- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
04-11-2019 11:40 AM
I am trying to capture traffic between a specific source on the internal network to any destination on any zone. I totally understand how to enable captures and turn it on & off but my capture seems to be colleting data but not anything that I can recognize. I have double checked my filter & the traffic pattern, addresses & interfaces being crossed seem straight forward to me but whe I look at the output it looks like data has been captured that is not matching the filter I've created. I'm trying to make sense of it & am not able to. Can someone with experience please review my filter & tell me why I am seeing internal addresses in the capture that dont match the source im using in my filter?
Filter I'm using...
debug dataplane packet-diag set filter match source 192.168.180.210 source-netmask 32 ingress-interface ethernet1/3
Show Setting Output...
paloalto> debug dataplane packet-diag show setting
--------------------------------------------------------------------------------
Packet diagnosis setting:
--------------------------------------------------------------------------------
Packet filter
Enabled: yes
Match pre-parsed packet: no
Index 1: 192.168.180.210/32[0]->0.0.0.0/0[0], proto 0
ingress-interface ethernet1/20, egress-interface any, exclude non-IP
--------------------------------------------------------------------------------
Logging
Enabled: no
Log-throttle: no
Sync-log-by-ticks: yes
Features:
Counters:
--------------------------------------------------------------------------------
Packet capture
Enabled: no
Snaplen: 0
Username:
Stage receive : file cap
Captured: packets - 3 bytes - 162
Maximum: packets - 0 bytes - 0
Stage transmit : file cap
Captured: packets - 2 bytes - 108
Maximum: packets - 0 bytes - 0
--------------------------------------------------------------------------------
04-12-2019 02:29 PM
If the sessions have already started when you set your capture filter, it will not output anything. In addition to the 'clear filter-marked-sessions' command you tried, you may also want to clear the active sessions (assuming an interruption to those is ok):
> clear session all filter source 192.168.180.210
You can also check to see if your filters are matching before you actually attempt to capture by running a delta against the counters using that filter:
> show counter global filter packet-filter yes delta yes
The first time you run the command you'll probably get a big output, but each subsequent time you run it the output will just be a delta between the last time you ran it. If you're seeing packet numbers increment, you can start the capture and should see the same number of packets there.
04-11-2019 11:44 AM
debug dataplane packet-diag clear filter-marked-session all
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClgDCAS
04-11-2019 12:15 PM
thanks. that didnt work.
04-12-2019 02:29 PM
If the sessions have already started when you set your capture filter, it will not output anything. In addition to the 'clear filter-marked-sessions' command you tried, you may also want to clear the active sessions (assuming an interruption to those is ok):
> clear session all filter source 192.168.180.210
You can also check to see if your filters are matching before you actually attempt to capture by running a delta against the counters using that filter:
> show counter global filter packet-filter yes delta yes
The first time you run the command you'll probably get a big output, but each subsequent time you run it the output will just be a delta between the last time you ran it. If you're seeing packet numbers increment, you can start the capture and should see the same number of packets there.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!