Packet captures on a Palo Alto Networks firewall are performed on the dataplane CPU, unless you configure the firewall to Take a Packet Capture on the Management Interface, in which case the packet capture is performed on the management plane. When a packet capture is performed on the dataplane, the firewall performs packet parsing checks during the ingress stage and discards any packets that do not match the packet capture filter. Traffic that is offloaded to the field-programmable gate array (FPGA) offload processor is also excluded from the capture unless you turn off hardware offload. For example, encrypted traffic (SSL/SSH), network protocols (OSPF, BGP, RIP), application overrides, and terminating applications can be offloaded to the FPGA and are therefore excluded from packet captures by default. Some types of sessions will never be offloaded, such as ARP, all non-IP traffic, IPSec, VPN sessions, SYN, FIN, and RST packets.
Hardware offload is supported on the following firewalls: PA-2000 Series, PA-3050, PA-3060, PA-4000 Series, PA-5000 Series, and PA-7000 Series firewalls.
Disabling hardware offload increases the dataplane CPU usage. If dataplane CPU usage is already high, you may want to schedule a maintenance window before disabling hardware offload.
Enable/Disable Hardware Offload
Disable hardware offload by running the following CLI command:
    admin@PA-7050> set session offload no
After the firewall captures the required traffic, enable hardware offload by running the following CLI command:
    admin@PA-7050> set session offload yes
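The disable, capture, re-enable sequence above can be wrapped so that offload is always restored, even when the capture step fails. The following is an added example, not Palo Alto Networks code. The run_cli transport, the caller-supplied CPU reading and the 60% threshold are assumptions; only the two CLI commands come from this page.

```python
from contextlib import contextmanager

# The two commands are taken from this page; everything else is hypothetical.
OFFLOAD_OFF = "set session offload no"
OFFLOAD_ON = "set session offload yes"


class DataplaneBusy(RuntimeError):
    """Raised when dataplane CPU is too high to disable offload safely."""


@contextmanager
def offload_disabled(run_cli, dataplane_cpu_pct, max_cpu_pct=60):
    """Disable hardware offload for the duration of a capture.

    run_cli: callable that sends one operational CLI command to the firewall
             (hypothetical transport, e.g. an SSH session wrapper).
    dataplane_cpu_pct: current dataplane CPU reading supplied by the caller.
    max_cpu_pct: assumed threshold, not a vendor figure.
    """
    if dataplane_cpu_pct >= max_cpu_pct:
        # Nothing has been sent yet, so the firewall state is unchanged.
        raise DataplaneBusy(
            f"dataplane CPU at {dataplane_cpu_pct}%, schedule a maintenance window"
        )
    run_cli(OFFLOAD_OFF)
    try:
        yield
    finally:
        # Runs even if the capture step raises, so offload is never left off.
        run_cli(OFFLOAD_ON)


def demo():
    """Constructed run: the capture step fails, offload is still restored."""
    sent = []  # stands in for the firewall session; records commands sent
    try:
        with offload_disabled(sent.append, dataplane_cpu_pct=35):
            raise TimeoutError("capture step failed (constructed)")
    except TimeoutError:
        pass
    return sent


if __name__ == "__main__":
    print(demo())
```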