Palo Alto Networks Knowledgebase: How To Packet Capture (tcpdump) On Management Interface

How To Packet Capture (tcpdump) On Management Interface

76176
Created On 02/08/19 00:05 AM - Last Updated 02/08/19 00:06 AM
Mobile Network Infrastructure
Resolution

There may be cases where analysis/verification is required to determine whether traffic is being sent/received via the management interface. One such example would be during authentication testing to verify whether requests are being sent from the device to the LDAP or Radius server. Another example would be to determine whether a device is being polled/reachable through a SNMP server. Starting with PAN-OS 5.0 it is possible to know PCAP traffic to/from the management interface. The option is strictly CLI based utilizing tcpdump.

 

Example below:

As captures are strictly/implicitly utilizing the management interface, there is no need to manually specify interfaces as with a traditional tcpdump. For example:

admin@myNGFW> tcpdump filter "host 10.16.0.106 and not port 22"
Press Ctrl-C to stop capturing

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

 

Note: Filters must be enclosed in quotes, as in:

> tcpdump filter "host 10.16.0.106 and not port 22"

 

When a capture is complete, press Ctrl-C to stop capturing:

admin@myNGFW> tcpdump filter "host 10.16.0.106 and not port 22"
Press Ctrl-C to stop capturing

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
^C 6 packets captured
12 packets received by filter
0 packets dropped by kernel

 

To view the PCAP on the CLI run the view-pcap command. For example:

 

admin@myNGFW> view-pcap mgmt-pcap mgmt.pcap
15:42:57.834414 IP 10.16.0.106.https > 10.192.1.0.61513: P 196197148:196197179(31) ack 2821691363 win 66 <nop,nop,timestamp 9463094 700166797>
15:42:57.834477 IP 10.16.0.106.https > 10.192.1.0.61513: F 31:31(0) ack 1 win 66 <nop,nop,timestamp 9463094 700166797>
15:42:57.834910 IP 10.192.1.0.61513 > 10.16.0.106.https: . ack 31 win 4095 <nop,nop,timestamp 700231236 9463094>
15:42:57.834933 IP 10.192.1.0.61513 > 10.16.0.106.https: . ack 32 win 4095 <nop,nop,timestamp 700231236 9463094>
15:42:58.142807 IP 10.192.1.0.61513 > 10.16.0.106.https: F 1:1(0) ack 32 win 4096 <nop,nop,timestamp 700231542 9463094>
15:42:58.142831 IP 10.16.0.106.https > 10.192.1.0.61513: . ack 2 win 66 <nop,nop,timestamp 9463125 700231542>

 

 

 

Following are a few filter examples (though NOT limited solely to these options) which can be referenced/utilized/applied:

  • Filter By Port
    > tcpdump filter "port 80"
  • Filter By Source IP
    > tcpdump filter "src x.x.x.x"
  • Filter By Destination IP
    > tcpdump filter "dst x.x.x.x"
  • Filter By Host (src & dst) IP
    > tcpdump filter "host x.x.x.x"
  • Filter By Host (src & dst) IP, excluding SSH traffic
    > tcpdump filter "host x.x.x.x and not port 22"

 

Additionally, you can manually export the PCAP via SCP or TFTP, i.e.:

> scp export mgmt-pcap from mgmt.pcap to

  <value>  Destination (username@host:path)

 

> tftp export mgmt-pcap from mgmt.pcap to

  <value>  tftp host

 

Note: By default, there is a maximum limit of 68 bytes (Snap Length) per packet on PA-200, PA-500 and PA-2000. For the PA-3000, PA-4000 and PA-5000, the default limit is 96 bytes per packet. To extend this limit, use the "snaplen" option.

 

admin@myNGFW> tcpdump snaplen 
  <value>  <0-65535> Snarf snaplen bytes of data from each packet. (0 means use the required length to catch whole packets)

admin@myNGFW> tcpdump snaplen 0
Press Ctrl-C to stop capturing

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

 

See Also

Tcpdump Packet Capture Truncated

 

owner: bryan



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CleECAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language