unknown traffic pcaps just stopped happening one day around 2 weeks ago


L0 Member

I have a PA-460 that stopped doing pcaps for unknown traffic about two weeks ago.  I played around with the application dump setting and I think I may have broken something:


Application setting:
Application cache : yes
Supernode : yes
Heuristics : yes
Cache Threshold : 16
Bypass when exceeds queue limit: no
Traceroute appid : yes
Traceroute TTL threshold : 30
Use cache for appid : no
Use simple appsigs for ident : yes
Use AppID cache on SSL/SNI : no
Unknown capture : on
Max. unknown sessions : 5000
Current unknown sessions : 0
Application capture : off

Current APPID Signature
Memory Usage : 4736 KB (Actual 4398 KB)
TCP 1 C2S : lscan db size 944448
TCP 1 S2C : lscan db size 727736
UDP 1 C2S : lscan db size 1086504
UDP 1 S2C : lscan db size 332968

Alternate APPID Signature
Memory Usage : 4736 KB (Actual 4396 KB)
TCP 1 C2S : lscan db size 944128
TCP 1 S2C : lscan db size 727736
UDP 1 C2S : lscan db size 1086056
UDP 1 S2C : lscan db size 332968


However, if I do view-pcap application-pcap, the last date for an unknown application is around 2 weeks ago.  I may have set an application dump rule at that time; I can't remember for sure.  To verify, I started a netcat session in order to generate an unknown-tcp session, and checked the "current unknown sessions" counter.  It was still 0 while the netcat session was up, even though the unknown-tcp session was visible in the session browser.  I do realize that the firewall only samples unknowns and doesn't capture every session, but it doesn't seem to be capturing any.  Is there something I can do to get unknown-tcp pcaps working again?
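Added example (not from the original poster or Palo Alto Networks): a small Python checker that parses the "Application setting" block of `show running application setting` output, as pasted above, and reports the conditions a practitioner would rule out before opening a case: unknown capture switched off, the unknown-session budget set to zero or exhausted, and the situation the post describes, where capture is on and an unknown-tcp session is visible in the session browser yet "Current unknown sessions" stays at 0. The sample output embedded below is constructed from the values in the post; the key names and the `key : value` layout are assumed to match the CLI output shown, and the function and variable names are mine.

```python
"""
Parse the 'Application setting' block of `show running application setting`
and flag reasons unknown-traffic pcaps might not be produced.
Added example, not vendor code. Sample output constructed from the post.
"""
import re

# Constructed sample: the Application setting block from the post above.
SAMPLE_SETTING_OUTPUT = """\
Application setting:
Application cache : yes
Supernode : yes
Heuristics : yes
Cache Threshold : 16
Bypass when exceeds queue limit: no
Traceroute appid : yes
Traceroute TTL threshold : 30
Use cache for appid : no
Use simple appsigs for ident : yes
Use AppID cache on SSL/SNI : no
Unknown capture : on
Max. unknown sessions : 5000
Current unknown sessions : 0
Application capture : off
"""

_KV = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<val>.*?)\s*$")


def parse_application_setting(text):
    """Return {normalised_key: value} for every 'key : value' line.

    Keys are lower-cased with punctuation and whitespace runs collapsed to a
    single space, so 'Max. unknown sessions' becomes 'max unknown sessions'.
    Section headers with no value (e.g. 'Application setting:') are skipped.
    """
    settings = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if not m or not m.group("val"):
            continue
        key = re.sub(r"[^a-z0-9]+", " ", m.group("key").lower()).strip()
        settings[key] = m.group("val")
    return settings


def _as_int(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def diagnose_unknown_capture(settings, unknown_session_seen=False):
    """Return a list of findings about the unknown-traffic capture state.

    unknown_session_seen: pass True when the session browser shows an
    unknown-tcp/unknown-udp session at the moment the counters were read
    (the netcat test from the post).
    """
    findings = []
    capture = settings.get("unknown capture", "").lower()
    if capture != "on":
        findings.append(f"unknown capture is '{capture or 'missing'}', expected 'on'")

    max_sessions = _as_int(settings.get("max unknown sessions"))
    current = _as_int(settings.get("current unknown sessions"))
    if max_sessions is None or current is None:
        findings.append("unknown-session counters missing from output")
        return findings

    if max_sessions == 0:
        findings.append("max unknown sessions is 0, so no unknown session can be captured")
    elif current >= max_sessions:
        findings.append(f"unknown session budget exhausted ({current}/{max_sessions})")

    if capture == "on" and unknown_session_seen and current == 0:
        findings.append("capture is on and an unknown session is active, but "
                        "'Current unknown sessions' is still 0: the capture path "
                        "is not counting the session")
    return findings


if __name__ == "__main__":
    parsed = parse_application_setting(SAMPLE_SETTING_OUTPUT)
    for finding in diagnose_unknown_capture(parsed, unknown_session_seen=True):
        print("FINDING:", finding)
```

Run it against a fresh copy of the CLI output while the netcat session is up; with the values from the post and `unknown_session_seen=True` it reports exactly the counter-stuck-at-zero condition, and with capture set to `off` it reports that first.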


L0 Member

For reference, this is 10.1.6-h6 on PA-460
