Unknown Application Packet Capture

Showing results for 
Search instead for 
Did you mean: 

Unknown Application Packet Capture

Not applicable


I want know about Unknown packet capture.

Q1. Where is unknown pcap stored?

[Device] > [Setup] > [Management] > [ Logging and Reporting Settings]

App Pkt Capture ?

Q2. I want know Unknown Pcap Usage.

Q3. When is capture unknown packet in PA packet flow?



L5 Sessionator

Q1. Where is unknown pcap stored?[Device] > [Setup] > [Management] > [ Logging and Reporting Settings]App Pkt Capture ?

Application PCAPs are stored  at the following path /opt/panlogs/session/pan/application/ .

These  PCAPs will appear in the traffic log as a little green arrow .

You can use the  CLI command view-pcap application-pcap <date>/"   to view the Application pcaps

[Device] > [Setup] > [Management] > [ Logging and Reporting Settings] is where you can alter the Storage Quota for various logs and PCAPs

Q2. I want know Unknown Pcap Usage.

Can be viewed using CLI command :

> show system logdb-quota


             traffic: 32.00%, 38.060 GB

              threat: 16.00%, 19.030 GB

              system: 4.00%, 4.758 GB

              config: 4.00%, 4.758 GB

               alarm: 3.00%, 3.568 GB

               trsum: 7.00%, 8.326 GB

         hourlytrsum: 3.00%, 3.568 GB

          dailytrsum: 1.00%, 1.189 GB

         weeklytrsum: 1.00%, 1.189 GB

               thsum: 2.00%, 2.379 GB

         hourlythsum: 1.00%, 1.189 GB

          dailythsum: 1.00%, 1.189 GB

         weeklythsum: 1.00%, 1.189 GB

             appstat: 6.00%, 7.136 GB

              userid: 1.00%, 1.189 GB

            hipmatch: 3.00%, 3.568 GB

   application-pcaps: 1.00%, 1.189 GB

        threat-pcaps: 1.00%, 1.189 GB

  debug-filter-pcaps: 1.00%, 1.189 GB

         hip-reports: 1.00%, 1.189 GB

            dlp-logs: 1.00%, 1.189 GB

Disk usage:

traffic: Logs: 59M, Index: 14M

threat: Logs: 42M, Index: 12M

system: Logs: 5.6M, Index: 904K

config: Logs: 17M, Index: 184K

alarm: Logs: 20K, Index: 20K

trsum: Logs: 86M, Index: 4.1M

hourlytrsum: Logs: 2.7M, Index: 1.5M

dailytrsum: Logs: 944K, Index: 1.4M

weeklytrsum: Logs: 468K, Index: 224K

thsum: Logs: 192K, Index: 192K

hourlythsum: Logs: 176K, Index: 176K

dailythsum: Logs: 168K, Index: 168K

weeklythsum: Logs: 32K, Index: 32K

appstatdb: Logs: 1.1M, Index: 852K

userid: Logs: 100K, Index: 52K

hipmatch: Logs: 20K, Index: 20K

application-pcaps: 1.4M <<====App PCAP usage

threat-pcaps: 4.0K

debug-filter-pcaps: 12K

dlp-logs: 4.0K

hip-reports: 1.1M

wildfire: 16K

Q3. When is capture unknown packet in PA packet flow?

When PA firewall is unable to identify the application using APP-ID ,the application will be termed as unknown (unknown/-tcp,unknown-udp,non-sysn-tcp).

Following Tech note will give you detailed Information about unknown apps and how to report them to Palto Alto.

L5 Sessionator

The following doc explains about unknow apps


Also following document explains how to request an new application


you can also create an app override for an application that is internal to your network and you know the port numbers


Following doc explains what application override does


Hope this helps.


Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!