Packet capture

L2 Linker

Packet capture

We have an issue with SIP sessions randomly hanging on the firewall. We are trying to do a packet capture on the Palo Alto firewall. Since the issue is random, we need to leave the packet capture on until it happens next time.

It seems the firewall automatically turns off the packet capture after about 10 to 15 minutes. Is that by design? Is there any way we can leave it on for a long period of time?

Also, will the capture files keep deleting the old packets and keep the latest ones?

 

L2 Linker

Re: Packet capture


Looks like there is a hard limit of 209,715,200 bytes = 210 Mb

What file sizes are you seeing once the .pcap turns off?

Also, one thing that may help is locking down the filters to a specific source/dest IP address and source/dest port.

L2 Linker

Re: Packet capture

Yes, we have filtered to a specific source, destination and port. It turns off packet capture by itself after about 10 minutes regardless of the size of the file, which was under 8M.

I am thinking of using tcpdump in the command line to do the packet capture. Will it do the capture continuously? For how long? Can we export the file to an external tftp server?

L2 Linker

Re: Packet capture

@Jatin.Singh tcpdump is for taking .pcap on the management interface only. 

Have you tried doing an App Override or turning off ALG?

Here's a good troubleshooting doc for troubleshooting VoIP issues:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmUiCAK
