How to capture real-time traffic and export this information from the ION device in Prisma SDWAN?

• Prisma SDWAN
• ION devices
• Packet captures

Login to the CLI mode of the ION device and execute the following commands:

1. To see the real-time traffic:

ION1# tcpdump <PORT> args="host <source IP> and host <destination IP> and port <xx>" show

ION1# tcpdump 2 args="host 10.20.x.x..48981 and host 170.72.x.x and port 443" show
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth4, link-type EN10MB (Ethernet), capture size 262144 bytes
23:54:28.951886 IP 10.20.x.x.45375 > 170.72.x.x.443: Flags [S], seq 4166557383, win 64240, options [mss 1460,sackOK,TS val 3529167363 ecr 0,nop,wscale 11], length 0
23:54:28.951920 IP 10.20.x.x..48981 > 170.72.x.x..443: Flags [S], seq 531038, win 64240, options [mss 1460,sackOK,TS val 2176548343 ecr 0,nop,wscale 11],length 0
23:54:28.951936 IP 10.20.x.x.51435 > 170.72.x.x.443: Flags [S], seq 3789873231, win 64240, options [mss 1460,sackOK,TS val 1949882579 ecr 0,nop,wscale 11], length 0
23:54:28.951952 IP 10.20.x.x.43649 > 170.72.x.x.443: Flags [S], seq 31616372, win 64240, options [mss 1460,sackOK,TS val 3698974089 ecr 0,nop,wscale 11], length 0

2. To capture and save the traffic:

ION1# tcpdump <PORT> args="host <source IP> and host <destination IP> and port 443" save file= <filename>.pcap

ION1# tcpdump 1 args="host 10.20.x.x and host 170.72.x.x and port 443" save file=testfile.pcap 

Saving...
Press CTR+C to stop.
tcpdump: listening on eth5, link-type EN10MB (Ethernet), capture size 262144 bytes
^C0 packets captured
0 packets received by filter
0 packets dropped by kernel
1 packet dropped by interface

3. To export the log file from the ION device:

ION1# file export <PORT> <filename> scp://user@host:location

ION1# file export controller testfile.pcap scp://user@host[:port]:location