Take Packet Captures
Where Can I Use This? | What Do I Need?
--- | ---
NGFW (Managed by PAN-OS or Panorama) | Support license; (Panorama) Device management license
All Palo Alto Networks firewalls allow you to take packet captures (pcaps) of traffic that traverses the management interface and the network interfaces on the firewall. When taking packet captures on the dataplane, you may need to Disable Hardware Offload to ensure that the firewall captures all traffic.

Packet capture is a troubleshooting feature that is rate limited to reduce its impact on regular packet processing. If the firewall reaches the packet capture rate limit, you can view the number of packets that were not captured using the global counter flow_host_vardata_rate_limit_reached.

Because of the way packets are processed on multi-core CPU platforms, packets captured in the receive stage may not always appear in the same order in which the network delivered them.

Packet capture can be very CPU intensive and can degrade firewall performance. Use this feature only when necessary, and turn it off after you have collected the required packets.

When troubleshooting performance issues or out-of-order related issues, it is recommended that you perform external packet captures on neighboring devices, such as switch SPAN ports.
Palo Alto Networks firewalls offer several types of packet captures to suit different troubleshooting needs:

- Disable Hardware Offload: A crucial step for ensuring comprehensive captures on the dataplane.
- Take a Custom Packet Capture: Gives highly granular control over the capture parameters, such as the interfaces, filters (IP addresses, ports, protocols), and capture duration.
- Take a Threat Packet Capture: A specialized capture that focuses on traffic related to detected threats, providing forensic data for security investigations.
- Take an Application Packet Capture: Helps you understand application behavior and troubleshoot application-specific issues by focusing on traffic associated with particular applications.
- Take a Packet Capture on the Management Interface: Useful for troubleshooting issues related to management plane access, such as GUI connectivity or syslog forwarding.