Unknown Application Packet Capture

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Unknown Application Packet Capture

Not applicable

Hi

I want know about Unknown packet capture.

Q1. Where is unknown pcap stored?

[Device] > [Setup] > [Management] > [ Logging and Reporting Settings]

App Pkt Capture ?

Q2. I want know Unknown Pcap Usage.

Q3. When is capture unknown packet in PA packet flow?

Regards,

2 REPLIES 2

L5 Sessionator

Q1. Where is unknown pcap stored?[Device] > [Setup] > [Management] > [ Logging and Reporting Settings]App Pkt Capture ?


Application PCAPs are stored  at the following path /opt/panlogs/session/pan/application/ .

These  PCAPs will appear in the traffic log as a little green arrow .

You can use the  CLI command view-pcap application-pcap <date>/"   to view the Application pcaps

[Device] > [Setup] > [Management] > [ Logging and Reporting Settings] is where you can alter the Storage Quota for various logs and PCAPs


Q2. I want know Unknown Pcap Usage.

Can be viewed using CLI command :

> show system logdb-quota

Quotas:

             traffic: 32.00%, 38.060 GB

              threat: 16.00%, 19.030 GB

              system: 4.00%, 4.758 GB

              config: 4.00%, 4.758 GB

               alarm: 3.00%, 3.568 GB

               trsum: 7.00%, 8.326 GB

         hourlytrsum: 3.00%, 3.568 GB

          dailytrsum: 1.00%, 1.189 GB

         weeklytrsum: 1.00%, 1.189 GB

               thsum: 2.00%, 2.379 GB

         hourlythsum: 1.00%, 1.189 GB

          dailythsum: 1.00%, 1.189 GB

         weeklythsum: 1.00%, 1.189 GB

             appstat: 6.00%, 7.136 GB

              userid: 1.00%, 1.189 GB

            hipmatch: 3.00%, 3.568 GB

   application-pcaps: 1.00%, 1.189 GB

        threat-pcaps: 1.00%, 1.189 GB

  debug-filter-pcaps: 1.00%, 1.189 GB

         hip-reports: 1.00%, 1.189 GB

            dlp-logs: 1.00%, 1.189 GB

Disk usage:

traffic: Logs: 59M, Index: 14M

threat: Logs: 42M, Index: 12M

system: Logs: 5.6M, Index: 904K

config: Logs: 17M, Index: 184K

alarm: Logs: 20K, Index: 20K

trsum: Logs: 86M, Index: 4.1M

hourlytrsum: Logs: 2.7M, Index: 1.5M

dailytrsum: Logs: 944K, Index: 1.4M

weeklytrsum: Logs: 468K, Index: 224K

thsum: Logs: 192K, Index: 192K

hourlythsum: Logs: 176K, Index: 176K

dailythsum: Logs: 168K, Index: 168K

weeklythsum: Logs: 32K, Index: 32K

appstatdb: Logs: 1.1M, Index: 852K

userid: Logs: 100K, Index: 52K

hipmatch: Logs: 20K, Index: 20K

application-pcaps: 1.4M <<====App PCAP usage

threat-pcaps: 4.0K

debug-filter-pcaps: 12K

dlp-logs: 4.0K

hip-reports: 1.1M

wildfire: 16K

Q3. When is capture unknown packet in PA packet flow?

When PA firewall is unable to identify the application using APP-ID ,the application will be termed as unknown (unknown/-tcp,unknown-udp,non-sysn-tcp).


Following Tech note will give you detailed Information about unknown apps and how to report them to Palto Alto.

L5 Sessionator

The following doc explains about unknow apps

https://live.paloaltonetworks.com/docs/DOC-2007

Also following document explains how to request an new application

https://live.paloaltonetworks.com/docs/DOC-1879

you can also create an app override for an application that is internal to your network and you know the port numbers

https://live.paloaltonetworks.com/docs/DOC-1071

Following doc explains what application override does

https://live.paloaltonetworks.com/docs/DOC-1343

Hope this helps.

Thanks

  • 3288 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!