Packet Capture Stops Working When Changing Files
New packet capture data is not being generated. Only the old PCAP data is being captured.
The Palo Alto Networks firewall tags a session when it is captured through the PCAP function. The firewall can tag new filtered traffic only after the session, or the tag on the session, is cleared.
Prior to the release of PAN-OS 6.0, if a packet capture filter was run and it matched an already established long-lived session, and you then changed the filter to capture other traffic, the capture would still contain packets matching the original filter. The only way to prevent this was to either wait for the sessions in question to age out or to clear all affected sessions. Clear sessions matching the previously filtered data with the following command:
> clear session id <id_value>
In PAN-OS 6.0, a feature was added to the debug command that allows clearing that flag from a specific session or from all sessions:
> debug dataplane packet-diag clear filter-marked-session ( all|id )
If an ID is specified, the flag is cleared from just that session. If all is specified, the flag is cleared from all sessions. This does not affect the sessions themselves.