This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Packet Captures issues

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Packet Captures issues

Go to solution
d.spider
L2 Linker

‎12-29-2021 11:22 PM

Hello Friends 

 

I am trying to take packet captures on my firewall. But in captures I do not see all the packets. What may be the issue? Am I missing anything?

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
SutareMayur
L6 Presenter

‎12-30-2021 04:52 AM - edited ‎12-30-2021 04:54 AM

Hi @d.spider ,

As you said you are not seeing all the packets in the capture, can you confirm what type of filter you have kept for the capture? 

M

Check out my YouTube channel - https://www.youtube.com/@NetworkTalks

View solution in original post

0 Likes Likes
8 REPLIES 8

Go to solution
PavelK
Cyber Elite
Cyber Elite

‎12-30-2021 12:00 AM

Thank you for post @d.spider

 

the first thing I would suspect is session offloading:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CldYCAS

Kind Regards

Pavel

 

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

Go to solution
d.spider
L2 Linker

‎12-30-2021 03:20 AM

Hi @PavelK ,

 

Thanks for your response.

Is that applicable to all firewall models? I see specific platforms in the article and mine is not listed there (PA 800 series).

0 Likes Likes

Go to solution
SutareMayur
L6 Presenter

‎12-30-2021 04:52 AM - edited ‎12-30-2021 04:54 AM

Hi @d.spider ,

As you said you are not seeing all the packets in the capture, can you confirm what type of filter you have kept for the capture? 

M

Check out my YouTube channel - https://www.youtube.com/@NetworkTalks
0 Likes Likes

Go to solution
d.spider
L2 Linker
In response to SutareMayur

‎12-30-2021 08:54 PM

That’s a great point Sutare. Let me verify it as it was not set by me.

0 Likes Likes

Go to solution
PavelK
Cyber Elite
Cyber Elite

‎01-01-2022 06:30 PM

Thank you for reply @d.spider

 

I went through all documentation and it always states that session offloading is supported from PA-30XX/32XX series and higher, however I was looking into one of my PA-850 and I can see: "ctd decoder bypass" for some sessions:

 

PavelK_0-1641089799769.png

Even though it is not mentioned in documentation session offloading for PA-800 series seems supported.

 

If you determined that session offloading is not an issue in your scenario, then as Sutare mentioned maybe an issue is related to filters.

 

Another thing that comes to my mind is, only new sessions will be recorded after packet capture is enabled, so you will not be able to capture traffic for sessions that are already established. Also, make sure to configure all stages to be sure you do not miss anything:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTJCA0

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

Go to solution
d.spider
L2 Linker

‎01-02-2022 11:09 PM

Hi @PavelK ,

 

Thanks for the explanation. The issue is resolved now. It was due to wrong filter. When I put filter from S2D and D2S, I can see all the packets captured in the pcap file. My mistake! I didn’t checked filter settings earlier.

 

Thank you @SutareMayur for pointing out it.

0 Likes Likes

Go to solution
aleksandar.astardzhiev
Cyber Elite
Cyber Elite
In response to d.spider

‎01-04-2022 11:59 PM

Hi @d.spider ,

You don't actually need to put filter for return traffic in order to capture it. I am guessing that @PavelK  was right and you don't capture on all stages. I would suggest you to take more detailed look on link that @PavelK  share.

 

Filters in packet capture are not working, the same way you imagine. Filter is not filtering packets, it is actually used to "tag" sessions. Based on the source and destination, firewall will search its connection table and tag any session that match the filter. Packets that belongs to tagged session will be captured. Or as the previous link explain it - "filters are session aware".

 

So if you don't see return traffic when you use only source-to-destination filter, you definately not capturing on all stages - if I may guess not capturing transmit.

 

By the way, this is also very good link that, could explain why there is too much noise in your captures (even if your filter is very strict) - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClgDCAS

 

0 Likes Likes

Go to solution
d.spider
L2 Linker

‎01-05-2022 05:07 PM

Hi @aleksandar.astardzhiev ,

 

The filter had all the required stages. Nothing was missing there. The filter had incorrect values. When filter point was highlighted, I referred below article while correcting the filter to make sure I am not missing anything. Here, it talks about the backup filters so I kept it.

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTJCA0

0 Likes Likes
  • 1 accepted solution
  • 5884 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks