Does anyone know what filters are supported for the tcpdump command on PAN-OS (7.0) ?
For troubleshooting a Syslog (server) issue, due to large amounts of traffic, I need to capture only packets with the SYN or FIN/RST flag set.
Something like this : # tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0
Documentation found 'How To Packet Capture (tcpdump) On Management Interface' are sparse, as the filter options very well might be.
It supports just a limited set of options. I would not even try to do a regex on it; I don't try to filter with more than host and port, usually something like what is described in its help: tcpdump filters - e.g. "src net 126.96.36.199/24 and not port 22".
view-pcap verbose++ yes link-header yes mgmt-pcap mgmt.pcap is a second option I use to quickly review directly on the device, omitting or adding more options, but generally capturing doesn't go further than host / net / src / dest / port and a few such keywords. I haven't experimented, but on the other hand the mgmt interface will not really be as busy as upstream, right? host and port usually do the job for me.
To troubleshoot fast-sending syslog I would use a snaplen of 1 byte of data and filter by source IP and dest port (you care just about flags, right? you do not need the whole packet), and I would quit capturing quickly... "rinse and repeat" until you catch enough packets that give you good results?
Thanks for your reply.
We use the management interface as the service route for everything. We also forward all logs as Syslog to Splunk, and it is the health of this connection I want to check (we get 'disconnect' messages too often).
This is a bit like swimming up the Niagara while catching fish, I assume, so filtering beyond host would make sense (SYN/FIN/RST flags).
But thanks again anyhow for your solid feedback.
Well... I tested it on my FW and it worked in 6.1.10:
> tcpdump filter "tcp[tcpflags] & (tcp-syn|tcp-fin) != 0"
Press Ctrl-C to stop capturing
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
^C5 packets captured
10 packets received by filter
0 packets dropped by kernel
It captured just SYN packets, which by default are truncated.
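To make the meaning of that filter expression concrete, here is an added, stand-alone example (not code from the thread or from PAN-OS): a small Python re-implementation of the BPF expression `tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) != 0` run over constructed Ethernet/IPv4/TCP frames. `tcp[tcpflags]` is byte 13 of the TCP header, and `tcp-fin`, `tcp-syn`, `tcp-rst` are the bit values 0x01, 0x02 and 0x04. The default mask here covers SYN, FIN and RST as the original question asked for, which is one flag more than the SYN|FIN filter tested above; the sample frames, IP addresses and ports are made up for illustration.

```python
"""Toy re-implementation of the tcpdump/BPF expression
    tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) != 0
over raw Ethernet frames, so the filter can be checked offline.
Constructed sample data only; this is not PAN-OS or tcpdump code."""
import struct

# Flag bit values as tcpdump defines them for tcp[tcpflags] (= tcp[13]).
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
ETH_P_IP = 0x0800
IPPROTO_TCP = 6
DEFAULT_MASK = TCP_SYN | TCP_FIN | TCP_RST


def build_frame(src, dst, sport, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame with no payload (constructed data)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_P_IP)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
        bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))),
    )
    return eth + ip + tcp


def tcp_flags(frame):
    """Return tcp[13] (the flags byte), or None if the frame is not IPv4/TCP.
    Locates the TCP header the way BPF does: 14-byte Ethernet header, then IHL."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != IPPROTO_TCP:
        return None
    # Non-first IP fragments carry no TCP header; tcpdump's tcp[] skips them too.
    if struct.unpack("!H", frame[20:22])[0] & 0x1FFF:
        return None
    off = 14 + ihl + 13
    return frame[off] if len(frame) > off else None


def matches(frame, mask=DEFAULT_MASK):
    """Equivalent of: tcp[tcpflags] & mask != 0"""
    flags = tcp_flags(frame)
    return flags is not None and (flags & mask) != 0


def filter_frames(frames, mask=DEFAULT_MASK):
    """Apply the flag filter to a list of frames, like tcpdump applies its BPF program."""
    return [f for f in frames if matches(f, mask)]


# Constructed: one syslog-over-TCP session from a firewall mgmt IP to a log server.
SAMPLE = [
    build_frame("192.0.2.10", "198.51.100.5", 40000, 514, TCP_SYN),
    build_frame("198.51.100.5", "192.0.2.10", 514, 40000, TCP_SYN | TCP_ACK),
    build_frame("192.0.2.10", "198.51.100.5", 40000, 514, TCP_ACK),
    build_frame("192.0.2.10", "198.51.100.5", 40000, 514, TCP_PSH | TCP_ACK),
    build_frame("198.51.100.5", "192.0.2.10", 514, 40000, TCP_RST),
]

if __name__ == "__main__":
    for f in filter_frames(SAMPLE):
        src = ".".join(str(b) for b in f[26:30])
        dst = ".".join(str(b) for b in f[30:34])
        print(f"{src} -> {dst} flags=0x{tcp_flags(f):02x}")
```

The flags byte sits 47 bytes into an untagged Ethernet frame with a 20-byte IP header, so a capture that truncates packets will not preserve it on disk; the BPF filter itself is still evaluated on the full packet before truncation, which is why a tiny snaplen plus a flag filter still counts handshake and teardown packets.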
Thanks a lot Gereardo.
Seems like I got confused about the use of ' versus ".
In my initial example the closing ' was also missing. This was a copy/paste glitch. Honest!
(there might be a closing ")" in your link that prevents it from being clickable)
tcpdump is specifically for the mgmt interface.
For dataplane interfaces you can use PCAP:
Hope this helps.