This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

PA Packet capture

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PA Packet capture

Go to solution
jdprovine
L4 Transporter

‎03-07-2018 01:38 PM

Is there anyway to get bi-directional data in a single packet capture on the PA ?  Some of mine seem like it splits the traffic into tranmissions on one, drop on another and recieve on yet another. Can those all be combined?

0 Likes Likes
2 accepted solutions

Accepted Solutions

Go to solution
BPry
Cyber Elite
Cyber Elite

‎03-07-2018 01:58 PM

@jdprovine,

You can merge the PCAPs once you've finished collectiong them, however the stage is what the firewall is actually capturing so it isn't able to take a full capture of everything. 

* Drops: Records packets that are dropped due to an error. 

* Firewall: Captures when the device is processing packets.

* Receive: Packets that are recieved by the device. 

* Transmit: Packets sent from the source. 

 

If you utilize WireShark you can actually merge all of these chronologically to essentially get what you are looking for in one large file. To do so simply open one of the PCAPs and select FileMerge select the other PCAP and then select whether you want to Prepend, Append, or Merge Chronologically. 

View solution in original post

1 person found this solution to be helpful.

Go to solution
Remo
L7 Applicator
In response to BPry

‎03-07-2018 02:48 PM

If you enter the same filename for all four stages, I thought you will have everything in one file directly on the firewall...

View solution in original post

6 REPLIES 6

Go to solution
BPry
Cyber Elite
Cyber Elite

‎03-07-2018 01:58 PM

@jdprovine,

You can merge the PCAPs once you've finished collectiong them, however the stage is what the firewall is actually capturing so it isn't able to take a full capture of everything. 

* Drops: Records packets that are dropped due to an error. 

* Firewall: Captures when the device is processing packets.

* Receive: Packets that are recieved by the device. 

* Transmit: Packets sent from the source. 

 

If you utilize WireShark you can actually merge all of these chronologically to essentially get what you are looking for in one large file. To do so simply open one of the PCAPs and select FileMerge select the other PCAP and then select whether you want to Prepend, Append, or Merge Chronologically. 

1 person found this solution to be helpful.

Go to solution
Remo
L7 Applicator
In response to BPry

‎03-07-2018 02:48 PM

If you enter the same filename for all four stages, I thought you will have everything in one file directly on the firewall...

Go to solution
BPry
Cyber Elite
Cyber Elite
In response to Remo

‎03-07-2018 06:11 PM - edited ‎03-07-2018 06:16 PM

@Remo,

Does...does that actually work? 

 

Wow that actually works. I've always just assumed that the file needs to be different for the different stages. This will save quite a bit of time throughout the week, thanks @Remo

0 Likes Likes

Go to solution
reaper
Cyber Elite
Cyber Elite
In response to BPry

‎03-08-2018 01:35 AM

a word of caution on @Remo's trick

 

The advantage is that you get everything in one file, but you may lose some visibility on which packets are missing from a stage and, if your capture is large: the pcaps roll over at 200mb, if you put 4 streams into one file, it will roll over much quicker

we do create a pcap.1, so your total size limit is 400mb of capture, but beware that if you put tx + rx + fw into a single file, you'll only be able to get +- 133mb of total traffic beforee you start losing the start of your capture

 

other than that: awesome trick!

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Go to solution
jdprovine
L4 Transporter
In response to reaper

‎03-08-2018 06:12 AM

@reaper @BPry @Remo

 

As always you have made it hard for me to pick the accepted solution because you all offer such great idea. Thanks!!

Go to solution
reaper
Cyber Elite
Cyber Elite
In response to jdprovine

‎03-08-2018 06:40 AM

good news! you can select multiple 😜

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
  • 2 accepted solutions
  • 5785 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks