The capture command described here enables you to capture packets that traverse the management
interface (MGT) on a Palo Alto Networks firewall.
Each platform captures a default number of bytes from each packet.
The PA-200, PA-500, and PA-2000 Series firewalls capture 68 bytes
of data from each packet, and anything over that is truncated. The
PA-3000, PA-4000, and PA-5000 Series, the PA-7000 Series firewalls,
and VM-Series firewalls capture 96 bytes of data from each packet.
To define the number of packets that the firewall will
capture, use the
snaplen option (range 0-65535). Setting snaplen to
0 will cause the firewall to use the maximum length required to
capture whole packets.
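
The truncation described above is recorded in the capture file itself: each record in a classic pcap file stores both the number of bytes saved and the packet's original length on the wire. The following Python is an added example, not from the original page; it assumes mgmt.pcap has been copied off the firewall as a classic pcap file, and the function names and sample packet lengths are constructed for illustration.

```python
import struct

# Added example; function names are illustrative, not part of any firewall tooling.
# Magic numbers for classic pcap files (microsecond and nanosecond timestamps).
PCAP_MAGICS = {0xA1B2C3D4, 0xA1B23C4D}


def truncation_report(data: bytes) -> dict:
    """Return the file's snaplen and how many packets were cut short."""
    if len(data) < 24:
        raise ValueError("too short to be a pcap file")
    # The magic number tells us which byte order the writer used.
    for endian in ("<", ">"):
        if struct.unpack(endian + "I", data[:4])[0] in PCAP_MAGICS:
            break
    else:
        raise ValueError("not a classic pcap file")
    snaplen = struct.unpack(endian + "I", data[16:20])[0]
    total = truncated = lost = 0
    offset = 24  # first record follows the 24-byte global header
    while offset + 16 <= len(data):
        _sec, _frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        offset += 16 + incl_len
        if offset > len(data):
            raise ValueError("file ends inside a packet record")
        total += 1
        if incl_len < orig_len:  # fewer bytes saved than were on the wire
            truncated += 1
            lost += orig_len - incl_len
    return {"snaplen": snaplen, "packets": total,
            "truncated": truncated, "bytes_lost": lost}


def build_sample(snaplen: int, wire_lengths: list) -> bytes:
    """Constructed sample: a pcap whose packets are cut at `snaplen` bytes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for n, wire_len in enumerate(wire_lengths):
        kept = min(wire_len, snaplen)
        out += struct.pack("<IIII", n, 0, kept, wire_len) + bytes(kept)
    return out


if __name__ == "__main__":
    # Constructed wire lengths: two small packets and two larger ones.
    lengths = [60, 66, 120, 300]
    print(truncation_report(build_sample(68, lengths)))     # 68-byte default
    print(truncation_report(build_sample(65535, lengths)))  # whole packets
```

A non-zero truncated count means any payload-level analysis is working from incomplete packets, which is the case the snaplen 0 setting avoids.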
Using a terminal emulation application, such as
PuTTY, launch an SSH session to the firewall.
To start a packet capture on the MGT interface, run the capture command.
For example, to capture the traffic that
is generated when an administrator authenticates to the firewall
using RADIUS, filter on the destination IP address of the RADIUS server
(10.5.104.99 in this example):
filter "dst 10.5.104.99" snaplen 0
You can also filter
on src (source IP address), host, net, and you can exclude content. For
example, to filter on a subnet and exclude all SCP, SFTP, and SSH
traffic (which uses port 22), run the following command:
filter "net 10.5.104.0/24 and not port 22" snaplen 0
When the firewall takes a packet capture,
it stores the content in a file named mgmt.pcap. This file is overwritten
each time you run a capture.
After the traffic you are interested in has traversed
the MGT interface, press Ctrl + C to stop the capture.
View the packet capture by running the following command:
The following output shows the packet
capture from the MGT port (10.5.104.98) to the RADIUS server (10.5.104.99):