10-14-2022 09:05 AM
I have a PA-460 that stopped doing pcaps for unknown traffic about two weeks ago. I played around with the application dump setting and I think I may have broken something:
Application setting:
Application cache : yes
Supernode : yes
Heuristics : yes
Cache Threshold : 16
Bypass when exceeds queue limit: no
Traceroute appid : yes
Traceroute TTL threshold : 30
Use cache for appid : no
Use simple appsigs for ident : yes
Use AppID cache on SSL/SNI : no
Unknown capture : on
Max. unknown sessions : 5000
Current unknown sessions : 0
Application capture : off
Current APPID Signature
Memory Usage : 4736 KB (Actual 4398 KB)
TCP 1 C2S : lscan db size 944448
TCP 1 S2C : lscan db size 727736
UDP 1 C2S : lscan db size 1086504
UDP 1 S2C : lscan db size 332968
Alternate APPID Signature
Memory Usage : 4736 KB (Actual 4396 KB)
TCP 1 C2S : lscan db size 944128
TCP 1 S2C : lscan db size 727736
UDP 1 C2S : lscan db size 1086056
UDP 1 S2C : lscan db size 332968
However, if I do view-pcap application-pcap, the last date for an unknown application is around 2 weeks ago. I may have set an application dump rule at that time; I can't remember for sure. To verify, I started a netcat session in order to generate an unknown-tcp session, and checked the "current unknown sessions" counter. It was still 0 while the netcat session was up, even though the unknown-tcp session was visible in the session browser. I do realize that the firewall only samples unknowns and doesn't capture every session, but it doesn't seem to be capturing any. Is there something I can do to get unknown-tcp pcaps working again?
10-14-2022 09:07 AM
For reference, this is 10.1.6-h6 on PA-460