03-10-2016 02:24 AM
Does anyone know what filters are supported for the tcpdump command on PAN-OS (7.0) ?
For troubleshooting of a Syslog (server) issue, due to large amounts of traffic, I need to capture only packets with the SYN or FIN/RST flag set.
Something like this : # tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0
The documentation I found, 'How To Packet Capture (tcpdump) On Management Interface', is sparse, as the filter options very well might be.
03-10-2016 05:07 AM
Don't know exactly what is allowed. But so far I managed to use only basic tcpdump filters through PAN-OS unfortunately.
03-10-2016 11:40 PM
Hi,
It supports just a limited set of options. I would not even try to do regex on it; I don't try to filter with more than host and port, usually something like what is described in its help: tcpdump filters, e.g. "src net 67.207.148.0/24 and not port 22".
view-pcap verbose++ yes link-header yes mgmt-pcap mgmt.pcap is the second option I use to quickly review directly on the device, omitting or adding more options, but generally capturing doesn't go further than host / net / src / dest / port and a few such keywords. I haven't experimented, but on the other hand the mgmt interface will not really be as busy as upstream, right? host and port usually do the job for me.
To troubleshoot fast-sending syslog I would use a snaplen of 1 byte of data and filter by source IP and dest port (you care just about flags, right? you do not need the whole packet), and I would quit capturing quickly... "rinse and repeat" until you catch enough packets that give you good results.
Best regards
Luciano
03-11-2016 02:39 AM
Hi Luciano,
Thanks for your reply.
We use the management interface as the service route for all. We also forward all logs as Syslog to Splunk, and it is the health of this connection I want to check (we do get 'disconnect' messages too often).
This is a bit like swimming the Niagara upstream while catching fish, I assume, therefore filtering beyond host would make sense (SYN/FIN/RST flags).
But thanks again anyhow for your solid feedback.
-=Tommy=-
03-16-2016 10:53 AM - edited 03-18-2016 05:16 AM
Well... I tested it in my FW and it worked in 6.1.10:
> tcpdump filter "tcp[tcpflags] & (tcp-syn|tcp-fin) != 0"
Press Ctrl-C to stop capturing
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
^C5 packets captured
10 packets received by filter
0 packets dropped by kernel
It captured just SYN packets, which by default are truncated:
https://live.paloaltonetworks.com/t5/Management-Articles/Tcpdump-Packet-Capture-Truncated/ta-p/63047
regards,
Gerardo
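As an added example (not part of this thread), the Python below mirrors what the BPF expression Gerardo ran actually tests: byte 13 of the TCP header, the offset tcp[tcpflags] refers to, masked with the SYN/FIN/RST bits. It applies that same test to constructed TCP headers and tallies setups and teardowns toward an assumed syslog port of 514, the kind of count Tommy wanted for spotting disconnects; the sample segments carry only the TCP header, with no Ethernet/IP framing, to keep it short.

```python
import struct

# Flag bit values behind tcpdump's tcp-fin / tcp-syn / tcp-rst keywords.
# They live in TCP header byte 13, which is what tcp[tcpflags] indexes.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
TCP_FLAGS_OFFSET = 13

def tcp_segment(sport, dport, flags):
    """Constructed minimal 20-byte TCP header (no options, no payload)."""
    data_offset = 5 << 4  # 5 x 32-bit words, upper nibble of byte 12
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 65535, 0, 0)

def matches_flag_filter(tcp, mask=TCP_SYN | TCP_FIN | TCP_RST):
    """Same test as the BPF filter tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) != 0."""
    return (tcp[TCP_FLAGS_OFFSET] & mask) != 0

def summarize(segments, syslog_port=514):
    """Count setups and teardowns toward the syslog port (514 is an assumption)."""
    counts = {"syn": 0, "fin": 0, "rst": 0, "ignored": 0}
    for tcp in segments:
        dport = struct.unpack("!H", tcp[2:4])[0]
        if dport != syslog_port or not matches_flag_filter(tcp):
            counts["ignored"] += 1  # other ports, or plain data/ACK segments
            continue
        flags = tcp[TCP_FLAGS_OFFSET]
        if flags & TCP_SYN:
            counts["syn"] += 1
        if flags & TCP_FIN:
            counts["fin"] += 1
        if flags & TCP_RST:
            counts["rst"] += 1
    return counts

# Constructed sample: one clean session, then one torn down by RST.
SAMPLE = [
    tcp_segment(40001, 514, TCP_SYN),
    tcp_segment(40001, 514, TCP_ACK),             # data-path segments are ignored
    tcp_segment(40001, 514, TCP_PSH | TCP_ACK),
    tcp_segment(40001, 514, TCP_FIN | TCP_ACK),
    tcp_segment(40002, 514, TCP_SYN),
    tcp_segment(40002, 514, TCP_RST | TCP_ACK),   # the "disconnect" case
    tcp_segment(40003, 22, TCP_SYN),              # not the syslog stream
]

if __name__ == "__main__":
    print(summarize(SAMPLE))  # {'syn': 2, 'fin': 1, 'rst': 1, 'ignored': 3}
```

A RST count that keeps climbing relative to SYN/FIN is the signal to look at the syslog server or the path between, rather than the firewall's own log forwarding.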
03-18-2016 12:35 AM - edited 05-26-2016 02:15 AM
Thanks a lot Gerardo.
Seems like I got confused about the use of ' versus ".
In my initial example the closing ' was also missing; this was a copy/paste glitch. Honest!
(there might be a closing ")" in your link that prevents it from being clickable)
10-04-2018 07:59 AM
How to run tcpdump on an interface other than mgmt? Does anybody have any idea?
10-04-2018 08:28 AM
Hi @aloke1.p,
TCPDUMP is specifically for the mgmt interface.
For dataplane interfaces you can use PCAP:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClgUCAS
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVoCAK
Hope this helps.
Cheers !
-Kiwi.