Tips & Tricks: Enabling Packet Captures to Troubleshoot Daemons

Tips & Tricks: Enabling Packet Captures to Troubleshoot Daemons

Created On 09/25/18 18:59 PM - Last Modified 02/07/19 23:52 PM


The Palo Alto Networks firewall has several daemons that operate in a listening or active mode on the dataplane and that provide different services to your network connected hosts or users. To verify if certain processes are functioning normally, collecting packet captures is a surefire way of making sure requests are received and responded to.


Rather than setting up a 'packet-diag' full packet capture, potentially capturing too much data and needing to filter through large volumes of packets just to get to the interesting bit of information, daemons can be set to perform packet captures on their own processes. This will allow an administrator to simply see what packets are being processed by a single daemon.


The following commands address specific daemons and enable their packet capture feature:


The device server to verify cloud lookups for URL filtering

> debug device-server pcap on 

The DHCP daemon

> debug dhcpd pcap on

The IKE manager for GlobalProtect, satellite or site-to-site VPN, phase 1 negotiation

> debug ike pcap on

The Link Layer Discovery Protocol,  layer 2 control daemon

> debug l2ctrld lldp pcap on

The captive portal

> debug l3svc pcap on

The PPPoE daemon

> debug pppoed pcap on

The routing engine can collect packet captures depending on the protocol, or all

> debug routing pcap 
> all
> bgp
> igmp
> ospf
> ospfv3
> pim
> rip

The pcap command comes with a few more options:

> delete              delete collected pcap files
> off disable the packet capture
> show shows a list of collected packet capture files
> view display the currently active packet capture, if the daemon is set to 'on'


Alternatively, all available debug packet captures can be listed and viewed through the view-pcap command:

admin@myNGFW> view-pcap debug-pcap 
dhcp-vr-0.pcap.pipe ds-url-reqs-vr-0.pcap ds-url-reqs-vr-0.pcap.pipe ikemgr.pcap dhcp-vr-0.pcap
admin@myNGFW> view-pcap debug-pcap dhcp-vr-0.pcap
10:54:26.446461 IP > BOOTP/DHCP, Request from 00:0c:29:5a:9e:1b (oui Unknown), length: 300
10:54:27.452142 IP > UDP, length 336


Packet captures can also be exported via SCP or TFTP so they can be viewed via wireshark

> scp export debug-pcap from dhcp-vr-0.pcap to admin@


Like learning about packet captures to troubleshoot daemons? Thumbs up below?



  • Print
  • Copy Link

Choose Language