topic Re: Packet Capture Filters via CLI using debug commands in General Topics

Packet Capture Filters via CLI using debug commands

MarioMarquez — Thu, 11 Apr 2019 18:40:28 GMT

I am trying to capture traffic between a specific source on the internal network to any destination on any zone. I totally understand how to enable captures and turn it on & off but my capture seems to be colleting data but not anything that I can recognize. I have double checked my filter & the traffic pattern, addresses & interfaces being crossed seem straight forward to me but whe I look at the output it looks like data has been captured that is not matching the filter I've created. I'm trying to make sense of it & am not able to. Can someone with experience please review my filter & tell me why I am seeing internal addresses in the capture that dont match the source im using in my filter?

Filter I'm using...

debug dataplane packet-diag set filter match source 192.168.180.210 source-netmask 32 ingress-interface ethernet1/3

Show Setting Output...

paloalto> debug dataplane packet-diag show setting

--------------------------------------------------------------------------------
Packet diagnosis setting:
--------------------------------------------------------------------------------
Packet filter
Enabled: yes
Match pre-parsed packet: no
Index 1: 192.168.180.210/32[0]->0.0.0.0/0[0], proto 0
ingress-interface ethernet1/20, egress-interface any, exclude non-IP
--------------------------------------------------------------------------------
Logging
Enabled: no
Log-throttle: no
Sync-log-by-ticks: yes
Features:
Counters:
--------------------------------------------------------------------------------
Packet capture
Enabled: no
Snaplen: 0
Username:
Stage receive : file cap
Captured: packets - 3 bytes - 162
Maximum: packets - 0 bytes - 0
Stage transmit : file cap
Captured: packets - 2 bytes - 108
Maximum: packets - 0 bytes - 0
--------------------------------------------------------------------------------

Re: Packet Capture Filters via CLI using debug commands

Raido_Rattameister — Thu, 11 Apr 2019 18:44:59 GMT

debug dataplane packet-diag clear filter-marked-session all

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClgDCAS

Re: Packet Capture Filters via CLI using debug commands

MarioMarquez — Thu, 11 Apr 2019 19:15:20 GMT

thanks. that didnt work.

Re: Packet Capture Filters via CLI using debug commands

gwesson — Fri, 12 Apr 2019 21:29:29 GMT

If the sessions have already started when you set your capture filter, it will not output anything. In addition to the 'clear filter-marked-sessions' command you tried, you may also want to clear the active sessions (assuming an interruption to those is ok):

> clear session all filter source 192.168.180.210

You can also check to see if your filters are matching before you actually attempt to capture by running a delta against the counters using that filter:

> show counter global filter packet-filter yes delta yes

The first time you run the command you'll probably get a big output, but each subsequent time you run it the output will just be a delta between the last time you ran it. If you're seeing packet numbers increment, you can start the capture and should see the same number of packets there.