How to take a tcpdump on the logging interface (bond1) of a PA-5450

Created On 07/02/24 13:46 PM - Last Modified 12/29/25 16:36 PM


Objective


This article shows how to take a tcpdump (PCAP) on the logging interface (bond1) of a PA-5450 firewall.

Environment


  • Palo Alto PA-5450 Firewall
  • Supported PAN-OS


Procedure


  1. To take a tcpdump on the logging interface (bond1), define the bond interface in the tcpdump command.
  2. The following are the available tcpdump arguments on a PA-5450:
> tcpdump
+ filter      tcpdump filters - e.g. "src net 10.20.1.0/24 and not port 22"
+ interface   Select interface to dump
+ snaplen     Snarf snaplen bytes of data from each packet. (0 means use the required length to catch whole packets)
  <Enter>     Finish input
  3. An example of a complete command is below:
> tcpdump interface bond1 filter "port 514"

Press Ctrl-C to stop capturing
  4. The tcpdump command on the PA-5450 does not support more than 2 arguments. If you use 3 arguments, you will get the error "Unsupported number of arguments", as below:
> tcpdump snaplen 0 interface bond1 filter "port 80"
Press Ctrl-C to stop capturing
Unsupported number of arguments
  5. The tcpdump is saved to the mgmt.pcap file on the firewall. You can upload the mgmt.pcap file to the TAC case using either of the methods below:
    1. Method 1: Download the mgmt.pcap file via the firewall GUI (if available on the PAN-OS version) under the 'Device > Support > Debug and Management PCAP Files > Download Debug and Management PCAP Files' menu. Then upload the file to the TAC case using the Customer Support Portal.

    2. Method 2: Use the SCP export CLI command to upload the mgmt.pcap file directly to the TAC case:
scp export mgmt-pcap from mgmt.pcap to xxxxxxxx@tacupload.paloaltonetworks.com:./
    • xxxxxxxx is the case number, including leading zeros. Example: 00654321@tacupload.paloaltonetworks.com:./
    • When prompted, enter the email address under which the case was opened as the password.
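
Once mgmt.pcap has been downloaded (Method 1), it can be checked offline to confirm that the capture actually contains the filtered traffic, such as port 514, before it is uploaded. The script below is an added example, not part of the original article or Palo Alto Networks tooling. It assumes the file is a classic little-endian libpcap capture with Ethernet link type and untagged IPv4; the function names and the sample packets are constructed for illustration.

```python
import struct
from collections import Counter

def summarize_port(pcap: bytes, port: int = 514) -> Counter:
    """Count IPv4 TCP/UDP packets to or from `port`, keyed by (src, dst, proto)."""
    if len(pcap) < 24 or struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap file")
    if struct.unpack_from("<I", pcap, 20)[0] != 1:
        raise ValueError("expected Ethernet link type (1)")
    flows, off = Counter(), 24
    while off + 16 <= len(pcap):
        # Per-packet record header: ts_sec, ts_usec, incl_len, orig_len
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Need Ethernet (14) + minimal IPv4 (20) + ports (4); IPv4 ethertype only
        if len(frame) < 38 or frame[12:14] != b"\x08\x00":
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        proto = {6: "tcp", 17: "udp"}.get(ip[9])
        frag_offset = struct.unpack_from("!H", ip, 6)[0] & 0x1FFF
        # Non-first fragments carry no L4 header, so they are skipped
        if proto is None or ihl < 20 or frag_offset or len(ip) < ihl + 4:
            continue
        sport, dport = struct.unpack_from("!HH", ip, ihl)
        if port in (sport, dport):
            src = ".".join(map(str, ip[12:16]))
            dst = ".".join(map(str, ip[16:20]))
            flows[(src, dst, proto)] += 1
    return flows

def sample_pcap() -> bytes:
    """Constructed capture: two UDP/514 packets and one TCP/443 packet."""
    def record(src, dst, proto, sport, dport):
        l4 = struct.pack("!HH", sport, dport) + bytes(16)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                         proto, 0, bytes(src), bytes(dst))
        eth = bytes(12) + b"\x08\x00" + ip + l4
        return struct.pack("<IIII", 0, 0, len(eth), len(eth)) + eth
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return (header
            + record([192, 0, 2, 10], [192, 0, 2, 50], 17, 40000, 514) * 2
            + record([192, 0, 2, 10], [198, 51, 100, 7], 6, 51000, 443))

if __name__ == "__main__":
    # For a real file: summarize_port(open("mgmt.pcap", "rb").read())
    for flow, count in summarize_port(sample_pcap()).items():
        print(flow, count)
```

An empty result for the port used in the capture filter means the file holds no matching IPv4 TCP/UDP packets under the stated assumptions.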

