Palo Alto Networks Knowledgebase: What is The Limitation of the Packet Capture File Size on PAN-OS?

Created On 02/07/19 23:38 PM - Last Updated 02/07/19 23:38 PM
Resolution

To control capture file size, PAN-OS uses two files per capture stage, which together act as a ring buffer. Once "filename.pcap" reaches 200MB, it is renamed to "filename.pcap.1" and a new "filename.pcap" is created. If "filename.pcap.1" already exists, it is overwritten when the current "filename.pcap" reaches the 200MB file size. This means that PAN-OS keeps, at most, the last 400MB of PCAP information.

The 200MB limit cannot be modified in PAN-OS. To reduce the amount of data captured, the snaplen parameter can be modified to limit the captured packet size (40-65535 bytes):

> debug dataplane packet-diag set capture snaplen <40-65535>
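
The rotation described above can be modeled to see how snaplen changes how far back the two files reach. The following Python sketch is an added example, not Palo Alto Networks code; it assumes classic libpcap framing (24-byte file header, 16-byte per-packet header), reads "200MB" as 200 MiB, and assumes the size check runs after each packet is written.

```python
PCAP_FILE_HEADER = 24      # bytes: libpcap global header, once per file (assumed format)
PCAP_RECORD_HEADER = 16    # bytes: per-packet record header (assumed format)
FILE_LIMIT = 200 * 1024 * 1024  # assumption: "200MB" read as 200 MiB


def simulate_ring(packets, snaplen, file_limit=FILE_LIMIT):
    """Replay (timestamp, wire_len) packets through the two-file rotation.

    Returns (oldest_retained_ts, retained_bytes, rotations).
    Assumption: the size check happens after each packet is written.
    """
    cur_size, cur_first = PCAP_FILE_HEADER, None   # filename.pcap
    old_size, old_first = 0, None                  # filename.pcap.1
    rotations = 0
    for ts, wire_len in packets:
        if cur_first is None:
            cur_first = ts
        cur_size += PCAP_RECORD_HEADER + min(wire_len, snaplen)
        if cur_size >= file_limit:
            # Rename filename.pcap -> filename.pcap.1, overwriting the old one.
            old_size, old_first = cur_size, cur_first
            cur_size, cur_first = PCAP_FILE_HEADER, None
            rotations += 1
    oldest = old_first if old_first is not None else cur_first
    retained = old_size + (cur_size if cur_first is not None else 0)
    return oldest, retained, rotations


def seconds_per_file(pps, avg_wire_len, snaplen, file_limit=FILE_LIMIT):
    """Approximate time for one file to fill at a steady packet rate."""
    per_packet = PCAP_RECORD_HEADER + min(avg_wire_len, snaplen)
    return (file_limit - PCAP_FILE_HEADER) / (per_packet * pps)


if __name__ == "__main__":
    # Constructed traffic: 1500-byte packets, one per time unit,
    # replayed against a tiny 1000-byte limit so the rotation is visible.
    stream = [(t, 1500) for t in range(30)]
    for snap in (100, 40):
        print("snaplen", snap, simulate_ring(stream, snap, file_limit=1000))
    # Steady 10,000 pps of 1500-byte packets at the full file limit.
    for snap in (65535, 128):
        secs = seconds_per_file(10_000, 1500, snap)
        print("snaplen", snap, round(secs, 1), "seconds per file")
```

Immediately after a rotation only "filename.pcap.1" holds data, so the retained history varies between one and two files' worth; size the snaplen against the one-file figure when a minimum look-back window is required.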

owner: nbilly


