I'd like capture a particular traffic stream for analysis. I see how you can capure a packet trace as part of a Vulnerability Protection profile, but this particular traffic is not seen as a vulnerability or threat (i.e. it's not showing up in the threat log).
Is there a way to create policy, defining the stream, and capturing a packet trace?
This document will help you out if you are on PANOS 3.1: https://live.paloaltonetworks.com/docs/DOC-1506
Here is an excerpt:
Set a filter to control what traffic is captured
debug dataplane packet-diag set filter on
debug dataplane packet-diag set filter match <criteria>
Enable Packet Capture
debug dataplane packet-diag set capture on
debug dataplane packet-diag set capture stage firewall file foo.pcap
View the Packet Capture
view-pcap filter-pcap foo.pcap
Export the Packet Capture in PCAP format (SCP or TFTP)
scp export filter-pcap from foo.pcap to username@host:path
tftp export filter-pcap from foo.pcap to <tftp host>
These commands also exist in 3.0 and below but they are not under packet-diag. I believe they are directly under "debug dataplane"
Thanks Kelly, but we're on 3.0.9 so I'm going to have to modify this for the previous verion.
I found this:
But when I do:
scp export debug-pcap from ?
it does not list the file name I specified here:
debug dataplane filter set destination <dest-IP> file <name.pcap> packet-count 200000
When I do a:
debug dataplane get
I can see my filter and file:
10.1.2.123:0 -> 0.0.0.0:0, 0 0 2000000 mypcap.pcap
Can you see what I've done wrong?
I don't have a 3.0 box handy to test, but I believe the export command should not include "debug-pcap" but "filter". A debug-pcap is a special type of pcap for traffic terminating on the firewall (such as DHCP or routing protocol). The "filter" pcap is for the traditional packet capture you are performing. There are a couple of other types of pcaps including application and unknown-application.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!