Palo Alto Networks Knowledgebase: Packet Capture, Debug Flow-basic and Counter Commands

Packet Capture, Debug Flow-basic and Counter Commands

Created On 02/08/19 00:05 AM - Last Updated 02/08/19 00:05 AM
Resolution

Before Starting:

• Check for any configured filters using the command below. Make note of any filters so that they can be restored later, if needed.
> debug dataplane packet-diag show setting

• Clear all packet capture settings:
> debug dataplane packet-diag clear all

• Clear the debug log:
> debug dataplane packet-diag clear log log

• Clear all previously marked sessions:
> debug dataplane packet-diag clear filter-marked-session all

• In order to capture all packets in offloaded sessions, offload may need to be temporarily disabled.

Important!
Review the following document before disabling offload:
Disabling Session Offload to Record Traffic During

Packet Capture Traditional PCAP:

• Set a filter to control what traffic is captured:
> debug dataplane packet-diag set filter match <criteria>
> debug dataplane packet-diag set filter on

• Enable Packet Capture:
> debug dataplane packet-diag set capture stage receive file rx.pcap
> debug dataplane packet-diag set capture stage transmit file tx.pcap
> debug dataplane packet-diag set capture stage drop file dp.pcap
> debug dataplane packet-diag set capture stage firewall file fw.pcap
> debug dataplane packet-diag set capture on

• View the Packet Capture:
> view-pcap filter-pcap rx.pcap

• Export the Packet Capture in PCAP format (SCP or TFTP):
> scp export filter-pcap from fw.pcap to username@host:path
> tftp export filter-pcap from fw.pcap to <tftp host>

• Delete the PCAP file(s):
> delete debug-filter file <filename>
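Once the per-stage files have been exported, comparing them offline shows which flows were seen at the receive stage but never left at the transmit stage, and whether the drop-stage capture accounts for them. The script below is an added example, not part of this article or of PAN-OS: it reads exported libpcap files with a minimal parser and counts IPv4 TCP/UDP 5-tuples per stage. It assumes Ethernet link-type captures and pre-NAT traffic (NAT rewrites the tuple between receive and transmit); the frames and file contents are constructed sample data standing in for rx.pcap, tx.pcap and dp.pcap.

```python
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4  # libpcap magic; reads back unchanged from a little-endian file

def pcap_records(data):
    """Yield raw frames from a libpcap file such as one fetched with 'scp export filter-pcap'."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == PCAP_MAGIC else ">"  # byte-swapped magic means big-endian headers
    off = 24                                       # skip the 24-byte global header
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def five_tuple(pkt):
    """(proto, src, sport, dst, dport) for an Ethernet/IPv4 frame; ports are None unless TCP/UDP."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":   # not IPv4 (assumes Ethernet link type)
        return None
    ihl, proto = (pkt[14] & 0x0F) * 4, pkt[23]
    src, dst = ".".join(map(str, pkt[26:30])), ".".join(map(str, pkt[30:34]))
    l4 = 14 + ihl
    if proto not in (6, 17) or len(pkt) < l4 + 4:
        return (proto, src, None, dst, None)
    sport, dport = struct.unpack_from("!HH", pkt, l4)
    return (proto, src, sport, dst, dport)
def flow_counts(blob):
    return Counter(t for t in map(five_tuple, pcap_records(blob)) if t)

def stage_diff(rx, tx, drop):
    """Flows with fewer frames at transmit than at receive, plus how many of them hit the drop stage.
    Assumes pre-NAT tuples: NAT rewrites addresses/ports between the receive and transmit stages."""
    rx_c, tx_c, dp_c = flow_counts(rx), flow_counts(tx), flow_counts(drop)
    return {f: {"rx": n, "tx": tx_c.get(f, 0), "drop": dp_c.get(f, 0)}
            for f, n in rx_c.items() if tx_c.get(f, 0) < n}

# --- constructed sample captures standing in for rx.pcap / tx.pcap / dp.pcap (not real firewall output) ---
def _frame(src, dst, sport, dport, proto=6):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HH", sport, dport) + b"\x00" * 16
def _pcap(frames):
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

HTTPS = _frame("10.1.1.5", "203.0.113.10", 40000, 443)
SSH = _frame("10.1.1.6", "203.0.113.10", 40001, 22)
RX_PCAP, TX_PCAP, DP_PCAP = _pcap([HTTPS, SSH, HTTPS]), _pcap([HTTPS, HTTPS]), _pcap([SSH])
```

Calling stage_diff(RX_PCAP, TX_PCAP, DP_PCAP) on the sample data reports only the SSH flow: received once, never transmitted, and present once in the drop-stage file.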

Application Dump PCAP:

• Turn on application dump for the app:
> set application dump on application bittorrent <other criteria>

• View the Packet Capture (or through the Monitor tab in the GUI):
> view-pcap application-pcap fw.pcap

• Export the Packet Capture in PCAP format (SCP or TFTP):
> scp export application-pcap from fw.pcap to username@host:path
> tftp export application-pcap from fw.pcap to <tftp host>

Debug PCAP (IKE, DHCP, RPD):

• Turn on debug packet capture:
> debug ike pcap on
> debug dhcp pcap on
(etc...)

• View the Packet Capture:
> view-pcap debug-pcap fw.pcap

• Export the Packet Capture in PCAP format (SCP or TFTP):
> scp export debug-pcap from fw.pcap to username@host:path
> tftp export debug-pcap from fw.pcap to <tftp host>

Debug Flow Basic:

Important: This can increase CPU usage. Always use filters.

• Set a filter to control what traffic is logged:
> debug dataplane packet-diag set filter match <criteria>
> debug dataplane packet-diag set filter on

• Enable debug logging:
> debug dataplane packet-diag set log feature flow basic
> debug dataplane packet-diag set log on

• Capture traffic, then immediately disable logging:
> debug dataplane packet-diag set log off

• View the debug log (aggregate-logs is available on PAN-OS 5.0 and later only; wait 10-15 seconds after disabling the log before running it):
> debug dataplane packet-diag aggregate-logs
> less dp-log pan_packet_diag.log

Note: For the PA-5000 series, use dp0-log, dp1-log or dp2-log instead of dp-log. For the PA-200, use mp-log.

Show Drop Counters:

• Set a filter to control what traffic is counted:
> debug dataplane packet-diag set filter on
> debug dataplane packet-diag set filter match <criteria>

• Show the drop counters (absolute, or relative to the last time the command was run):
> show counter global filter packet-filter yes | match drop
> show counter global filter severity drop packet-filter yes delta yes

owner: vcappuccio
