Packet Capture Question

Reply
Highlighted
Not applicable

Packet Capture Question

Hey folks,

I'd like capture a particular traffic stream for analysis.  I see how you can capure a packet trace as part of a Vulnerability Protection profile, but this particular traffic is not seen as a vulnerability or threat (i.e. it's not showing up in the threat log).

Is there a way to create policy, defining the stream, and capturing a packet trace?

Thanks,

Grant

-----------------------

L4 Transporter

Re: Packet Capture Question

Hi Grant,

This document will help you out if you are on PANOS 3.1: https://live.paloaltonetworks.com/docs/DOC-1506

Here is an excerpt:

Traditional PCAP

Set a filter to control what traffic is captured

debug dataplane packet-diag set filter on

debug dataplane packet-diag set filter match <criteria>

Enable Packet Capture

debug dataplane packet-diag set capture on

debug dataplane packet-diag set capture stage firewall file foo.pcap

View the Packet Capture

view-pcap filter-pcap foo.pcap

Export the Packet Capture in PCAP format (SCP or TFTP)

scp export filter-pcap from foo.pcap to username@host:path

tftp export filter-pcap from foo.pcap to <tftp host>

These commands also exist in 3.0 and below but they are not under packet-diag.  I believe they are directly under "debug dataplane"

Cheers,

Kelly

Not applicable

Re: Packet Capture Question

Thanks Kelly, but we're on 3.0.9 so I'm going to have to modify this for the previous verion.

I found this:

https://live.paloaltonetworks.com/docs/DOC-1045#comment-1110

But when I do:

scp export debug-pcap from ?

it does not list the file name I specified here:

debug dataplane filter set destination <dest-IP> file <name.pcap> packet-count 200000

When I do a:

debug dataplane get

I can see my filter and file:

10.1.2.123:0 -> 0.0.0.0:0, 0 0 2000000 mypcap.pcap

Can you see what I've done wrong?

L4 Transporter

Re: Packet Capture Question

I don't have a 3.0 box handy to test, but I believe the export command should not include "debug-pcap" but "filter".  A debug-pcap is a special type of pcap for traffic terminating on the firewall (such as DHCP or routing protocol).  The "filter" pcap is for the traditional packet capture you are performing.  There are a couple of other types of pcaps including application and unknown-application.

Cheers,

Kelly

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!