https://live.paloaltonetworks.com/t5/general-topics/what-are-these-mysterious-pcaps/m-p/14727#M10812 <HTML><HEAD></HEAD><BODY><P>Hi <A href="https://live.paloaltonetworks.com/u1/29784">rvandegrift</A></P><P></P><P>Where are you seeing these captures ? I think these might be getting captured due to one of the security profiles like for some of the threat pcap/extended pcap takes place.</P><P></P><P>Thanks</P></BODY></HTML> Tue, 16 Dec 2014 22:04:03 GMT bat 2014-12-16T22:04:03Z https://live.paloaltonetworks.com/t5/general-topics/what-are-these-mysterious-pcaps/m-p/14726#M10811 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>I've noticed a boatload of application-pcaps - between 5-15k, on days where they are captured.&nbsp; There are captures from most days, but not every day.</P><P></P><P>As far as I know, I don't have any traffic captures enabled.&nbsp; All of the following show that captures are disabled:</P><P>1. debug dataplane packet-diag show setting (capture and logs disabled on all dataplanes)</P><P>2. show running application setting (unknown capture and application capture are disabled)</P><P>3. debug ike pcap show (no ipsec config anyhow)</P><P></P><P>What else could be triggering these captures?&nbsp; Maybe they are used as a part of some firewall feature?</P><P></P><P>This is on PA-5060 running 6.0.5.</P><P></P><P>Ross</P></BODY></HTML> Tue, 16 Dec 2014 22:01:43 GMT https://live.paloaltonetworks.com/t5/general-topics/what-are-these-mysterious-pcaps/m-p/14726#M10811 rvandegrift 2014-12-16T22:01:43Z https://live.paloaltonetworks.com/t5/general-topics/what-are-these-mysterious-pcaps/m-p/14727#M10812 <HTML><HEAD></HEAD><BODY><P>Hi <A href="https://live.paloaltonetworks.com/u1/29784">rvandegrift</A></P><P></P><P>Where are you seeing these captures ? I think these might be getting captured due to one of the security profiles like for some of the threat pcap/extended pcap takes place.</P><P></P><P>Thanks</P></BODY></HTML> Tue, 16 Dec 2014 22:04:03 GMT https://live.paloaltonetworks.com/t5/general-topics/what-are-these-mysterious-pcaps/m-p/14727#M10812 bat 2014-12-16T22:04:03Z https://live.paloaltonetworks.com/t5/general-topics/what-are-these-mysterious-pcaps/m-p/14728#M10813 <HTML><HEAD></HEAD><BODY><P>That's it - it looks like we have an AV profile that has a capture set for some hits.&nbsp; Thanks!</P><P></P><P>Ross</P></BODY></HTML> Tue, 16 Dec 2014 22:12:05 GMT https://live.paloaltonetworks.com/t5/general-topics/what-are-these-mysterious-pcaps/m-p/14728#M10813 rvandegrift 2014-12-16T22:12:05Z https://live.paloaltonetworks.com/t5/general-topics/what-are-these-mysterious-pcaps/m-p/14729#M10814 <HTML><HEAD></HEAD><BODY><P>Hello Ross,</P><P></P><P>You may check the configured AV profile, in casepcapenabled on it. </P><P></P><P>Example:</P><P> <IMG alt="AV-profile.JPG" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/17342_AV-profile.JPG" style="height: 420px; width: 620px;" /></P><P></P><P>Hope this helps.</P><P></P><P>Thanks</P></BODY></HTML> Wed, 17 Dec 2014 06:18:57 GMT https://live.paloaltonetworks.com/t5/general-topics/what-are-these-mysterious-pcaps/m-p/14729#M10814 HULK 2014-12-17T06:18:57Z https://live.paloaltonetworks.com/t5/general-topics/what-are-these-mysterious-pcaps/m-p/14730#M10815 <HTML><HEAD></HEAD><BODY><P>I thought this was it, but nope - I disabled the AV profile packet capture yesterday, but there are thousands of new pcaps today:</P><P>admin@firewall(active-primary)&gt; view-pcap application-pcap 20141217/</P><P>Display all 16625 possibilities? (y or n) </P><P></P><P>I've exported the device config and the Panorama config to grep through.&nbsp; All capture options are disabled in both places.</P><P></P><P></P><P>Are there conditions under which a device might capture packets anyhow?</P><P></P><P>Ross</P></BODY></HTML> Wed, 17 Dec 2014 22:27:28 GMT https://live.paloaltonetworks.com/t5/general-topics/what-are-these-mysterious-pcaps/m-p/14730#M10815 rvandegrift 2014-12-17T22:27:28Z