<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Palo Alto Packet Capture Vs Monitor Vs Session Browser in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/palo-alto-packet-capture-vs-monitor-vs-session-browser/m-p/471571#M103123</link>
    <description>&lt;P&gt;Hi, for a beginner, what does the packet capture enable me to do that the Monitor and Session Browser do not? If possible, please could someone give me a scenario for packet capture that identifies a problem which the other two would not pick up - is it the way traffic conversations are shown? With the capture obviously you would be able to see a lot more detail about what is inside each packet.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;With respect to the Monitor, I understand that it shows traffic associated with closed or unsuccessful sessions, whereas Session Browser is for existing sessions. Any tips would be appreciated.&lt;/P&gt;</description>
    <pubDate>Wed, 09 Mar 2022 10:55:14 GMT</pubDate>
    <dc:creator>pink-panther</dc:creator>
    <dc:date>2022-03-09T10:55:14Z</dc:date>
    <item>
      <title>Palo Alto Packet Capture Vs Monitor Vs Session Browser</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/palo-alto-packet-capture-vs-monitor-vs-session-browser/m-p/471571#M103123</link>
      <description>&lt;P&gt;Hi, for a beginner, what does the packet capture enable me to do that the Monitor and Session Browser do not? If possible, please could someone give me a scenario for packet capture that identifies a problem which the other two would not pick up - is it the way traffic conversations are shown? With the capture obviously you would be able to see a lot more detail about what is inside each packet.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;With respect to the Monitor, I understand that it shows traffic associated with closed or unsuccessful sessions, whereas Session Browser is for existing sessions. Any tips would be appreciated.&lt;/P&gt;</description>
      <pubDate>Wed, 09 Mar 2022 10:55:14 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/palo-alto-packet-capture-vs-monitor-vs-session-browser/m-p/471571#M103123</guid>
      <dc:creator>pink-panther</dc:creator>
      <dc:date>2022-03-09T10:55:14Z</dc:date>
    </item>
    <item>
      <title>Re: Palo Alto Packet Capture Vs Monitor Vs Session Browser</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/palo-alto-packet-capture-vs-monitor-vs-session-browser/m-p/471636#M103125</link>
      <description>&lt;P&gt;Monitor is the overall logging and inspection tab. Monitor --&amp;gt; Traffic specifically shows you completed traffic sessions with (depending on what you have selected in the Security rules options) the session start and stop times, as well as all the related session attributes (source/destination, region, classification, etc.), and final disposition of the session (end reason, filtering status, etc.). There may be multiple matching entries, as well as packet captures, under a Traffic log as the session progressed to completion.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Monitor --&amp;gt; Session Browser, on the other hand, shows you current sessions across the PaloAlto. These are live connections between endpoints that may be further filtered as characteristics of the connection change (i.e. the session might be live and allowed at the moment under one rule, but later could be identified as a different form of traffic and blocked under a different rule). It shows you the live TCP/UDP/etc. at the moment.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The Monitor --&amp;gt; Packet Capture allows you to do a live packet capture on the PaloAlto, capturing the actual network packets between endpoints. This is a Wireshark/tcpdump style capture that shows you the raw traffic, not how the PaloAlto categorized/filtered that traffic. Generally you use this when you need to investigate actual packet contents and debug why a particular rule may/may not be acting on traffic as expected.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;As an example of packet capture, I was having a problem with the PA blocking traffic as being "STUN" packets, when STUN packets were allowed. The Traffic logs showed these identified as STUN, but on a non-standard port number and hence blocked. Using Packet Capture I was able to grab a sample and confirm these were in fact SIP packets that the PaloAlto was mis-identifying as STUN packets.&lt;/P&gt;</description>
      <pubDate>Wed, 09 Mar 2022 16:05:47 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/palo-alto-packet-capture-vs-monitor-vs-session-browser/m-p/471636#M103125</guid>
      <dc:creator>Adrian_Jensen</dc:creator>
      <dc:date>2022-03-09T16:05:47Z</dc:date>
    </item>
  </channel>
</rss>

