topic Byte swapping needed on packet captures taken from tunnel interfaces in Next-Generation Firewall Discussions https://live.paloaltonetworks.com/t5/next-generation-firewall/byte-swapping-needed-on-packet-captures-taken-from-tunnel/m-p/1086729#M5415 <P>I noticed something odd with packet captures taken involving traffic originating from a tunnel interface (used for GP VPN clients) where the Ethernet Type header was byte swapped. Meaning instead of 0x0800 it was 0x0008.</P> <P>The screen snips illustrate the raw exported packets from a NGFW running 11.1.4-h1. Wireshark 4.4.3 with no packet dissector/decode rules.</P> <P>&nbsp;</P> <P>But using Hxd to byte swap the length field then allows Wireshark to make full sense of the packet. Seems to me that PANOS is writing out that field as little-endian rather than the network-byte order of big endian.</P> <P>&nbsp;</P> <P>Why does this happen? Not sure if I need to raise a support ticket or a defect/enhancement request ticket for this. Happens reproducibly across multiple packet captures.</P> Fri, 17 Jan 2025 02:02:28 GMT Luke_Godwin 2025-01-17T02:02:28Z Byte swapping needed on packet captures taken from tunnel interfaces https://live.paloaltonetworks.com/t5/next-generation-firewall/byte-swapping-needed-on-packet-captures-taken-from-tunnel/m-p/1086729#M5415 <P>I noticed something odd with packet captures taken involving traffic originating from a tunnel interface (used for GP VPN clients) where the Ethernet Type header was byte swapped. Meaning instead of 0x0800 it was 0x0008.</P> <P>The screen snips illustrate the raw exported packets from a NGFW running 11.1.4-h1. Wireshark 4.4.3 with no packet dissector/decode rules.</P> <P>&nbsp;</P> <P>But using Hxd to byte swap the length field then allows Wireshark to make full sense of the packet. Seems to me that PANOS is writing out that field as little-endian rather than the network-byte order of big endian.</P> <P>&nbsp;</P> <P>Why does this happen? Not sure if I need to raise a support ticket or a defect/enhancement request ticket for this. Happens reproducibly across multiple packet captures.</P> Fri, 17 Jan 2025 02:02:28 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/byte-swapping-needed-on-packet-captures-taken-from-tunnel/m-p/1086729#M5415 Luke_Godwin 2025-01-17T02:02:28Z