How to do tcpdump packet capture on the management interface and upload it using tac upload service?

Created On 03/07/23 00:14 AM - Last Modified 04/09/25 20:42 PM


Objective


Capture packets on the management interface with tcpdump and upload the resulting capture file to the TAC upload service.



Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • Tcpdump


Procedure


  1. The tcpdump command uses the management interface by default, so there is no need to specify an interface. The capture is written to the management-plane file mgmt.pcap, which the later steps export. Example:
admin@PA-VM-Primary(active)> tcpdump filter "host updates.paloaltonetworks.com and not port 22"
Press Ctrl-C to stop capturing

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

Example 2 (snaplen 0 captures full packets rather than truncating them):

admin@PA-VM-Primary(active)> tcpdump snaplen 0
Press Ctrl-C to stop capturing

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C102 packets captured
102 packets received by filter
0 packets dropped by kernel
  2. To export a management-plane log file to any server, use scp export with a destination of your choice:
scp export log-file management-plane to username@host:path
  3. scp export can also upload the capture file directly to the TAC upload server:

scp export mgmt-pcap from mgmt.pcap to <case-number>@tacupload.paloaltonetworks.com:./
  • Your username is your case number.
  • Your password is the email address associated with your case.
  4. To view the PCAP on the CLI, run the view-pcap command:
admin@PA-VM-Primary(active)> view-pcap mgmt-pcap mgmt.pcap
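As an added example that is not part of the original article, the Python check below parses the summary tcpdump prints after Ctrl-C (the banner and the three counters shown in the procedure above) and flags conditions that make a capture less useful to TAC: a non-zero kernel drop count, a reduced snapshot length, or a capture taken on something other than the management interface eth0. The SAMPLE_OUTPUT string is constructed from the output shown above.

```python
import re
from dataclasses import dataclass

# Constructed sample of the PAN-OS tcpdump summary printed after Ctrl-C (as in the article).
SAMPLE_OUTPUT = """\
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C102 packets captured
102 packets received by filter
0 packets dropped by kernel
"""
_LISTEN = re.compile(r"listening on (\S+),.*capture size (\d+) bytes")
_STAT = re.compile(r"(\d+) packets (captured|received by filter|dropped by kernel)")

@dataclass
class CaptureSummary:
    interface: str
    snaplen: int
    captured: int
    received: int
    dropped: int

def parse_summary(text: str) -> CaptureSummary:
    # Pull the interface and snapshot length from the banner, then the three counters.
    iface, snaplen, counts = None, 0, {}
    for line in text.splitlines():
        m = _LISTEN.search(line)
        if m:
            iface, snaplen = m.group(1), int(m.group(2))
            continue
        m = _STAT.search(line)  # search() steps over the echoed "^C" prefix
        if m:
            counts[m.group(2)] = int(m.group(1))
    missing = {"captured", "received by filter", "dropped by kernel"} - counts.keys()
    if iface is None or missing:
        raise ValueError(f"incomplete tcpdump summary, missing: {sorted(missing)}")
    return CaptureSummary(iface, snaplen, counts["captured"],
                          counts["received by filter"], counts["dropped by kernel"])

def capture_issues(s: CaptureSummary) -> list[str]:
    # Reasons the capture may mislead a TAC investigation; an empty list means it looks sound.
    issues = []
    if s.interface != "eth0":
        issues.append(f"captured on {s.interface}, not the management interface eth0")
    if s.snaplen < 65535:
        issues.append(f"snaplen {s.snaplen} may truncate packets; recapture with snaplen 0")
    if s.dropped > 0:
        issues.append(f"kernel dropped {s.dropped} packets; narrow the filter and recapture")
    return issues
```

Paste the firewall's tcpdump summary into parse_summary and act on capture_issues before uploading, so a capture with drops or truncated packets is redone rather than sent to TAC.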

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sb1OCAQ&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail