Palo Alto Networks Knowledgebase: How to Get an Application PCAP

Created On 02/08/19 00:03 AM - Last Updated 02/08/19 00:04 AM
Resolution

Steps

To capture the packets of one specific application (an application PCAP) for troubleshooting, follow these steps:

  1. Log into the CLI.
  2. Turn on the application dump using the set application dump on <option> command. Use one or more of the following criteria to capture a specific application:
    application        Application name
    destination        Destination IP address
    destination-port   Destination port
    destination-user   Destination user
    from               From zone
    limit              Limit
    protocol           IP protocol value
    rule               Rule name
    source             Source IP address
    source-port        Source port
    source-user        Source user
    to                 To zone

    For example:

    > set application dump on application web-browsing source 192.168.1.1 destination 74.12.1.2 destination-port 80
  3. To verify the settings, run the following command:
    > show running application setting
    Application setting:
    Application cache             : yes
    Supernode                     : yes
    Heuristics                    : yes
    Cache Threshold               : 16
    Bypass when exceeds queue limit: yes
    Traceroute appid              : yes
    Traceroute TTL threshold      : 30
    Use cache for appid           : no
    Unknown capture               : on
    Max. unknown sessions         : 5000
    Current unknown sessions      : 0
    Application capture           : on   
    Max. application sessions     : 5000
    Current application sessions  : 0
    Application filter setting:
    From                      : any
    To                        : any
    Source                    : 0:0:0:0:0:0:0:0:0:0:255:255:192:168:1:1
    Destination               : 0:0:0:0:0:0:0:0:0:0:255:255:74:12:1:2
    Protocol                  : any
    Source Port               : any
    Dest. Port                : 80
    Application               : web-browsing
  4. In the Web UI, go to the Traffic log. A green arrow is displayed next to each session that matched the filter; click it to download the <application name> PCAP.
  5. Turn off the application dump.
    > set application dump off
  6. Rename the PCAP file with the name of the desired application.
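The output of show running application setting in step 3 prints the filter addresses as 16 colon-separated decimal octets (an IPv4-mapped IPv6 address, ::ffff:a.b.c.d), which makes it easy to misread whether the filter really matches the command from step 2. The following Python script is an added example, not code from the article or from Palo Alto Networks: it parses that output (the sample below is copied from step 3), decodes the mapped addresses back to IPv4, and reports any mismatch between the running filter and the criteria the operator intended. The function names are my own.

```python
"""Parse `show running application setting` output from a PAN-OS firewall
and confirm that the application dump filter matches what was intended.

Added example; not code from the Palo Alto Networks article. The sample
output is copied from step 3 of the article, and the function names are
my own.
"""
import ipaddress
import re

# Sample CLI output, copied from step 3 of the article.
SAMPLE_OUTPUT = """\
Application setting:
Application cache             : yes
Supernode                     : yes
Heuristics                    : yes
Cache Threshold               : 16
Bypass when exceeds queue limit: yes
Traceroute appid              : yes
Traceroute TTL threshold      : 30
Use cache for appid           : no
Unknown capture               : on
Max. unknown sessions         : 5000
Current unknown sessions      : 0
Application capture           : on
Max. application sessions     : 5000
Current application sessions  : 0
Application filter setting:
From                      : any
To                        : any
Source                    : 0:0:0:0:0:0:0:0:0:0:255:255:192:168:1:1
Destination               : 0:0:0:0:0:0:0:0:0:0:255:255:74:12:1:2
Protocol                  : any
Source Port               : any
Dest. Port                : 80
Application               : web-browsing
"""

SECTIONS = ("Application setting", "Application filter setting")
# "key : value"; the key stops at the first colon so that colon-separated
# addresses in the value are kept intact.
KV_RE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")


def parse_setting_output(text):
    """Return {section_name: {key: value}} for the two sections of the output."""
    parsed = {name: {} for name in SECTIONS}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.endswith(":") and stripped[:-1] in parsed:
            current = stripped[:-1]  # section header line
            continue
        match = KV_RE.match(line)
        if match and current is not None:
            parsed[current][match.group("key")] = match.group("value")
    return parsed


def decode_filter_address(value):
    """PAN-OS prints filter addresses as 16 decimal octets separated by colons,
    i.e. an IPv4-mapped IPv6 address (::ffff:a.b.c.d). Return the IPv4
    address when it is mapped, the IPv6 address otherwise, or "any"."""
    if value == "any":
        return "any"
    octets = [int(o) for o in value.split(":")]
    if len(octets) != 16 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"unexpected filter address format: {value!r}")
    addr = ipaddress.IPv6Address(bytes(octets))
    return addr.ipv4_mapped or addr


def filter_mismatches(text, expected):
    """Compare the running filter against the criteria given to
    `set application dump on`. Returns a list of problems; an empty list
    means the capture is on and filtering as requested."""
    parsed = parse_setting_output(text)
    settings = parsed["Application setting"]
    filt = parsed["Application filter setting"]
    problems = []
    if settings.get("Application capture") != "on":
        problems.append("Application capture is not on")
    # Normalise the running filter to the same keys the CLI command uses.
    actual = {
        "application": filt.get("Application", "any"),
        "source": str(decode_filter_address(filt.get("Source", "any"))),
        "destination": str(decode_filter_address(filt.get("Destination", "any"))),
        "destination-port": filt.get("Dest. Port", "any"),
        "source-port": filt.get("Source Port", "any"),
        "from": filt.get("From", "any"),
        "to": filt.get("To", "any"),
    }
    for key, want in expected.items():
        got = actual.get(key)
        if got != str(want):
            problems.append(f"{key}: expected {want}, got {got}")
    return problems


if __name__ == "__main__":
    # The criteria from the example command in step 2.
    intended = {"application": "web-browsing", "source": "192.168.1.1",
                "destination": "74.12.1.2", "destination-port": 80}
    issues = filter_mismatches(SAMPLE_OUTPUT, intended)
    print("filter OK" if not issues else "\n".join(issues))
```

Paste the real CLI output into SAMPLE_OUTPUT (or read it from a file) and pass the criteria you typed in step 2; a non-empty result means the dump is either off or filtering on something other than what you intended, which is worth knowing before you wait for sessions to appear in the Traffic log.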


owner: jebel



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CliPCAS