Take
Packet Captures
All Palo Alto Networks firewalls allow you to take packet
captures (pcaps) of traffic that traverses the management interface
and network interfaces on the firewall. When taking packet captures
on the dataplane, you may need to
Disable Hardware Offload to
ensure that the firewall captures all traffic.
Packet capture is a troubleshooting feature that is rate limited in order to lower the
impact on regular packet processing. If the firewall reaches the packet capture rate
limit, you can view the number of packets that haven't been captured using the global
counter flow_host_vardata_rate_limit_reached.
Due to the way packets are processed in multi-core CPU
platforms, packets captured in the received stage may not always
appear in the same order as they were received by the network.
Packet capture can be very CPU intensive
and can degrade firewall performance. Only use this feature when
necessary and make sure you turn it off after you have collected
the required packets.
When troubleshooting performance issues or
out-of-order related issues, it is recommended that you perform external packet captures
on neighboring devices, such as switch SPAN ports.
