Palo Alto Networks Knowledgebase: How to Run a Packet Capture


Created On 09/25/18 19:20 PM - Last Updated 09/25/18 23:09 PM

Overview

This document describes the basic steps and commands to configure packet captures, to start and stop the captures, and to manipulate the collected capture files. It is intended to provide an overview of the process using the most commonly used options. In order to get a better understanding of the packet captures and all available options, please refer to the following document: Packet Based Troubleshooting - Configuring Packet Captures and Debug Logs.

Details

On the CLI

Create packet filters

    • debug dataplane packet-diag set filter match source <IP_1> destination <IP_2>
    • debug dataplane packet-diag set filter on
    • debug dataplane packet-diag show setting

Note: Up to 4 match criteria can be configured for a given packet capture. If no source or destination IP address is specified, then "any" (0.0.0.0) is assumed.

Define the packet capture stages and the corresponding files

    • debug dataplane packet-diag set capture stage transmit file <filename_transmit>
    • debug dataplane packet-diag set capture stage receive file <filename_receive>
    • debug dataplane packet-diag set capture stage firewall file <filename_firewall>
    • debug dataplane packet-diag set capture stage drop file <filename_drop>

Start the packet captures

    • debug dataplane packet-diag set capture on

Note: Before starting the captures, make sure that the capture filters have been configured and that the filtering is turned on. For example:

admin@PAN-FW> debug dataplane packet-diag show setting
--------------------------------------------------------------------------------
Packet diagnosis setting:
--------------------------------------------------------------------------------
Packet filter
  Enabled:                   yes
  Match pre-parsed packet:   no
  Index 1: 192.168.0.1[0]->10.20.30.1[0], proto 0
           ingress-interface any, egress-interface any, exclude non-IP
--------------------------------------------------------------------------------

Important! Starting a capture without filtering may overload the firewall.


Stop the packet capture

    • debug dataplane packet-diag set capture off

View the capture files

    • view-pcap filter-pcap <filename>

To view the capture file in real-time while the capture is running, use the following command:

    • view-pcap follow yes filter-pcap <filename>

Export the capture files

    • scp export filter-pcap from <file> to <SCP_serv>
      where <SCP_serv> = user@server:path
    • tftp export filter-pcap from <file> to <tftp_Server_addr>

Clear the packet filters and captures

    • debug dataplane packet-diag set filter off
    • debug dataplane packet-diag clear filter all
    • debug dataplane packet-diag clear capture all
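The pre-flight check that the two notes above call for, written here as an added Python example (not code from the article or from PAN-OS): it parses the output of "debug dataplane packet-diag show setting" as shown above and lists the reasons "set capture on" should not be issued yet, namely filtering turned off, no match criteria, or a match entry that is effectively unfiltered. The 0.0.0.0 check assumes that is how an unspecified address appears in the output, as the note on "any" suggests.

```python
"""Pre-flight check before 'debug dataplane packet-diag set capture on': parse the
'show setting' output and confirm filtering is on with a real match entry."""
import re

# The article's own sample output, embedded here so the check runs offline.
SAMPLE_SETTING = """\
Packet diagnosis setting:
--------------------------------------------------------------------------------
Packet filter
  Enabled:                   yes
  Match pre-parsed packet:   no
  Index 1: 192.168.0.1[0]->10.20.30.1[0], proto 0
           ingress-interface any, egress-interface any, exclude non-IP
--------------------------------------------------------------------------------
"""

# "Index N: src[port]->dst[port], proto P" as printed in the firewall's output.
INDEX_RE = re.compile(r"^\s*Index\s+(\d+):\s+(\S+)\[(\d+)\]->(\S+)\[(\d+)\],\s+proto\s+(\d+)")

def parse_setting(text):
    """Return (enabled, entries); each entry is a dict of the parsed fields."""
    enabled, entries = False, []
    for line in text.splitlines():
        if line.strip().startswith("Enabled:"):
            enabled = line.split(":", 1)[1].strip().lower() == "yes"
        m = INDEX_RE.match(line)
        if m:
            idx, src, sport, dst, dport, proto = m.groups()
            entries.append({"index": int(idx), "src": src, "sport": int(sport),
                            "dst": dst, "dport": int(dport), "proto": int(proto)})
    return enabled, entries

def capture_preflight(text):
    """List reasons not to issue 'set capture on' yet; an empty list means go."""
    enabled, entries = parse_setting(text)
    problems = []
    if not enabled:
        problems.append("filter not enabled: run 'debug dataplane packet-diag set filter on'")
    if not entries:
        problems.append("no match criteria: an unfiltered capture may overload the firewall")
    for e in entries:
        # Assumption: an unspecified address is printed as the 'any' value 0.0.0.0.
        if e["src"] == "0.0.0.0" and e["dst"] == "0.0.0.0" and e["proto"] == 0:
            problems.append(f"index {e['index']} matches any source, destination and protocol")
    return problems
```

Paste the real "show setting" output into capture_preflight() in place of SAMPLE_SETTING; an empty result means the filter is on and specific enough to start the capture.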


On the WebUI

  1. Go to Monitoring > Packet Capture.
  2. Create and enable a packet filter.
  3. Create stages to capture packets and specify file names.
  4. Click OK to enable captures.
  5. Download the capture file(s) via HTTP by clicking the corresponding links after refreshing the capture page.

owner: skrall

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVoCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail