What are these mysterious pcaps?

Showing results for 
Show  only  | Search instead for 
Did you mean: 

What are these mysterious pcaps?

Not applicable


I've noticed a boatload of application-pcaps - between 5-15k, on days where they are captured.  There are captures from most days, but not every day.

As far as I know, I don't have any traffic captures enabled.  All of the following show that captures are disabled:

1. debug dataplane packet-diag show setting (capture and logs disabled on all dataplanes)

2. show running application setting (unknown capture and application capture are disabled)

3. debug ike pcap show (no ipsec config anyhow)

What else could be triggering these captures?  Maybe they are used as a part of some firewall feature?

This is on PA-5060 running 6.0.5.



L5 Sessionator

Hi rvandegrift

Where are you seeing these captures ? I think these might be getting captured due to one of the security profiles like for some of the threat pcap/extended pcap takes place.


That's it - it looks like we have an AV profile that has a capture set for some hits.  Thanks!


Hello Ross,

You may check the configured AV profile, in casepcapenabled on it.



Hope this helps.


I thought this was it, but nope - I disabled the AV profile packet capture yesterday, but there are thousands of new pcaps today:

admin@firewall(active-primary)> view-pcap application-pcap 20141217/

Display all 16625 possibilities? (y or n)

I've exported the device config and the Panorama config to grep through.  All capture options are disabled in both places.

Are there conditions under which a device might capture packets anyhow?


Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!