Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Packet Capture Filters via CLI using debug commands

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Packet Capture Filters via CLI using debug commands

L3 Networker

I am trying to capture traffic between a specific source on the internal network to any destination on any zone.  I totally understand how to enable captures and turn it on & off but my capture seems to be colleting data but not anything that I can recognize.  I have double checked my filter & the traffic pattern, addresses & interfaces being crossed seem straight forward to me but whe I look at the output it looks like data has been captured that is not matching the filter I've created.  I'm trying to make sense of it & am not able to.  Can someone with experience please review my filter & tell me why I am seeing internal addresses in the capture that dont match the source im using in my filter?

 

Filter I'm using...

debug dataplane packet-diag set filter match source 192.168.180.210 source-netmask 32 ingress-interface ethernet1/3

 

 

Show Setting Output...

paloalto> debug dataplane packet-diag show setting

--------------------------------------------------------------------------------
Packet diagnosis setting:
--------------------------------------------------------------------------------
Packet filter
Enabled: yes
Match pre-parsed packet: no
Index 1: 192.168.180.210/32[0]->0.0.0.0/0[0], proto 0
ingress-interface ethernet1/20, egress-interface any, exclude non-IP
--------------------------------------------------------------------------------
Logging
Enabled: no
Log-throttle: no
Sync-log-by-ticks: yes
Features:
Counters:
--------------------------------------------------------------------------------
Packet capture
Enabled: no
Snaplen: 0
Username:
Stage receive : file cap
Captured: packets - 3 bytes - 162
Maximum: packets - 0 bytes - 0
Stage transmit : file cap
Captured: packets - 2 bytes - 108
Maximum: packets - 0 bytes - 0
--------------------------------------------------------------------------------

 

 

 

 

1 accepted solution

Accepted Solutions

If the sessions have already started when you set your capture filter, it will not output anything. In addition to the 'clear filter-marked-sessions' command you tried, you may also want to clear the active sessions (assuming an interruption to those is ok):

 

> clear session all filter source 192.168.180.210

You can also check to see if your filters are matching before you actually attempt to capture by running a delta against the counters using that filter:

> show counter global filter packet-filter yes delta yes

The first time you run the command you'll probably get a big output, but each subsequent time you run it the output will just be a delta between the last time you ran it. If you're seeing packet numbers increment, you can start the capture and should see the same number of packets there.

View solution in original post

3 REPLIES 3

Cyber Elite
Cyber Elite

debug dataplane packet-diag clear filter-marked-session all

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClgDCAS

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

thanks.  that didnt work.

If the sessions have already started when you set your capture filter, it will not output anything. In addition to the 'clear filter-marked-sessions' command you tried, you may also want to clear the active sessions (assuming an interruption to those is ok):

 

> clear session all filter source 192.168.180.210

You can also check to see if your filters are matching before you actually attempt to capture by running a delta against the counters using that filter:

> show counter global filter packet-filter yes delta yes

The first time you run the command you'll probably get a big output, but each subsequent time you run it the output will just be a delta between the last time you ran it. If you're seeing packet numbers increment, you can start the capture and should see the same number of packets there.

  • 1 accepted solution
  • 31918 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!