12-16-2014 02:01 PM
Hello,
I've noticed a boatload of application-pcaps - between 5-15k, on days where they are captured. There are captures from most days, but not every day.
As far as I know, I don't have any traffic captures enabled. All of the following show that captures are disabled:
1. debug dataplane packet-diag show setting (capture and logs disabled on all dataplanes)
2. show running application setting (unknown capture and application capture are disabled)
3. debug ike pcap show (no ipsec config anyhow)
What else could be triggering these captures? Maybe they are used as a part of some firewall feature?
This is on PA-5060 running 6.0.5.
Ross
12-16-2014 02:04 PM
Hi rvandegrift
Where are you seeing these captures? I think these might be getting captured due to one of the security profiles, like for some of the threat pcap/extended pcap takes place.
Thanks
12-16-2014 02:12 PM
That's it - it looks like we have an AV profile that has a capture set for some hits. Thanks!
Ross
12-16-2014 10:18 PM
Hello Ross,
You may check the configured AV profile, in case pcap is enabled on it.
Example:
Hope this helps.
Thanks
12-17-2014 02:27 PM
I thought this was it, but nope - I disabled the AV profile packet capture yesterday, but there are thousands of new pcaps today:
admin@firewall(active-primary)> view-pcap application-pcap 20141217/
Display all 16625 possibilities? (y or n)
I've exported the device config and the Panorama config to grep through. All capture options are disabled in both places.
Are there conditions under which a device might capture packets anyhow?
Ross