Palo Alto Networks Knowledgebase: Packet Capture Contains Traffic not Defined in Filter

Packet Capture Contains Traffic not Defined in Filter

4535
Created On 02/08/19 00:05 AM - Last Updated 02/08/19 00:05 AM
Content Release Deployment
Resolution

Issue

The packet capture contains traffic that does not match the filter defined.

Resolution

This can be caused by a few different issues.

  • If pre-parse match is enabled, some traffic that does not match the packet-filter may be captured. This option should only be used for advanced troubleshooting.
  • The packet-filter 'tags' matching sessions.¬† The tags will remain until the session has been removed¬† from the the session table. Because of this functionality there may be cases when old sessions are showing in the packet captures even after the filter has been changed.¬† For example, a filter is configured that matches 100 active sessions. A new filter is configured while the same 100 sessions are active. Any captures taken will contain the original 100 session and any additional session that are matched with the new filter. To prevent the original 100 session from being captured, the session would need to be manually cleared.

    From PAN-OS 6.0 and above, the packet capture tag can be cleared using one of the following commands:
    • > debug dataplane packet-diag clear filter-marked-session all
    • > debug dataplane packet-diag clear filter-marked-session id <value>

owner: sspringer



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClgDCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language