https://live.paloaltonetworks.com/t5/general-topics/port-analyse-by-tcpdump/m-p/185243#M56699 <P>Ok this is not possible, you could mirror the port on the switch or install a hub between the PA and your switch.</P> Thu, 02 Nov 2017 20:58:25 GMT Mick_Ball 2017-11-02T20:58:25Z https://live.paloaltonetworks.com/t5/general-topics/port-analyse-by-tcpdump/m-p/185203#M56687 <P>Hello All,</P><P>&nbsp;</P><P>I would like to capture packet by tcpdump on other interface than management interface.</P><P>How can do it ? (please explain more detailled as possible).</P><P>&nbsp;</P><P>Thanks for your help.</P><P>GB.</P> Thu, 02 Nov 2017 17:38:40 GMT https://live.paloaltonetworks.com/t5/general-topics/port-analyse-by-tcpdump/m-p/185203#M56687 BLAISEMONT 2017-11-02T17:38:40Z https://live.paloaltonetworks.com/t5/general-topics/port-analyse-by-tcpdump/m-p/185214#M56688 <P>i dont think you can so I just use /monitor/packet capture</P> Thu, 02 Nov 2017 17:55:15 GMT https://live.paloaltonetworks.com/t5/general-topics/port-analyse-by-tcpdump/m-p/185214#M56688 Mick_Ball 2017-11-02T17:55:15Z https://live.paloaltonetworks.com/t5/general-topics/port-analyse-by-tcpdump/m-p/185216#M56689 <P>or from CLI</P><P>&nbsp;</P><P><A href="https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Run-a-Packet-Capture/ta-p/62390" target="_blank">https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Run-a-Packet-Capture/ta-p/62390</A></P> Thu, 02 Nov 2017 18:03:56 GMT https://live.paloaltonetworks.com/t5/general-topics/port-analyse-by-tcpdump/m-p/185216#M56689 Mick_Ball 2017-11-02T18:03:56Z https://live.paloaltonetworks.com/t5/general-topics/port-analyse-by-tcpdump/m-p/185233#M56696 <P>Yes, thanks. But i precise that i would like to see the trafic&nbsp; streaming in real time like tcpdump under Linux, because i manipulate the rules in production, and i don't cut for more than a few second. I don't have a sandbox to test.</P><P>&nbsp;</P> Thu, 02 Nov 2017 19:37:57 GMT https://live.paloaltonetworks.com/t5/general-topics/port-analyse-by-tcpdump/m-p/185233#M56696 BLAISEMONT 2017-11-02T19:37:57Z https://live.paloaltonetworks.com/t5/general-topics/port-analyse-by-tcpdump/m-p/185243#M56699 <P>Ok this is not possible, you could mirror the port on the switch or install a hub between the PA and your switch.</P> Thu, 02 Nov 2017 20:58:25 GMT https://live.paloaltonetworks.com/t5/general-topics/port-analyse-by-tcpdump/m-p/185243#M56699 Mick_Ball 2017-11-02T20:58:25Z https://live.paloaltonetworks.com/t5/general-topics/port-analyse-by-tcpdump/m-p/185245#M56700 <P><EM>Technically</EM> it can be done using the "follow yes" option in CLI:</P><P>&nbsp;</P><PRE>&gt; view-pcap follow yes verbose++ filter-pcap tx-test </PRE><P>It will not help&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/67968">@BLAISEMONT</a>&nbsp;much though, because once you change rules you have to commit the changes and then all the traffic is affected. It's also a burdon to the management plane if the capture filter is not narrow enough. The mirror/span port option is by far the best, as long as the switch can handle it.</P><P>&nbsp;</P><P>In case that's missed,&nbsp;<STRONG>you should avoid doing this in production just in case.</STRONG></P><P>&nbsp;</P><P>Generally without a lab/sandbox though, I'd recommend creating a test rule change that would only apply to the test user above the rule being changed. That allows you to test things out without affecting production.&nbsp;</P> Thu, 02 Nov 2017 21:38:27 GMT https://live.paloaltonetworks.com/t5/general-topics/port-analyse-by-tcpdump/m-p/185245#M56700 gwesson 2017-11-02T21:38:27Z