Tips & Tricks: Enabling Packet Captures to Troubleshoot Daemons
Created On 02/07/19 23:52 PM - Last Updated 02/07/19 23:52 PM
The Palo Alto Networks firewall has several daemons that operate in a listening or active mode on the dataplane and that provide different services to your network-connected hosts or users. To verify that certain processes are functioning normally, collecting packet captures is a surefire way of making sure requests are received and responded to.
Setting up a full 'packet-diag' packet capture can capture too much data, leaving you to filter through large volumes of packets just to get to the interesting bit of information. Instead, daemons can be set to perform packet captures on their own processes, which lets an administrator see just the packets being processed by a single daemon.
The following commands address specific daemons and enable their packet capture feature:
The device server to verify cloud lookups for URL filtering
> debug device-server pcap on
The DHCP daemon
> debug dhcpd pcap on
The IKE manager for GlobalProtect, satellite or site-to-site VPN, phase 1 negotiation
> debug ike pcap on
The Link Layer Discovery Protocol, layer 2 control daemon
> debug l2ctrld lldp pcap on
The captive portal
> debug l3svc pcap on
The PPPoE daemon
> debug pppoed pcap on
The routing engine can collect packet captures for a specific protocol, or for all protocols
> delete    delete collected pcap files
> off       disable the packet capture
> show      shows a list of collected packet capture files
> view      display the currently active packet capture, if the daemon is set to 'on'
Alternatively, all available debug packet captures can be listed and viewed through the view-pcap command: