What Is the Limitation of the Packet Capture File Size on PAN-OS?
Created On 09/26/18 19:16 PM - Last Modified 06/13/23 03:56 AM
Resolution
To control capture file size, PAN-OS uses 2 files per stage that act as a ring buffer. Once the original "filename.pcap" reaches 200MB, it is renamed to "filename.pcap.1" and a new "filename.pcap" is created. If "filename.pcap.1" already exists, it is overwritten when the current "filename.pcap" file reaches the 200MB file size. This means that, at maximum, PAN-OS keeps the last 400MB of PCAP information.
The 200MB limit cannot be modified in PAN-OS. To reduce the amount of traffic captured, the snaplen parameter can be modified to limit packet size (40-65535 bytes):
> debug dataplane packet-diag set capture snaplen <40-65535>
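As an added illustration (not Palo Alto Networks code), the Python model below replays packet lengths through the two-file ring to show how many packets survive rotation at a given snaplen. It assumes classic libpcap framing (24-byte file header, 16-byte record header), 200MB meaning 200,000,000 bytes, and a size check after each write; `simulate` and `stored_size` are hypothetical names.

```python
# Added example (not PAN-OS code): models the two-file capture ring.
# Assumptions: classic libpcap layout (24-byte file header, 16-byte
# per-packet record header), 200MB = 200,000,000 bytes, and rotation
# checked after each packet is written.
PCAP_FILE_HEADER = 24
PCAP_RECORD_HEADER = 16
ROTATE_AT = 200_000_000


def stored_size(wire_len, snaplen):
    """Bytes one packet occupies on disk after truncation to snaplen."""
    return PCAP_RECORD_HEADER + min(wire_len, snaplen)


def simulate(packet_lengths, snaplen, rotate_at=ROTATE_AT):
    """Replay wire lengths through filename.pcap / filename.pcap.1.

    Returns what is still on disk at the end of the capture.
    """
    if not 40 <= snaplen <= 65535:
        raise ValueError("snaplen must be within 40-65535")
    cur_bytes, cur_pkts = PCAP_FILE_HEADER, 0
    old_bytes, old_pkts = 0, 0          # filename.pcap.1 (absent at start)
    rotations = seen = 0
    for wire_len in packet_lengths:
        seen += 1
        cur_bytes += stored_size(wire_len, snaplen)
        cur_pkts += 1
        if cur_bytes >= rotate_at:
            # filename.pcap becomes filename.pcap.1, replacing any older .1
            old_bytes, old_pkts = cur_bytes, cur_pkts
            cur_bytes, cur_pkts = PCAP_FILE_HEADER, 0
            rotations += 1
    kept = old_pkts + cur_pkts
    return {"rotations": rotations, "packets_seen": seen,
            "packets_kept": kept, "packets_lost": seen - kept,
            "bytes_on_disk": old_bytes + cur_bytes}


if __name__ == "__main__":
    # Constructed traffic mix: 2,000,000 packets of 64/576/1500 bytes.
    mix = [64, 576, 1500]
    for snaplen in (65535, 96):
        lengths = (mix[i % 3] for i in range(2_000_000))
        print(snaplen, simulate(lengths, snaplen))
```

Right after a rotation only the previous file plus an almost empty new file remain, so the retained history swings between roughly one and two file sizes rather than staying at the 400MB maximum.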
owner: nbilly