How to mitigate an abnormal increase in "pkt_recv_short_pkt" global counter
Created On 07/27/23 23:59 PM - Last Modified 08/23/23 18:39 PM
Objective
The counter pkt_recv_short_pkt increments when the firewall receives a packet whose Packet Size is too small.
Below is an example of the global counter pkt_recv_short_pkt incrementing in the firewall:
> show counter global

name                 value  rate  severity  category  aspect   description
--------------------------------------------------------------------------------
pkt_recv_short_pkt   100    100   drop      packet    pktproc  Packet receive short packets
Environment
- PAN-OS
- Global Counters
Procedure
- Take a packet capture on the egress port of the directly connected device (switch or router) that leads to the firewall port where you suspect the abnormally small packets are entering (i.e. an external packet capture)
- Identify any packets in the capture with an abnormally small total Packet Size (look for any packets under 64 bytes total) which are going into the firewall
Additional Information
Tip: Open the packet capture in Wireshark. Navigate to Statistics > Packet Lengths and identify if there is a high Count value in any of the lower Packet Length rows.
In the Packet Lengths pane, click on the Packet Length column. This will sort the packets by their length, with the smallest Packet Lengths at the top.
Wireshark > Statistics > Packet Length
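A scripted equivalent of the Packet Lengths check, as an added example that is not from the original article or from the vendor: it reads a classic pcap file and lists every frame below a length threshold together with its source MAC address. The function names, the sample capture and the MAC addresses are constructed for illustration, and pcapng files are not handled.

```python
import io
import struct
from collections import Counter

# Magic bytes as stored on disk -> struct byte-order prefix (usec and nsec variants).
PCAP_MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
              b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}

def short_packets(stream, threshold=64):
    """Return (frame_number, original_length, src_mac) for frames under threshold bytes."""
    order = PCAP_MAGIC.get(stream.read(4))
    if order is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    header = stream.read(20)
    if len(header) < 20:
        raise ValueError("truncated pcap global header")
    linktype = struct.unpack(order + "HHiIII", header)[5]
    hits, number = [], 0
    while True:
        record = stream.read(16)
        if len(record) < 16:
            break
        _sec, _frac, incl_len, orig_len = struct.unpack(order + "IIII", record)
        data = stream.read(incl_len)
        if len(data) < incl_len:
            break  # capture was cut off mid-frame
        number += 1
        if orig_len < threshold:
            # Source MAC is bytes 6-11 of an Ethernet (linktype 1) frame.
            src = data[6:12].hex(":") if linktype == 1 and len(data) >= 12 else "n/a"
            hits.append((number, orig_len, src))
    return hits

def senders(hits):
    """Count short frames per source MAC to point at the device emitting them."""
    return Counter(src for _number, _length, src in hits)

def build_sample_pcap():
    """Constructed capture: made-up MACs, zero-padded frames of chosen lengths."""
    a, b = "020000000001", "020000000002"
    out = io.BytesIO()
    out.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for length, src in [(98, a), (60, a), (42, b), (1514, a), (30, b)]:
        frame = (b"\xff" * 6 + bytes.fromhex(src) + b"\x08\x00").ljust(length, b"\x00")
        out.write(struct.pack("<IIII", 0, 0, length, length) + frame)
    out.seek(0)
    return out

if __name__ == "__main__":
    for number, length, src in short_packets(build_sample_pcap()):
        print(f"frame {number}: {length} bytes from {src}")
```

Captures normally omit the 4-byte Ethernet FCS, so a valid minimum-size frame shows as 60 bytes; pass threshold=60 to leave those out of the results.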