How to take a tcpdump on the logging interface (bond1) of a PA-5450

Created On 07/02/24 13:46 PM - Last Modified 10/28/25 19:39 PM


Objective


This article shows how to take a tcpdump (PCAP) on the logging interface (bond1) of a PA-5450 firewall.

Environment


  • Palo Alto PA-5450 Firewall
  • Supported PAN-OS

 



Procedure


  1. To take a tcpdump on the logging interface (bond1), define the bond interface in the tcpdump command.
  2. The following are the available tcpdump arguments on a PA-5450:
> tcpdump
+ filter      tcpdump filters - e.g. "src net 10.20.1.0/24 and not port 22"
+ interface   Select interface to dump
+ snaplen     Snarf snaplen bytes of data from each packet. (0 means use the required length to catch whole packets)
  <Enter>     Finish input
  3. An example of the complete command is below.
> tcpdump interface bond1 filter "port 514"

Press Ctrl-C to stop capturing
  4. The tcpdump command on the PA-5450 does not support more than 2 arguments. If you use 3 arguments, you will get the error "Unsupported number of arguments", as below:
> tcpdump snaplen 0 interface bond1 filter "port 80"
Press Ctrl-C to stop capturing
Unsupported number of arguments
  5. The tcpdump is saved to the mgmt.pcap file on the firewall.
  6. To upload the mgmt.pcap file to an SFDC case over SCP, use scp export:
scp export mgmt-pcap from mgmt.pcap to xxxxxxxx@tacupload.paloaltonetworks.com:./
  • xxxxxxxx will be the case number, including leading zeros. Example: 00654321@tacupload.paloaltonetworks.com:./
  • When prompted, the password will be the email address under which the case was opened.
  7. The mgmt.pcap can also be downloaded via the GUI (if available on the PAN-OS version) under the Device > Support > Debug and Management PCAP Files menu by clicking the Download Debug and Management PCAP Files link.
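
Because the 2-argument limit means snaplen cannot be set together with interface and filter, it is worth checking an exported mgmt.pcap for truncated packets before relying on it. The following is an added example, not part of the original article or Palo Alto Networks code; it assumes mgmt.pcap is in the classic libpcap format, and the function names and the sample capture are constructed for illustration.

```python
import struct

# Classic libpcap magic numbers (microsecond and nanosecond timestamp variants).
_MAGICS = {0xA1B2C3D4, 0xA1B23C4D}

def pcap_truncation_report(data: bytes) -> dict:
    """Summarise snaplen and truncated records in a classic pcap byte string."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    # Detect byte order from the magic number.
    for endian in ("<", ">"):
        if struct.unpack(endian + "I", data[:4])[0] in _MAGICS:
            break
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    # Global header: magic, version major/minor, thiszone, sigfigs, snaplen, linktype.
    _, _, _, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    total = truncated = 0
    offset = 24
    while offset + 16 <= len(data):
        # Record header: ts_sec, ts_frac, captured length, original length on the wire.
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        if offset + incl_len > len(data):
            break  # file ends mid-record; ignore the partial tail
        offset += incl_len
        total += 1
        if incl_len < orig_len:
            truncated += 1  # packet was cut at snaplen
    return {"snaplen": snaplen, "linktype": linktype,
            "packets": total, "truncated": truncated}

def build_sample_pcap() -> bytes:
    """Constructed sample: snaplen 96, one whole 60-byte frame, one 1500-byte frame cut to 96."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 96, 1)
    out += struct.pack("<IIII", 1, 0, 60, 60) + bytes(60)
    out += struct.pack("<IIII", 2, 0, 96, 1500) + bytes(96)
    return out

if __name__ == "__main__":
    # For a real capture, pass open("mgmt.pcap", "rb").read() instead of the sample.
    print(pcap_truncation_report(build_sample_pcap()))
```

A non-zero truncated count means payloads were cut at the reported snaplen, so the capture may need to be repeated with snaplen and only one other argument.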


