Does anyone know what filters are supported for the tcpdump command on PAN-OS (7.0)?
For troubleshooting a Syslog (server) issue, due to large amounts of traffic, I need to capture only packets with the SYN or FIN/RST flag set.
Something like this: # tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0


The documentation I found, 'How To Packet Capture (tcpdump) On Management Interface', is sparse, as the filter options very well might be.

I don't know exactly what is allowed, but so far I have managed to use only basic tcpdump filters through PAN-OS, unfortunately.


It supports just a limited set of options. I would not even try to do regex on it; I don't try to filter with more than host and port, usually something like what is described in its help for tcpdump filters, e.g. "src net and not port 22".

view-pcap verbose++ yes link-header yes mgmt-pcap mgmt.pcap is a second option I use to quickly review directly on the device, omitting or adding more options, but generally capturing doesn't go further than host / net / src / dest / port and a few such keywords. I haven't experimented, but on the other hand the mgmt interface will not really be as busy as upstream, right? host and port usually do the job for me.


To troubleshoot fast-sending syslog I would use a snaplen of 1 byte of data and filter by source IP and dest port (you care just about flags, right? You do not need the whole packet), and I would quit capturing quickly... "rinse and repeat" until you catch enough packets that give you good results?


Best regards



Hi Luciano


Thanks for your reply.

We use the management interface as the service route for all. We also forward all logs as Syslog to Splunk, and it is the health of this connection I want to check (we do get 'disconnect' messages too often).

This is a bit like swimming the Niagara upstream while catching fish, I assume, therefore filtering beyond host would make sense (SYN/FIN/RST flags).


But thanks again anyhow for your solid feedback.



Well... I tested it in my FW and it worked in 6.1.10.


> tcpdump filter "tcp[tcpflags] & (tcp-syn|tcp-fin) != 0"
Press Ctrl-C to stop capturing

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
^C5 packets captured
10 packets received by filter
0 packets dropped by kernel


It captured just SYN packets, which by default are truncated.
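As an added illustration (not code from the thread or from PAN-OS), here is a small Python model of what that BPF expression matches: it reads the flags byte at offset 13 of the TCP header from an Ethernet/IPv4/TCP frame, evaluates tcp[tcpflags] & mask != 0, and tallies session events over a few constructed sample frames. It also shows that tcp-rst has to be added to the mask to catch resets, which the original question asked about; the flags sit in the first 54 bytes, so the default truncation seen above does not lose them.

```python
import struct
from typing import Optional

# Flag bit values, identical to tcpdump's tcp-fin, tcp-syn, tcp-rst, tcp-ack
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10
SYSLOG_TCP_PORT = 514   # assumption: syslog over TCP on its registered port

def tcp_flags(frame: bytes) -> Optional[int]:
    """Return the TCP flags byte (tcp[tcpflags]) of an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6 or len(ip) < ihl + 14:                  # not TCP, or header cut off
        return None
    return ip[ihl + 13]                                    # byte 13 of the TCP header

def matches_filter(frame: bytes, mask: int = TCP_SYN | TCP_FIN) -> bool:
    """Equivalent of tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0' for the default mask."""
    flags = tcp_flags(frame)
    return flags is not None and (flags & mask) != 0

def build_frame(flags: int, src_port: int = 40000, dst_port: int = SYSLOG_TCP_PORT) -> bytes:
    """Constructed sample frame: Ethernet + minimal IPv4 + 20-byte TCP header, no payload."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + tcp

def count_session_events(frames, mask: int) -> dict:
    """Tally the frames passing the filter by their SYN/FIN/RST/ACK combination."""
    names = (("SYN", TCP_SYN), ("FIN", TCP_FIN), ("RST", TCP_RST), ("ACK", TCP_ACK))
    counts = {}
    for f in frames:
        if matches_filter(f, mask):
            flags = tcp_flags(f)
            key = "+".join(n for n, bit in names if flags & bit)
            counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample: a syslog session opening (SYN, SYN+ACK), data (ACK, PSH+ACK),
# a graceful close (FIN+ACK) and an abrupt reset (RST).
SAMPLE_FRAMES = [build_frame(f) for f in (0x02, 0x12, 0x10, 0x18, 0x11, 0x04)]

if __name__ == "__main__":
    print("syn|fin matches:", sum(matches_filter(f) for f in SAMPLE_FRAMES))
    print(count_session_events(SAMPLE_FRAMES, TCP_SYN | TCP_FIN | TCP_RST))
```

The filter from the answer above matches 3 of the 6 sample frames; adding tcp-rst to the mask makes it 4, which is the set of events that show a syslog connection being torn down.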




Thanks a lot Gereardo.

Seems like I got confused about the use of ' versus ".

In my initial example the closing ' was also missing; this was a copy/paste glitch. Honest!


(there might be a closing ")" in your link that prevents it from being clickable)

How do I run TCPDUMP on an interface other than mgmt? Anybody have any idea....

Hi @aloke1.p,


TCPDUMP is specifically for the mgmt interface.

For dataplane interfaces you can use PCAP:


Hope this helps.

Cheers!


