<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Tail traffic in CLI? in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/tail-traffic-in-cli/m-p/196506#M58520</link>
    <description>&lt;P&gt;Hm... That's a little unfortunate.&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;Thank you!&lt;/P&gt;</description>
    <pubDate>Tue, 23 Jan 2018 20:55:16 GMT</pubDate>
    <dc:creator>Gareth.Doyle</dc:creator>
    <dc:date>2018-01-23T20:55:16Z</dc:date>
    <item>
      <title>Tail traffic in CLI?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/tail-traffic-in-cli/m-p/196304#M58488</link>
      <description>&lt;P&gt;Is it possible to tail live traffic in the CLI while running a grep (or match) for specific things? I would find this extremely useful.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks.&lt;/P&gt;</description>
      <pubDate>Tue, 23 Jan 2018 00:55:32 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/tail-traffic-in-cli/m-p/196304#M58488</guid>
      <dc:creator>Gareth.Doyle</dc:creator>
      <dc:date>2018-01-23T00:55:32Z</dc:date>
    </item>
    <item>
      <title>Re: Tail traffic in CLI?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/tail-traffic-in-cli/m-p/196372#M58492</link>
      <description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/80358"&gt;@Gareth.Doyle&lt;/a&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Yes and no: there are several ways, depending on what you want to know, to look for/at sessions/session details, but there is no 'follow' function to see one particular session.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;You can &lt;FONT face="terminal,monaco"&gt;&amp;gt;show session all filter&lt;/FONT&gt;&amp;nbsp; to find all sessions matching something specific (application, port, IP, ...)&lt;/P&gt;
&lt;PRE&gt;admin@MyFirewall&amp;gt; show session all filter 
+ application         Application name
+ count               count number of sessions only
+ destination         destination IP address
+ destination-port    Destination port
+ destination-user    Destination user
+ egress-interface    egress interface
+ from                From zone
+ hw-interface        hardware interface
+ ingress-interface   ingress interface
+ min-kb              minimum KB of byte count
+ nat                 If session is NAT
+ nat-rule            NAT rule name
+ pbf-rule            Policy-Based-Forwarding rule name
+ protocol            IP protocol value
+ qos-class           QoS class
+ qos-node-id         QoS node-id value
+ qos-rule            QoS rule name
+ rematch             rematch sessions
+ rule                Security rule name
+ source              source IP address
+ source-port         Source port
+ source-user         Source user
+ ssl-decrypt         session is decrypted
+ start-at            Show next 1K sessions
+ state               flow state
+ to                  To zone
+ tunnel-decap        session is outer tunnel with inspection enabled
+ tunnel-inspected    session is inside tunnel
+ type                flow type
  |                   Pipe through a command
  &amp;lt;Enter&amp;gt;             Finish input


&lt;/PRE&gt;
&lt;P&gt;or you can &lt;FONT face="terminal,monaco"&gt;&amp;gt;show session id&lt;/FONT&gt; which will show you the stats of one specific session&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;PRE&gt;admin@MyFirewall&amp;gt; show session id 26709

Session           26709

        c2s flow:
                source:      192.168.0.97 [v1-trust]
                dst:         4.2.2.2
                proto:       17
                sport:       61263           dport:      53
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    unknown

        s2c flow:
                source:      4.2.2.2 [v1-untrust]
                dst:         198.51.100.241
                proto:       17
                sport:       53              dport:      27792
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    unknown

        start time                           : Tue Jan 23 11:36:42 2018
        timeout                              : 30 sec
        total byte count(c2s)                : 211
        total byte count(s2c)                : 271
        layer7 packet count(c2s)             : 2
        layer7 packet count(s2c)             : 1
        vsys                                 : vsys1
        application                          : dns  
        rule                                 : dns
        session to be logged at end          : False
        session in session ager              : False
        session updated by HA peer           : False
        address/port translation             : source
        nat-rule                             : hideNAT-ISP1(vsys1)
        layer7 processing                    : enabled
        URL filtering enabled                : False
        session via syn-cookies              : False
        session terminated on host           : False
        session traverses tunnel             : False
        captive portal session               : False
        ingress interface                    : ethernet1/2
        egress interface                     : ethernet1/1
        session QoS rule                     : N/A (class 4)
        end-reason                           : aged-out
&lt;/PRE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 23 Jan 2018 10:39:33 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/tail-traffic-in-cli/m-p/196372#M58492</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2018-01-23T10:39:33Z</dc:date>
    </item>
    <item>
      <title>Re: Tail traffic in CLI?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/tail-traffic-in-cli/m-p/196506#M58520</link>
      <description>&lt;P&gt;Hm... That's a little unfortunate.&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;Thank you!&lt;/P&gt;</description>
      <pubDate>Tue, 23 Jan 2018 20:55:16 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/tail-traffic-in-cli/m-p/196506#M58520</guid>
      <dc:creator>Gareth.Doyle</dc:creator>
      <dc:date>2018-01-23T20:55:16Z</dc:date>
    </item>
  </channel>
</rss>

