Take Packet Captures

All Palo Alto Networks firewalls allow you to take packet captures (pcaps) of traffic that traverses the management interface and network interfaces on the firewall. When taking packet captures on the dataplane, you may need to Disable Hardware Offload to ensure that the firewall captures all traffic.
Packet capture is a troubleshooting feature that is rate limited in order to lower the impact on regular packet processing. If the firewall reaches the packet capture rate limit, you can view the number of packets that haven't been captured using the global counter flow_host_vardata_rate_limit_reached.
Due to the way packets are processed in multi-core CPU platforms, packets captured in the received stage may not always appear in the same order as they were received by the network.
Packet capture can be very CPU intensive and can degrade firewall performance. Only use this feature when necessary and make sure you turn it off after you have collected the required packets.
When troubleshooting performance issues or issues related to out-of-order packets, it is recommended that you perform external packet captures on neighboring devices, such as switch SPAN ports.