Packet Capture, Debug Flow-basic and Counter Commands

by nrice on 06-10-2010 03:00 PM - edited on 10-09-2015 09:37 AM by Community Manager

Before Starting:

  • Check for any configured filters with the command below. Make a note of any existing filters so that they can be restored later, if needed:
> debug dataplane packet-diag show setting
  • Clear all packet capture settings:
> debug dataplane packet-diag clear all
  • Clear the debug log:
> debug dataplane packet-diag clear log log
  • Clear all previously marked sessions:
> debug dataplane packet-diag clear filter-marked-session all
  • To capture all packets of offloaded sessions, offload may need to be temporarily disabled.

Important!
Review the following document before disabling offload:
Disabling Session Offload to Record Traffic During

Packet Capture Traditional PCAP:

  • Set a filter to control what traffic is captured:
> debug dataplane packet-diag set filter match <criteria>
> debug dataplane packet-diag set filter on
  • Enable packet capture (one file per stage; stages that are not needed can be left out):
> debug dataplane packet-diag set capture stage receive file rx.pcap
> debug dataplane packet-diag set capture stage transmit file tx.pcap
> debug dataplane packet-diag set capture stage drop file dp.pcap
> debug dataplane packet-diag set capture stage firewall file fw.pcap
> debug dataplane packet-diag set capture on
  • View the packet capture:
> view-pcap filter-pcap rx.pcap
  • Export the packet capture in PCAP format (SCP or TFTP):
> scp export filter-pcap from fw.pcap to username@host:path
> tftp export filter-pcap from fw.pcap to <tftp host>
  • Delete the PCAP file(s):
> delete debug-filter file <filename>

Application Dump PCAP:

  • Turn on application dump for the app (bittorrent, in this example):
> set application dump on application bittorrent <other criteria>
  • View the packet capture (or use the Monitor tab in the GUI):
> view-pcap application-pcap fw.pcap
  • Export the packet capture in PCAP format (SCP or TFTP):
> scp export application-pcap from fw.pcap to username@host:path
> tftp export application-pcap from fw.pcap to <tftp host>

Debug PCAP (IKE, DHCP, RPD)

  • Turn on debug packet capture for the daemon in question, for example:
> debug ike pcap on
> debug dhcp pcap on
  • View the packet capture:
> view-pcap debug-pcap fw.pcap
  • Export the packet capture in PCAP format (SCP or TFTP):
> scp export debug-pcap from fw.pcap to username@host:path
> tftp export debug-pcap from fw.pcap to <tftp host>

Debug Flow Basic

Important: Flow basic logging can increase dataplane CPU usage. Always set a filter first, and turn logging off as soon as the traffic of interest has passed.

  • Set a filter to control what traffic is logged:
> debug dataplane packet-diag set filter match <criteria>
> debug dataplane packet-diag set filter on
  • Enable debug logging:
> debug dataplane packet-diag set log feature flow basic
> debug dataplane packet-diag set log on
  • Generate the traffic, then immediately disable logging:
> debug dataplane packet-diag set log off
  • View the debug log. On PAN-OS 5.0 and later, run aggregate-logs first (wait 10-15 seconds after disabling logging) so that the logs collected by the individual dataplane processors are combined into pan_packet_diag.log:
> debug dataplane packet-diag aggregate-logs
> less dp-log pan_packet_diag.log

Note: On the PA-5000 series, use dp0-log, dp1-log or dp2-log instead of dp-log, depending on the dataplane. On the PA-200, use mp-log.

Show Drop Counters:

  • Set a filter to control what traffic is counted:
> debug dataplane packet-diag set filter match <criteria>
> debug dataplane packet-diag set filter on
  • Show the drop counters for the filtered traffic, either as absolute values or as the change since the last time the command was run (delta yes):
> show counter global filter packet-filter yes | match drop
> show counter global filter severity drop packet-filter yes delta yes
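The traditional PCAP, flow basic and drop counter procedures above, run together as one session. This is an added example and not part of the original article. It follows a single HTTPS flow between a client and a server; the addresses (10.1.1.10 and 192.168.1.20), the port (443) and the SCP target (user@10.0.0.5) are made-up placeholders. The detail the individual sections leave out is that each filter match entry matches one direction only, so a second entry for the return traffic is needed if both halves of the conversation are to be captured and logged. Lines starting with # are annotations, not CLI input.

```text
# 1. Record the existing filter settings, then start from a clean state
> debug dataplane packet-diag show setting
> debug dataplane packet-diag clear all
> debug dataplane packet-diag clear log log
> debug dataplane packet-diag clear filter-marked-session all

# 2. One filter entry per direction (placeholder addresses); a single entry
#    would capture only the client-to-server half of the flow
> debug dataplane packet-diag set filter match source 10.1.1.10 destination 192.168.1.20 destination-port 443
> debug dataplane packet-diag set filter match source 192.168.1.20 destination 10.1.1.10 source-port 443
> debug dataplane packet-diag set filter on
> debug dataplane packet-diag show setting

# 3. Arm all four capture stages and flow basic logging, and take a drop-counter
#    baseline so that the later delta shows only drops caused by the test traffic
> debug dataplane packet-diag set capture stage receive file rx.pcap
> debug dataplane packet-diag set capture stage transmit file tx.pcap
> debug dataplane packet-diag set capture stage drop file dp.pcap
> debug dataplane packet-diag set capture stage firewall file fw.pcap
> debug dataplane packet-diag set log feature flow basic
> show counter global filter severity drop packet-filter yes delta yes
> debug dataplane packet-diag set capture on
> debug dataplane packet-diag set log on

# 4. Reproduce the problem from the client, then stop logging and capture
#    immediately so the files hold only the reproduced traffic
> debug dataplane packet-diag set log off
> debug dataplane packet-diag set capture off

# 5. Drops since the baseline, the merged flow log (wait 10-15 seconds after
#    "set log off" before aggregating), and the pcaps
> show counter global filter severity drop packet-filter yes delta yes
> debug dataplane packet-diag aggregate-logs
> less dp-log pan_packet_diag.log
> view-pcap filter-pcap dp.pcap
> scp export filter-pcap from dp.pcap to user@10.0.0.5:/var/tmp/

# 6. Clean up so the filter does not stay active, then restore any filter
#    noted in step 1
> debug dataplane packet-diag clear all
> debug dataplane packet-diag clear log log
> delete debug-filter file rx.pcap
> delete debug-filter file tx.pcap
> delete debug-filter file dp.pcap
> delete debug-filter file fw.pcap
```

The drop-stage file (dp.pcap) is usually the first one to open: a packet that appears in rx.pcap and dp.pcap but not in tx.pcap was dropped by the firewall, and the counters that changed between the two delta readings name the drop reason. The flow basic entries for those same packets are the lines in pan_packet_diag.log that contain "Packet received at ingress stage", which the filter limits to the two addresses above.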

owner: vcappuccio

Comments
by cstech
on 09-04-2014 12:00 PM

How do I delete/remove/clear/reset the log file that is displayed with "less dp-log pan_packet_diag.log"?

by jjosephs
on 09-30-2014 02:28 PM

Chris,

I know that you can use the UI to go to Device > Log Settings > Manage Logs and remove different logs there. Generally speaking, you shouldn't need to remove any of the logs that you may view either with "less dp-log <TAB>" or "less mp-log <TAB>".

If you are running out of disk space on your firewall, please open a case with Support so that this can be properly handled.

by sebastian
on 10-22-2014 09:05 AM

Hi Chris,

you can delete the pan_packet_diag.log via

"debug dataplane packet-diag clear log log" (Clear debug logs)

by sebastian
on 10-22-2014 09:16 AM

Is there a way to get a bit smaller/clearer debug logs?

Yeah, I know it's strange to ask that debug = clear?

I tried "debug dataplane packet-diag set log feature flow basic"

I got what I expect but also much more.

I'm only interested in the "real" flow messages ("...Packet received at ingress stage Packet info: len 70 port 36 interface 366 vsys 1...").

And I don't care at all about the "2014-10-20 21:42:12.885 +0200 debug: pan_url_profile_match_curls(pan_url_profile.c:631): [URL TOM] url/xyz.html".

Ideas? Feature Request?

by Lucky
on 02-17-2015 06:29 AM

Hello, Sebastian,

You can, and are welcome to, log a feature request through your sales contact to have less debug information in debug (?).

Until such a request is met, we usually review pan_packet_diag (and other logs) via the CLI, and we use standard 'less' or any Linux-friendly shortcuts to browse logs. A useful set of browsing commands when viewing a file with "less":

g = go to first line of the file

Shift+g = go to the last line of the file

/keyword = search and highlight all 'keyword'

n = next search hit

shift+n = previous search hit

u = up the text

d = down the text

Should you want to filter logs, saving them elsewhere and getting only the messages you are interested in should be really easy with grep, or by piping a few grep commands in a row.

Hope that helps at least a bit.

Regards

Luciano

by VijayChandar
on 06-01-2016 09:46 PM

I’m looking for something equivalent to “fw monitor” command in Check Point that shows both ingress and egress traffic upon policy match.
