topic tcpdump filters in General Topics

tcpdump filters

Dulle — Thu, 10 Mar 2016 10:24:52 GMT

Does anyone know what filters are supported for the tcpdump command on PAN-OS (7.0) ?
For troubelshooting of a Syslog (server) issue, due to large amounts of traffic, I need to capture only packets with syn- or fin/rst-flag set.
Something like this : # tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0

Documentation found 'How To Packet Capture (tcpdump) On Management Interface' are sparse, as the filter options very well might be.

Re: tcpdump filters

santonic — Thu, 10 Mar 2016 13:07:46 GMT

Don't know exactly what is allowed. But so far I managed to use only basic tcpdump filters through PAN-OS unfortunately.

Re: tcpdump filters

Lucky — Fri, 11 Mar 2016 07:40:43 GMT

Hi,

it supports just a limited set of options, I would not even try to do regex on it, I don't try to filter with more than host and port, usually something like what is described in it's help: tcpdump filters - e.g. "src net 67.207.148.0/24 and not port 22".

view-pcap verbose++ yes link-header yes mgmt-pcap mgmt.pcap is second option I use to quickly review directly on the device, omitting or adding more options but generally capturing doesn't go further than host / net / src / dest / port and few such keywords. I haven't experimented but on the other hand mgmt interface will not be really as busy as upstream, right? host and port usually do job for me.

To troubleshoot fast-sending syslog I would use snaplen of 1 bytes of data and filter by source ip and dest port (you care just about flags, right? you do not need the whole packet, and I would quit capturing quickly... "rinse and repeat" until you catch enough packets that give you good results?

Best regards

Luciano

Re: tcpdump filters

Dulle — Fri, 11 Mar 2016 10:39:46 GMT

HI Luciano

Thanks for your reply.

We use management interface as service route for all. Also forward all logs as Syslog to Splunk, and it is the health of this connection I want to check (we do get 'disconnect' messages too often) .

This is a bit like swimming the Niagara upstream, while catching fish, I assume, therefore filtering beyond host would make sense (syn/fin/rst flaggs)

But thanks again anyhow for your solid feedback.

-=Tommy=-

Re: tcpdump filters

glastra1 — Fri, 18 Mar 2016 12:16:37 GMT

well... I tested it in my FW and it worked in 6.1.10

> tcpdump filter "tcp[tcpflags] & (tcp-syn|tcp-fin) != 0"
Press Ctrl-C to stop capturing

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
^C5 packets captured
10 packets received by filter
0 packets dropped by kernel

It captured just sync packets which by default are truncated

https://live.paloaltonetworks.com/t5/Management-Articles/Tcpdump-Packet-Capture-Truncated/ta-p/63047

regards,

Gerardo