VPN traffic capture

GuillaumeV — Mon, 18 Sep 2023 15:28:08 GMT

Hello,
I need to capture what passes through a VPN site-to-site tunnel. I'd like to see the tunnel and not the ESP.
With tcpdump you can use the command "tcpdump -i enc0" which decrypts the ESP.
On Palo Alto, what is the equivalent command? Because with view-pcap follow yes filter-pcap <filename> I can only see the ESP.
Thanks

Re: VPN traffic capture

aleksandar.astardzhiev — Mon, 18 Sep 2023 18:26:32 GMT

Hi @GuillaumeV ,

With view-pcap command you can review the captures that are done when debugging/troubleshooting VPN negotiation.

To capture traffic passing through the firewall you need to use the Packet capture feature - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTJCA0

Above link goes into details how to define packet capture filter. If you filter based on the private IP address you will capture unencrypted. If you add filter for remote IPsec peer IP, you will capture the encrypted ESP traffic as well.

topic VPN traffic capture in General Topics

VPN traffic capture

Re: VPN traffic capture