 0 while the netcat session was up, even though the unknown-tcp session was visible in the session browser.&nbsp; I do realize that the firewall only samples unknowns and doesn't capture every session, but it doesn't seem to be capturing any.&nbsp; Is there something I can do to get unknown-tcp pcaps working again?</P> Fri, 14 Oct 2022 16:05:50 GMT DanielWaites 2022-10-14T16:05:50Z unknown traffic pcaps just stopped happening one day around 2 weeks ago https://live.paloaltonetworks.com/t5/next-generation-firewall/unknown-traffic-pcaps-just-stopped-happening-one-day-around-2/m-p/517972#M486 <P>I have a PA-460 that stopped doing pcaps for unknown traffic about two weeks ago.&nbsp; I played around with the application dump setting and I think I may have broken something:</P> <P>&nbsp;</P> <P>Application setting:<BR />Application cache : yes<BR />Supernode : yes<BR />Heuristics : yes<BR />Cache Threshold : 16<BR />Bypass when exceeds queue limit: no<BR />Traceroute appid : yes<BR />Traceroute TTL threshold : 30<BR />Use cache for appid : no<BR />Use simple appsigs for ident : yes<BR />Use AppID cache on SSL/SNI : no<BR />Unknown capture : on<BR />Max. unknown sessions : 5000<BR />Current unknown sessions : 0<BR />Application capture : off</P> <P>Current APPID Signature <BR />Memory Usage : 4736 KB (Actual 4398 KB)<BR />TCP 1 C2S : lscan db size 944448<BR />TCP 1 S2C : lscan db size 727736<BR />UDP 1 C2S : lscan db size 1086504<BR />UDP 1 S2C : lscan db size 332968</P> <P>Alternate APPID Signature <BR />Memory Usage : 4736 KB (Actual 4396 KB)<BR />TCP 1 C2S : lscan db size 944128<BR />TCP 1 S2C : lscan db size 727736<BR />UDP 1 C2S : lscan db size 1086056<BR />UDP 1 S2C : lscan db size 332968</P> <P>&nbsp;</P> <P>However, if I do view-pcap application-pcap, the last date for an unknown application is around 2 weeks ago.&nbsp; I may have set an application dump rule at that time; I can't remember for sure.&nbsp; To verify, I started a netcat session in order to generate an unknown-tcp session, and checked the "current unknown sessions" counter.&nbsp; It was still 0 while the netcat session was up, even though the unknown-tcp session was visible in the session browser.&nbsp; I do realize that the firewall only samples unknowns and doesn't capture every session, but it doesn't seem to be capturing any.&nbsp; Is there something I can do to get unknown-tcp pcaps working again?</P> Fri, 14 Oct 2022 16:05:50 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/unknown-traffic-pcaps-just-stopped-happening-one-day-around-2/m-p/517972#M486 DanielWaites 2022-10-14T16:05:50Z Re: unknown traffic pcaps just stopped happening one day around 2 weeks ago https://live.paloaltonetworks.com/t5/next-generation-firewall/unknown-traffic-pcaps-just-stopped-happening-one-day-around-2/m-p/517973#M487 <P>For reference, this is 10.1.6-h6 on PA-460</P> Fri, 14 Oct 2022 16:07:01 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/unknown-traffic-pcaps-just-stopped-happening-one-day-around-2/m-p/517973#M487 DanielWaites 2022-10-14T16:07:01Z