Packet Capture problem w/ PA-5020 running 4.0.0


L0 Member

So, using debug dataplane packet-diag I am unable to get filters to work properly and quite often don't see data that I actually should. I didn't know if this was a bug with the 4.0.0 code or not, but it makes it awfully hard to defend the firewall when I can't produce reliable output from either logs or packet captures. The settings I have are below, and not only does the filter not work properly, but I don't see the traffic I should be seeing. It is also rather odd that the transmitted packets counter is so much higher than all the rest.

DP 0:
--------------------------------------------------------------------------------
Packet diagnosis setting:
--------------------------------------------------------------------------------
Packet filter
  Enabled:                   yes
  Match pre-parsed packet:   yes
  Index 1: 10.100.240.179[0]->0.0.0.0[0], proto 0
           ingress-interface ethernet1/1, egress-interface any, exclude non-IP
--------------------------------------------------------------------------------
Logging
  Enabled:                   no
  Log-throttle:              no
  Aggregate-to-single-file:  yes
  Output file size:          7364 of 10485760 Bytes
  Features:
  Counters:
--------------------------------------------------------------------------------
Packet capture
  Enabled:                   no
  Stage receive           :  file ssh-receive.pcap
    Captured:     packets - 63673      bytes - 14346098
    Maximum:      packets - 0          bytes - 0
  Stage firewall          :  file ssh-firewall.pcap
    Captured:     packets - 59183      bytes - 13831536
    Maximum:      packets - 0          bytes - 0
  Stage transmit          :  file ssh-transmit.pcap
    Captured:     packets - 111227     bytes - 27857297
    Maximum:      packets - 0          bytes - 0
  Stage drop              :  file ssh-drop.pcap
    Captured:     packets - 1131       bytes - 239054
    Maximum:      packets - 0          bytes - 0
--------------------------------------------------------------------------------

DP 1:
--------------------------------------------------------------------------------
Packet diagnosis setting:
--------------------------------------------------------------------------------
Packet filter
  Enabled:                   yes
  Match pre-parsed packet:   yes
  Index 1: 10.100.240.179[0]->0.0.0.0[0], proto 0
           ingress-interface ethernet1/1, egress-interface any, exclude non-IP
--------------------------------------------------------------------------------
Logging
  Enabled:                   no
  Log-throttle:              no
  Aggregate-to-single-file:  yes
  Output file size:          221380 of 10485760 Bytes
  Features:
  Counters:
--------------------------------------------------------------------------------
Packet capture
  Enabled:                   no
  Stage receive           :  file ssh-receive.pcap
    Captured:     packets - 211771     bytes - 157212649
    Maximum:      packets - 0          bytes - 0
  Stage firewall          :  file ssh-firewall.pcap
    Captured:     packets - 215378     bytes - 157520273
    Maximum:      packets - 0          bytes - 0
  Stage transmit          :  file ssh-transmit.pcap
    Captured:     packets - 359186     bytes - 197191051
    Maximum:      packets - 0          bytes - 0
  Stage drop              :  file ssh-drop.pcap
    Captured:     packets - 695        bytes - 112144
    Maximum:      packets - 0          bytes - 0
--------------------------------------------------------------------------------

1 REPLY 1

Cyber Elite

Hi Price

Could you try setting these without the interface and with a second filter with 10.100.240.179 as destination? Can you try this command a couple of times during your tests: "show counter global filter delta yes filter packet-filter yes". Are there counters visible after the second time you execute this command, and are there drops in there?

Regards,

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
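An added example (written for this page, not code from the thread or from Palo Alto Networks) that parses the "packet diagnosis setting" output quoted in the post and flags the three things the reply asks about: a filter defined in one direction only, a filter pinned to an ingress interface, and capture left disabled. The sample text is a constructed abbreviation of the post's DP 0 output, and the parser's regexes are assumptions about that text format, not a PAN-OS tool.

```python
import re

# Constructed sample in the format of the post's "debug dataplane packet-diag show setting"
# output, abbreviated to DP 0 and two capture stages (counts copied from the post).
SAMPLE = """\
DP 0:
Packet filter
  Index 1: 10.100.240.179[0]->0.0.0.0[0], proto 0
           ingress-interface ethernet1/1, egress-interface any, exclude non-IP
Packet capture
  Enabled:                   no
  Stage receive           :  file ssh-receive.pcap
    Captured:     packets - 63673      bytes - 14346098
  Stage transmit          :  file ssh-transmit.pcap
    Captured:     packets - 111227     bytes - 27857297
"""
FILTER_RE = re.compile(r"Index \d+: (\S+)\[\d+\]->(\S+)\[\d+\], proto \d+")
IFACE_RE = re.compile(r"ingress-interface (\S+),")
STAGE_RE = re.compile(r"Stage (\w+)\s*:")
COUNT_RE = re.compile(r"Captured:\s+packets - (\d+)")

def parse_setting(text):
    """Per dataplane: filter list, whether capture is on, and packets per capture stage."""
    dps, dp, section, stage = {}, None, None, None
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("DP ") and s.endswith(":"):
            dp = dps.setdefault(s[:-1], {"filters": [], "capture_on": False, "stages": {}})
        elif s in ("Packet filter", "Logging", "Packet capture"):
            section = s  # "Enabled:" appears under all three; only capture's matters here
        elif s.startswith("Enabled:") and section == "Packet capture":
            dp["capture_on"] = s.endswith("yes")
        elif m := FILTER_RE.match(s):
            dp["filters"].append({"src": m[1], "dst": m[2], "ingress": "any"})
        elif m := IFACE_RE.match(s):
            dp["filters"][-1]["ingress"] = m[1]  # interface line follows its filter
        elif m := STAGE_RE.match(s):
            stage = m[1]
        elif m := COUNT_RE.match(s):
            dp["stages"][stage] = int(m[1])
    return dps

def check_dp(dp):
    """Findings that explain traffic 'missing' from a capture, per the reply's suggestions."""
    findings, dsts = [], {f["dst"] for f in dp["filters"]}
    for f in dp["filters"]:
        if f["dst"] == "0.0.0.0" and f["src"] not in dsts:  # 0.0.0.0 = any destination
            findings.append(f"one-way filter: add a second filter with {f['src']} as destination")
        if f["ingress"] != "any":
            findings.append(f"filter pinned to ingress {f['ingress']}: other interfaces never match")
    if not dp["capture_on"]:
        findings.append("packet capture is disabled: stage files are not being written")
    return findings
```

Running check_dp on each dataplane before a capture session avoids the two most common reasons for an empty or half-empty pcap; the transmit count in the post is not explained by these checks, which is why the reply asks for the delta of the global counters instead.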