12-29-2021 11:22 PM
Hello Friends
I am trying to take packet captures on my firewall. But in captures I do not see all the packets. What may be the issue? Am I missing anything?
12-30-2021 12:00 AM
Thank you for post @d.spider
the first thing I would suspect is session offloading:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CldYCAS
Kind Regards
Pavel
12-30-2021 03:20 AM
Hi @PavelK ,
Thanks for your response.
Is that applicable to all firewall models? I see specific platforms in the article and mine is not listed there (PA 800 series).
12-30-2021 04:52 AM - edited 12-30-2021 04:54 AM
Hi @d.spider ,
As you said you are not seeing all the packets in the capture, can you confirm what type of filter you have kept for the capture?
12-30-2021 08:54 PM
That’s a great point Sutare. Let me verify it as it was not set by me.
01-01-2022 06:30 PM
Thank you for reply @d.spider
I went through all documentation and it always states that session offloading is supported from PA-30XX/32XX series and higher, however I was looking into one of my PA-850 and I can see: "ctd decoder bypass" for some sessions:
Even though it is not mentioned in the documentation, session offloading for the PA-800 series seems supported.
If you determined that session offloading is not an issue in your scenario, then as Sutare mentioned maybe the issue is related to filters.
Another thing that comes to my mind is that only new sessions will be recorded after packet capture is enabled, so you will not be able to capture traffic for sessions that are already established. Also, make sure to configure all stages to be sure you do not miss anything:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTJCA0
Kind Regards
Pavel
01-02-2022 11:09 PM
Hi @PavelK ,
Thanks for the explanation. The issue is resolved now. It was due to a wrong filter. When I put filters for S2D and D2S, I can see all the packets captured in the pcap file. My mistake! I didn’t check the filter settings earlier.
Thank you @SutareMayur for pointing it out.
01-04-2022 11:59 PM
Hi @d.spider ,
You don't actually need to put a filter for return traffic in order to capture it. I am guessing that @PavelK was right and you don't capture on all stages. I would suggest you take a more detailed look at the link that @PavelK shared.
Filters in packet capture do not work the same way you imagine. The filter is not filtering packets; it is actually used to "tag" sessions. Based on the source and destination, the firewall will search its connection table and tag any session that matches the filter. Packets that belong to a tagged session will be captured. Or as the previous link explains it - "filters are session aware".
So if you don't see return traffic when you use only a source-to-destination filter, you are definitely not capturing on all stages - if I may guess, not capturing transmit.
By the way, this is also a very good link that could explain why there is too much noise in your captures (even if your filter is very strict) - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClgDCAS
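The session-tagging behaviour described in this reply (and the "only new sessions are recorded" point from the earlier reply) is easy to reason about with a small model. The following Python script is an added example, not code from this thread or from Palo Alto Networks: it is a toy connection table in which a capture filter tags sessions rather than matching individual packets, each packet transiting the firewall produces one observation per capture stage, and only observations of tagged sessions at enabled stages are written out. The IP addresses, the `CaptureModel` class and the `run_scenario` helper are all constructed for the illustration and do not correspond to any PAN-OS internals.

```python
"""Toy model of a session-aware packet-capture filter (constructed example).

Models three behaviours discussed in the thread:
  * one source-to-destination filter tags the session, so both directions
    of that session are captured;
  * a session that already existed when capture was enabled is never tagged;
  * a packet observation is only written for capture stages that were enabled.
This is an educational model, not PAN-OS code.
"""
from dataclasses import dataclass

# Stages a packet observation can belong to (names mirror the thread's usage).
STAGES = ("receive", "firewall", "transmit", "drop")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    stage: str  # the capture stage at which this observation is made


@dataclass
class Session:
    client: str
    server: str
    tagged: bool = False

    def key(self):
        return (self.client, self.server)


class CaptureModel:
    """Connection table plus a filter that tags sessions, not packets."""

    def __init__(self, match_src, match_dst, stages):
        self.match = (match_src, match_dst)
        self.stages = set(stages)
        self.sessions = {}
        self.capture_on = False
        self.captured = []

    def _lookup_session(self, pkt):
        # Client-to-server and server-to-client packets resolve to the same entry.
        for key in ((pkt.src, pkt.dst), (pkt.dst, pkt.src)):
            if key in self.sessions:
                return self.sessions[key]
        return None

    def start_capture(self):
        self.capture_on = True

    def process(self, pkt):
        """Return True if this observation is written to the capture."""
        sess = self._lookup_session(pkt)
        if sess is None:
            # New session: the filter is evaluated once, at session setup, and
            # only while capture is enabled. Existing sessions are never revisited.
            sess = Session(pkt.src, pkt.dst)
            sess.tagged = self.capture_on and (pkt.src, pkt.dst) == self.match
            self.sessions[sess.key()] = sess
        written = sess.tagged and pkt.stage in self.stages
        if written:
            self.captured.append(pkt)
        return written


CLIENT, SERVER = "10.1.1.10", "10.2.2.20"  # constructed addresses


def run_scenario(stages, session_before_capture=False, filter_dst=SERVER):
    """Drive one client/server exchange through the model.

    Returns the sorted (direction, stage) pairs that landed in the capture.
    """
    fw = CaptureModel(CLIENT, filter_dst, stages)
    c2s = [Packet(CLIENT, SERVER, s) for s in ("receive", "transmit")]
    s2c = [Packet(SERVER, CLIENT, s) for s in ("receive", "transmit")]
    if session_before_capture:
        # Session is already in the connection table when capture is switched on.
        for p in c2s:
            fw.process(p)
    fw.start_capture()
    for p in c2s + s2c:
        fw.process(p)
    return sorted(("c2s" if p.src == CLIENT else "s2c", p.stage) for p in fw.captured)


if __name__ == "__main__":
    print("all stages, S2D filter only:", run_scenario(("receive", "transmit")))
    print("receive stage only:        ", run_scenario(("receive",)))
    print("session predates capture:  ", run_scenario(("receive", "transmit"), True))
    print("wrong destination in filter:", run_scenario(("receive", "transmit"), filter_dst="10.2.2.99"))
```

The first scenario is the one this reply makes: with only a client-to-server filter, the return direction still appears because the session, not the packet, was tagged. The third reproduces the earlier point that a session established before capture was enabled is never recorded, and the last mirrors the resolution of this thread, where a filter with wrong values tags nothing at all.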
01-05-2022 05:07 PM
The filter had all the required stages. Nothing was missing there. The filter had incorrect values. When the filter point was highlighted, I referred to the article below while correcting the filter to make sure I was not missing anything. Here, it talks about the backup filters so I kept it.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTJCA0