09-18-2023 08:28 AM
Hello,
I need to capture what passes through a VPN site-to-site tunnel. I'd like to see the tunnel and not the ESP.
With tcpdump you can use the command "tcpdump -i enc0" which decrypts the ESP.
On Palo Alto, what is the equivalent command? Because with view-pcap follow yes filter-pcap <filename> I can only see the ESP.
Thanks
09-18-2023 11:26 AM
Hi @GuillaumeV ,
With view-pcap command you can review the captures that are done when debugging/troubleshooting VPN negotiation.
To capture traffic passing through the firewall you need to use the Packet capture feature - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTJCA0
Above link goes into details how to define packet capture filter. If you filter based on the private IP address you will capture unencrypted. If you add filter for remote IPsec peer IP, you will capture the encrypted ESP traffic as well.
09-18-2023 11:26 AM
Hi @GuillaumeV ,
With view-pcap command you can review the captures that are done when debugging/troubleshooting VPN negotiation.
To capture traffic passing through the firewall you need to use the Packet capture feature - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTJCA0
Above link goes into details how to define packet capture filter. If you filter based on the private IP address you will capture unencrypted. If you add filter for remote IPsec peer IP, you will capture the encrypted ESP traffic as well.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
