What is The Limitation of the Packet Capture File Size on PAN-OS?

Created On 09/26/18 19:16 PM - Last Modified 06/13/23 03:56 AM


Resolution


To control capture file size, PAN-OS works with 2 files per stage acting as ring buffers. Once the original "filename.pcap" reaches 200MB, it is renamed to "filename.pcap.1" and a new "filename.pcap" is created. If "filename.pcap.1" already exists, it is overwritten when the current "filename.pcap" file reaches the 200MB file size. This means that, at maximum, PAN-OS will keep the last 400MB of PCAP information.

The limit of 200MB cannot be modified in PAN-OS. To reduce the amount of traffic data captured, the snaplen parameter can be modified to limit the captured packet size (40-65535 bytes):

> debug dataplane packet-diag set capture snaplen <40-65535>
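
An added example, not from the original article or from Palo Alto Networks: a Python model of the two-file rotation described above, showing how much capture history is still on disk when the capture stops and how a smaller snaplen lengthens it. It assumes the classic libpcap layout (24-byte file header, 16-byte record header), reads 200MB as 200 MiB, and assumes rotation happens before a packet that would exceed the limit; function names and traffic are constructed.

```python
LIMIT = 200 * 1024 * 1024  # assumption: "200MB" taken as 200 MiB
FILE_HDR = 24              # assumption: classic libpcap file header
REC_HDR = 16               # assumption: classic libpcap per-packet header


def stored_size(wire_len, snaplen):
    """Bytes one packet occupies on disk after truncation to snaplen."""
    return REC_HDR + min(wire_len, snaplen)


def simulate(packets, snaplen, limit=LIMIT):
    """Replay (timestamp, wire_len) pairs; return timestamps left in (.pcap, .pcap.1)."""
    current, previous = [], []
    size = FILE_HDR
    for ts, wire_len in packets:
        rec = stored_size(wire_len, snaplen)
        if size + rec > limit:        # current file is full
            previous = current        # rename to .pcap.1, overwriting the old one
            current, size = [], FILE_HDR
        current.append(ts)
        size += rec
    return current, previous


def retained_window(packets, snaplen, limit=LIMIT):
    """Seconds of history still recoverable from both files at stop time."""
    current, previous = simulate(packets, snaplen, limit)
    kept = previous + current
    return kept[-1] - kept[0] if kept else 0.0


if __name__ == "__main__":
    # Constructed traffic: 1000 packets/s of 1400-byte packets for 15 minutes.
    traffic = [(i / 1000.0, 1400) for i in range(900_000)]
    for snaplen in (65535, 128):
        print(snaplen, round(retained_window(traffic, snaplen), 1), "seconds kept")
```

Right after a rotation only "filename.pcap.1" is full, so the history guaranteed to be on disk at any moment is closer to 200MB than 400MB.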

owner: nbilly


