https://live.paloaltonetworks.com/t5/general-topics/packet-capture-question/m-p/17294#M12629 <HTML><HEAD></HEAD><BODY><P>Thanks Kelly, but we're on 3.0.9 so I'm going to have to modify this for the previous verion.</P><P></P><P>I found this:</P><P></P><P><A class="jive-link-wiki-small" href="https://live.paloaltonetworks.com/docs/DOC-1045">https://live.paloaltonetworks.com/docs/DOC-1045#comment-1110</A></P><P></P><P>But when I do:</P><P></P><P>scp export debug-pcap from ?</P><P></P><P>it does not list the file name I specified here:</P><P></P><P>debug dataplane filter set destination &lt;dest-IP&gt; file &lt;name.pcap&gt; packet-count 200000</P><P></P><P>When I do a:</P><P></P><P>debug dataplane get</P><P></P><P>I can see my filter and file:</P><P></P><P>10.1.2.123:0 -&gt; 0.0.0.0:0, 0 0 2000000 mypcap.pcap</P><P></P><P>Can you see what I've done wrong?</P></BODY></HTML> Tue, 15 Jun 2010 19:23:58 GMT grant_sturgis 2010-06-15T19:23:58Z https://live.paloaltonetworks.com/t5/general-topics/packet-capture-question/m-p/17292#M12627 <HTML><HEAD></HEAD><BODY><P>Hey folks,</P><P></P><P>I'd like capture a particular traffic stream for analysis.&nbsp; I see how you can capure a packet trace as part of a Vulnerability Protection profile, but this particular traffic is not seen as a vulnerability or threat (i.e. it's not showing up in the threat log).</P><P></P><P>Is there a way to create policy, defining the stream, and capturing a packet trace?</P><P></P><P>Thanks,</P><P></P><P>Grant</P><P>-----------------------</P></BODY></HTML> Tue, 15 Jun 2010 16:15:10 GMT https://live.paloaltonetworks.com/t5/general-topics/packet-capture-question/m-p/17292#M12627 grant_sturgis 2010-06-15T16:15:10Z https://live.paloaltonetworks.com/t5/general-topics/packet-capture-question/m-p/17293#M12628 <HTML><HEAD></HEAD><BODY><P>Hi Grant,</P><P></P><P><SPAN>This document will help you out if you are on PANOS 3.1: </SPAN><A class="jive-link-wiki-small" href="https://live.paloaltonetworks.com/docs/DOC-1506">https://live.paloaltonetworks.com/docs/DOC-1506</A></P><P></P><P>Here is an excerpt:</P><P></P><P><STRONG>Traditional PCAP</STRONG></P><P></P><P><STRONG>Set a filter to control what traffic is captured</STRONG></P><P><SPAN style="font-family: 'courier new', courier;">debug dataplane packet-diag set filter on</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">debug dataplane packet-diag set filter match &lt;criteria&gt;</SPAN></P><P></P><P><STRONG>Enable Packet Capture</STRONG></P><P><SPAN style="font-family: 'courier new', courier;">debug dataplane packet-diag set capture on</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">debug dataplane packet-diag set capture stage firewall file foo.pcap</SPAN></P><P></P><P><STRONG>View the Packet Capture</STRONG></P><P><SPAN style="font-family: 'courier new', courier;">view-pcap filter-pcap foo.pcap</SPAN></P><P></P><P><STRONG>Export the Packet Capture in PCAP format (SCP or TFTP)</STRONG></P><P><SPAN style="font-family: 'courier new', courier;">scp export filter-pcap from foo.pcap to username@host:path</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">tftp export filter-pcap from foo.pcap to &lt;tftp host&gt;</SPAN></P><P></P><P>These commands also exist in 3.0 and below but they are not under packet-diag.&nbsp; I believe they are directly under "debug dataplane"</P><P></P><P>Cheers,</P><P></P><P>Kelly</P></BODY></HTML> Tue, 15 Jun 2010 17:14:11 GMT https://live.paloaltonetworks.com/t5/general-topics/packet-capture-question/m-p/17293#M12628 kbrazil 2010-06-15T17:14:11Z https://live.paloaltonetworks.com/t5/general-topics/packet-capture-question/m-p/17294#M12629 <HTML><HEAD></HEAD><BODY><P>Thanks Kelly, but we're on 3.0.9 so I'm going to have to modify this for the previous verion.</P><P></P><P>I found this:</P><P></P><P><A class="jive-link-wiki-small" href="https://live.paloaltonetworks.com/docs/DOC-1045">https://live.paloaltonetworks.com/docs/DOC-1045#comment-1110</A></P><P></P><P>But when I do:</P><P></P><P>scp export debug-pcap from ?</P><P></P><P>it does not list the file name I specified here:</P><P></P><P>debug dataplane filter set destination &lt;dest-IP&gt; file &lt;name.pcap&gt; packet-count 200000</P><P></P><P>When I do a:</P><P></P><P>debug dataplane get</P><P></P><P>I can see my filter and file:</P><P></P><P>10.1.2.123:0 -&gt; 0.0.0.0:0, 0 0 2000000 mypcap.pcap</P><P></P><P>Can you see what I've done wrong?</P></BODY></HTML> Tue, 15 Jun 2010 19:23:58 GMT https://live.paloaltonetworks.com/t5/general-topics/packet-capture-question/m-p/17294#M12629 grant_sturgis 2010-06-15T19:23:58Z https://live.paloaltonetworks.com/t5/general-topics/packet-capture-question/m-p/17295#M12630 <HTML><HEAD></HEAD><BODY><P>I don't have a 3.0 box handy to test, but I believe the export command should not include "debug-pcap" but "filter".&nbsp; A debug-pcap is a special type of pcap for traffic terminating on the firewall (such as DHCP or routing protocol).&nbsp; The "filter" pcap is for the traditional packet capture you are performing.&nbsp; There are a couple of other types of pcaps including application and unknown-application.</P><P></P><P>Cheers,</P><P></P><P>Kelly</P></BODY></HTML> Tue, 15 Jun 2010 19:33:33 GMT https://live.paloaltonetworks.com/t5/general-topics/packet-capture-question/m-p/17295#M12630 kbrazil 2010-06-15T19:33:33Z