06-15-2010 09:15 AM
Hey folks,
I'd like to capture a particular traffic stream for analysis. I see how you can capture a packet trace as part of a Vulnerability Protection profile, but this particular traffic is not seen as a vulnerability or threat (i.e. it's not showing up in the threat log).
Is there a way to create policy, defining the stream, and capturing a packet trace?
Thanks,
Grant
-----------------------
06-15-2010 10:14 AM
Hi Grant,
This document will help you out if you are on PANOS 3.1: https://live.paloaltonetworks.com/docs/DOC-1506
Here is an excerpt:
Traditional PCAP
Set a filter to control what traffic is captured
debug dataplane packet-diag set filter on
debug dataplane packet-diag set filter match <criteria>
Enable Packet Capture
debug dataplane packet-diag set capture on
debug dataplane packet-diag set capture stage firewall file foo.pcap
View the Packet Capture
view-pcap filter-pcap foo.pcap
Export the Packet Capture in PCAP format (SCP or TFTP)
scp export filter-pcap from foo.pcap to username@host:path
tftp export filter-pcap from foo.pcap to <tftp host>
These commands also exist in 3.0 and below but they are not under packet-diag. I believe they are directly under "debug dataplane"
Cheers,
Kelly
06-15-2010 12:23 PM
Thanks Kelly, but we're on 3.0.9 so I'm going to have to modify this for the previous version.
I found this:
https://live.paloaltonetworks.com/docs/DOC-1045#comment-1110
But when I do:
scp export debug-pcap from ?
it does not list the file name I specified here:
debug dataplane filter set destination <dest-IP> file <name.pcap> packet-count 200000
When I do a:
debug dataplane get
I can see my filter and file:
10.1.2.123:0 -> 0.0.0.0:0, 0 0 2000000 mypcap.pcap
Can you see what I've done wrong?
06-15-2010 12:33 PM
I don't have a 3.0 box handy to test, but I believe the export command should not include "debug-pcap" but "filter". A debug-pcap is a special type of pcap for traffic terminating on the firewall (such as DHCP or routing protocol). The "filter" pcap is for the traditional packet capture you are performing. There are a couple of other types of pcaps including application and unknown-application.
Cheers,
Kelly