tcpdump filters


L2 Linker

Does anyone know what filters are supported for the tcpdump command on PAN-OS (7.0)?
For troubleshooting of a syslog (server) issue, due to large amounts of traffic, I need to capture only packets with the SYN or FIN/RST flag set.
Something like this : # tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0

 

The documentation I found, 'How To Packet Capture (tcpdump) On Management Interface', is sparse, as the filter options very well might be.


L6 Presenter

Don't know exactly what is allowed. But so far I managed to use only basic tcpdump filters through PAN-OS unfortunately.

 

L5 Sessionator

Hi,

 

It supports just a limited set of options. I would not even try to do regex on it; I don't try to filter with more than host and port, usually something like what is described in its help: tcpdump filters - e.g. "src net 67.207.148.0/24 and not port 22".

view-pcap verbose++ yes link-header yes mgmt-pcap mgmt.pcap is the second option I use to quickly review directly on the device, omitting or adding more options, but generally capturing doesn't go further than host / net / src / dst / port and a few such keywords. I haven't experimented, but on the other hand the mgmt interface will not really be as busy as upstream, right? host and port usually do the job for me.

 

To troubleshoot fast-sending syslog I would use a snaplen of 1 byte of data and filter by source IP and destination port (you care just about flags, right? you do not need the whole packet), and I would quit capturing quickly... "rinse and repeat" until you catch enough packets that give you good results?

 

Best regards

 

Luciano

Hi Luciano

 

Thanks for your reply.

We use the management interface as the service route for everything. We also forward all logs as syslog to Splunk, and it is the health of this connection I want to check (we get 'disconnect' messages too often).

This is a bit like swimming up the Niagara while catching fish, I assume, therefore filtering beyond host would make sense (SYN/FIN/RST flags).

 

But thanks again anyhow for your solid feedback.

 

-=Tommy=-

Well... I tested it on my FW and it worked in 6.1.10

 

> tcpdump filter "tcp[tcpflags] & (tcp-syn|tcp-fin) != 0"
Press Ctrl-C to stop capturing

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
^C5 packets captured
10 packets received by filter
0 packets dropped by kernel

 

It captured just SYN packets, which by default are truncated:

https://live.paloaltonetworks.com/t5/Management-Articles/Tcpdump-Packet-Capture-Truncated/ta-p/63047

 

regards,

Gerardo
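The filter Gerardo confirmed above works because tcp[tcpflags] is byte 13 of the TCP header and tcp-syn, tcp-fin and tcp-rst are bit masks on that byte; the kernel evaluates the BPF program against the full packet and only then truncates the saved copy to the snaplen. The Python below is an added example, not code from the thread or from PAN-OS. It constructs a few Ethernet/IPv4/TCP frames for a made-up firewall-to-Splunk TCP syslog session (10.0.0.1 to 10.0.0.50:514, assumed addresses), evaluates the flag filter extended with tcp-rst as the original question asked for, and shows that the 1-byte snaplen suggested earlier still matches SYN/FIN/RST frames but leaves no flags byte in the stored frame to read back, while the 96-byte capture size shown in the output above keeps it.

```python
import socket
import struct

# The named TCP flag bits tcpdump accepts in a filter (tcp-fin, tcp-syn, ...).
# tcp[tcpflags] is byte 13 of the TCP header, counted from the start of TCP.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
TCPFLAGS_OFFSET = 13

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Build a minimal Ethernet/IPv4/TCP frame. Constructed test data: MACs,
    checksums and seq/ack numbers are zero because the flag filter never reads them."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload


def tcp_flags(frame):
    """Return what tcpdump's tcp[tcpflags] would load, or None when the frame is
    not IPv4/TCP, is a non-first fragment, or is too short to hold that byte.
    (tcpdump compiles the same ethertype, protocol and fragment checks itself.)"""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
    if ip[9] != IPPROTO_TCP or frag_offset != 0:
        return None
    off = ETH_HDR_LEN + ihl + TCPFLAGS_OFFSET
    return frame[off] if off < len(frame) else None


def matches_syn_fin_rst(frame):
    """Evaluate the filter 'tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) != 0'."""
    f = tcp_flags(frame)
    return f is not None and (f & (TCP_SYN | TCP_FIN | TCP_RST)) != 0


def tcpdump_flag_string(flags):
    """Render flags the way tcpdump prints 'Flags [S.]': F S R P . in that order."""
    return "".join(ch for bit, ch in ((TCP_FIN, "F"), (TCP_SYN, "S"), (TCP_RST, "R"),
                                        (TCP_PSH, "P"), (TCP_ACK, ".")) if flags & bit)


def capture(frames, bpf, snaplen):
    """Model the kernel side of tcpdump: the BPF program sees every full frame,
    and only the matching ones are copied out, cut to snaplen bytes."""
    return [fr[:snaplen] for fr in frames if bpf(fr)]


def demo():
    # Assumed addresses: firewall mgmt 10.0.0.1 sending TCP syslog to Splunk on 514.
    fw, splunk = "10.0.0.1", "10.0.0.50"
    frames = [
        build_frame(fw, splunk, 40001, 514, TCP_SYN),
        build_frame(splunk, fw, 514, 40001, TCP_SYN | TCP_ACK),
        build_frame(fw, splunk, 40001, 514, TCP_PSH | TCP_ACK, b"<14>fw1 logged\n"),
        build_frame(fw, splunk, 40001, 514, TCP_FIN | TCP_ACK),
        build_frame(splunk, fw, 514, 40001, TCP_RST | TCP_ACK),
    ]
    # 96 bytes is the capture size shown in the PAN-OS output above; it covers
    # Ethernet + IPv4 + TCP headers, so the flags survive in the saved frame.
    kept_96 = capture(frames, matches_syn_fin_rst, snaplen=96)
    # A 1-byte snaplen still matches the same frames (the filter ran on the full
    # packet) but the stored copy no longer contains the flags byte.
    kept_1 = capture(frames, matches_syn_fin_rst, snaplen=1)
    return {
        "matched_flags": [tcpdump_flag_string(tcp_flags(fr)) for fr in kept_96],
        "flags_readable_at_snaplen_1": [tcp_flags(fr) for fr in kept_1],
        # Smallest snaplen that keeps the flags byte for an option-less IPv4/TCP frame.
        "min_snaplen_for_flags": ETH_HDR_LEN + 20 + TCPFLAGS_OFFSET + 1,
    }


if __name__ == "__main__":
    print(demo())
```

The data segment (PSH/ACK) is the only frame the filter drops, which is the point of filtering on flags when the syslog stream is busy: connection setup and teardown still arrive in the capture, and a 96-byte snaplen is plenty to read them back with view-pcap.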

Thanks a lot Gerardo.

Seems like I got confused about the use of ' versus ".

In my initial example the closing ' was also missing; this was a copy/paste glitch. Honest.

 

(there might be a closing ")" in your link that prevents it from being clickable)

How do I run tcpdump on an interface other than mgmt? Does anybody have any idea?

Community Team Member

Hi @aloke1.p,

 

tcpdump is specifically for the mgmt interface.

For dataplane interfaces you can use PCAP:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClgUCAS

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVoCAK

 

Hope this helps.

Cheers !

-Kiwi.

 