How to Capture Traffic (PCAP) Hitting a Specific Rule
Resolution
Details
To enable packet capture for a specific rule:
- Log into the CLI and run the following command:
> set application dump on rule allow_all
Application setting:
Application cache : yes
Supernode : yes
Heuristics : yes
Cache Threshold : 16
Bypass when exceeds queue limit: yes
Unknown capture : on
Max. unknown sessions : 5000
Current unknown sessions : 0
Application capture : on
Max. application sessions : 5000
Current application sessions : 0
Application filter setting:
From : any
To : any
Source : any
Destination : a
Protocol : any
Source Port : any
Dest. Port : any
Application : any
Current APPID Signature
Signagure Usage : 29 MB (Max. 32 MB)
TCP 1 C2S : 10551 states
TCP 1 S2C : 4880 states
TCP 2 C2S : 14988 states
TCP 2 S2C : 6142 states
UDP 1 C2S : 6514 states
UDP 1 S2C : 2774 states
UDP 2 C2S : 9782 states
UDP 2 S2C : 2036 states
- By default, the firewall also captures traffic considered "unknown" or "insufficient data." To turn off this automatic capture until the next reboot, run the following command:
> set application dump-unknown no
Note: This setting will reset when the device is rebooted.
- To make the settings persist through a reboot, use the following commands:
> configure
# set deviceconfig setting application dump-unknown off
# commit
- Go to the traffic log in the WebGUI
- Click the green arrow next to the traffic log entry to download the PCAP, as shown in the example screenshot.
- To turn off the application dump once the PCAPs are retrieved:
> set application dump off
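A small helper for verifying the capture state after running the commands above. This is an added example, not part of the original article and not a PAN-OS tool: it parses the "Key : value" status block that the firewall prints after `set application dump on rule ...` (the sample text below is constructed from that output, with a non-zero session count and a complete Destination field) and reports the settings an operator should not leave behind, namely application capture still on, unknown-traffic capture still on, and a capture session budget that has been exhausted. Function names and the finding wording are my own.

```python
# Added example (not from the article or PAN-OS): parse the status block printed
# by "set application dump" and flag capture settings that should not be left on.
import re
from typing import Dict, List

# Constructed sample, modelled on the status output shown in the article.
SAMPLE_OUTPUT = """\
Application setting:
Application cache : yes
Bypass when exceeds queue limit: yes
Unknown capture : on
Max. unknown sessions : 5000
Current unknown sessions : 0
Application capture : on
Max. application sessions : 5000
Current application sessions : 12
Application filter setting:
From : any
To : any
Source : any
Destination : any
Protocol : any
Source Port : any
Dest. Port : any
Application : any
"""

# "Key : value" lines; section headers ("Application setting:") have an empty value.
_LINE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 .]*?)\s*:\s*(.*?)\s*$")


def parse_dump_status(text: str) -> Dict[str, str]:
    """Turn the status block into a dict keyed by lower-cased setting name.

    Section headers (no value after the colon) and lines without a colon are skipped.
    """
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and m.group(2):
            settings[m.group(1).strip().lower()] = m.group(2)
    return settings


def capture_findings(settings: Dict[str, str]) -> List[str]:
    """Return housekeeping findings for a parsed status block (empty list = clean)."""
    findings: List[str] = []
    if settings.get("application capture") == "on":
        findings.append("application capture is on: run 'set application dump off' "
                        "once the PCAPs have been retrieved")
    if settings.get("unknown capture") == "on":
        findings.append("unknown-traffic capture is on: run 'set application dump-unknown no' "
                        "(non-persistent) or set it under deviceconfig and commit")
    # The firewall stops capturing new sessions once the session budget is used up,
    # so a full budget means the PCAPs you are about to pull may be incomplete.
    try:
        current = int(settings["current application sessions"])
        maximum = int(settings["max. application sessions"])
        if current >= maximum:
            findings.append(f"application capture session budget exhausted ({current}/{maximum})")
    except (KeyError, ValueError):
        pass  # counters absent or non-numeric: nothing to check
    return findings


if __name__ == "__main__":
    parsed = parse_dump_status(SAMPLE_OUTPUT)
    for finding in capture_findings(parsed) or ["no capture settings left enabled"]:
        print("-", finding)
```

Paste the real CLI output into `parse_dump_status` in place of the constructed sample; on the article's own output the helper would report both capture modes as still on, which is the expected state in the middle of the procedure and the state to clear at the end of it.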