topic Re: Packet Captures issues in General Topics

Packet Captures issues

d.spider — Thu, 30 Dec 2021 07:22:30 GMT

Hello Friends

I am trying to take packet captures on my firewall. But in captures I do not see all the packets. What may be the issue? Am I missing anything?

Re: Packet Captures issues

PavelK — Thu, 30 Dec 2021 08:00:44 GMT

Thank you for post @d.spider

the first thing I would suspect is session offloading:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CldYCAS

Kind Regards

Pavel

Re: Packet Captures issues

d.spider — Thu, 30 Dec 2021 11:20:57 GMT

Hi @PavelK ,

Thanks for your response.

Is that applicable to all firewall models? I see specific platforms in the article and mine is not listed there (PA 800 series).

Re: Packet Captures issues

SutareMayur — Thu, 30 Dec 2021 12:54:56 GMT

Hi @d.spider ,

As you said you are not seeing all the packets in the capture, can you confirm what type of filter you have kept for the capture?

Re: Packet Captures issues

d.spider — Fri, 31 Dec 2021 04:54:19 GMT

That’s a great point Sutare. Let me verify it as it was not set by me.

Re: Packet Captures issues

PavelK — Sun, 02 Jan 2022 02:30:27 GMT

Thank you for reply @d.spider

I went through all documentation and it always states that session offloading is supported from PA-30XX/32XX series and higher, however I was looking into one of my PA-850 and I can see: "ctd decoder bypass" for some sessions:

Even though it is not mentioned in documentation session offloading for PA-800 series seems supported.

If you determined that session offloading is not an issue in your scenario, then as Sutare mentioned maybe an issue is related to filters.

Another thing that comes to my mind is, only new sessions will be recorded after packet capture is enabled, so you will not be able to capture traffic for sessions that are already established. Also, make sure to configure all stages to be sure you do not miss anything:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTJCA0

Kind Regards

Pavel

Re: Packet Captures issues

d.spider — Mon, 03 Jan 2022 07:09:19 GMT

Hi @PavelK ,

Thanks for the explanation. The issue is resolved now. It was due to wrong filter. When I put filter from S2D and D2S, I can see all the packets captured in the pcap file. My mistake! I didn’t checked filter settings earlier.

Thank you @SutareMayur for pointing out it.

Re: Packet Captures issues

aleksandar.astardzhiev — Wed, 05 Jan 2022 07:59:42 GMT

Hi @d.spider ,

You don't actually need to put filter for return traffic in order to capture it. I am guessing that @PavelK was right and you don't capture on all stages. I would suggest you to take more detailed look on link that @PavelK share.

Filters in packet capture are not working, the same way you imagine. Filter is not filtering packets, it is actually used to "tag" sessions. Based on the source and destination, firewall will search its connection table and tag any session that match the filter. Packets that belongs to tagged session will be captured. Or as the previous link explain it - "filters are session aware".

So if you don't see return traffic when you use only source-to-destination filter, you definately not capturing on all stages - if I may guess not capturing transmit.

By the way, this is also very good link that, could explain why there is too much noise in your captures (even if your filter is very strict) - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClgDCAS

Re: Packet Captures issues

d.spider — Thu, 06 Jan 2022 01:07:13 GMT

Hi @aleksandar.astardzhiev ,

The filter had all the required stages. Nothing was missing there. The filter had incorrect values. When filter point was highlighted, I referred below article while correcting the filter to make sure I am not missing anything. Here, it talks about the backup filters so I kept it.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTJCA0