All Palo Alto Networks firewalls have a built-in packet capture (pcap) feature you can use to capture packets that traverse the network interfaces on the firewall. You can then use the captured data for troubleshooting purposes or to create custom application signatures.
The packet capture feature is CPU-intensive and can degrade firewall performance. Only use this feature when necessary and make sure to turn it off after you have collected the required packets.
What do you want to know?
What are the different methods the firewall can use to capture packets? See Packet Capture Overview.
How do I generate a custom packet capture? See Building Blocks for a Custom Packet Capture.
How do I generate packet captures when the firewall detects a threat? See Enable Threat Packet Capture.
Where do I download a packet capture? See Packet Capture Overview.
Looking for more?
Turn on extended packet capture for security profiles. Device > Setup > Content-ID.
Use packet capture to write custom application signatures. See Doc-2015. Note that this example uses a third-party app, but you can use the firewall to capture the required packets.
Prevent a firewall admin from viewing packet captures. See Define Web Interface Administrator Access.
See an example. See Take Packet Captures.
Packet Capture Overview
You can configure a Palo Alto Networks firewall to perform a custom packet capture or a threat packet capture.
Custom Packet Capture—Capture packets for all traffic or only for traffic that matches filters you define. For example, you can configure the firewall to capture only packets to and from a specific source and destination IP address or port. These packet captures are used to troubleshoot network-traffic-related issues or to gather application attributes for writing custom application signatures. You configure this type of packet capture in Monitor > Packet Capture. You define the file name based on the stage (Drop, Firewall, Receive, Transmit) and, after the pcap is complete, you download it in the Captured Files section.
Threat Packet Capture—Capture packets when the firewall detects a virus, spyware, or vulnerability. You enable this feature in Antivirus, Anti-Spyware, and Vulnerability Protection security profiles. These packet captures provide context around a threat to help you determine whether an attack was successful or to learn more about the methods used by an attacker. The action for the threat must be set to allow or alert; otherwise the threat is blocked and packets cannot be captured. You configure this type of packet capture in Objects > Security Profiles. To download pcaps, select Monitor > Threat.
Building Blocks for a Custom Packet Capture
The following table describes the components of the Monitor > Packet Capture page that you use to configure packet captures, enable packet capture, and to download packet capture files.
Custom Packet Capture Building Blocks

Manage Filters (configured in Configure Filtering)
When enabling custom packet captures, you should define filters so that only the packets that match the filters are captured. This makes it easier to locate the information you need in the pcaps and reduces the processing power the firewall needs to perform the packet capture. Click Add to add a new filter and configure the following fields:
Id—Enter or select an identifier for the filter.
Ingress Interface—Select the ingress interface on which you want to capture traffic.
Source—Specify the source IP address of the traffic to capture.
Destination—Specify the destination IP address of the traffic to capture.
Src Port—Specify the source port of the traffic to capture.
Dest Port—Specify the destination port of the traffic to capture.
Proto—Specify the protocol number to filter (1-255). For example, ICMP is protocol number 1.
Non-IP—Choose how to treat non-IP traffic (exclude all IP traffic, include all IP traffic, include only IP traffic, or do not include an IP filter). Broadcast and AppleTalk are examples of non-IP traffic.
IPv6—Select this option to include IPv6 packets in the filter.

Filtering (configured in Configure Filtering)
After defining filters, set Filtering to ON. If Filtering is OFF, all traffic is captured.

Pre-Parse Match (configured in Configure Filtering)
This option is for advanced troubleshooting purposes. After a packet enters the ingress port, it proceeds through several processing steps before it is parsed for matches against the configured filters. Because of a failure, for example a failed route lookup, a packet may never reach the filtering stage. Set Pre-Parse Match to ON to emulate a positive match for every packet entering the system, which allows the firewall to capture packets that do not reach the filtering process. A packet that does reach the filtering stage is still processed according to the filter configuration and discarded if it fails to meet the filtering criteria.

Packet Capture (configured in Configure Capturing)
Click the toggle switch to turn packet capture ON or OFF. You must select at least one capture stage. Click Add and specify the following:
Stage—Indicate the point at which to capture packets:
  drop—When packet processing encounters an error and the packet is dropped.
  firewall—When the packet has a session match or a first packet with a session is successfully created.
  receive—When the packet is received on the dataplane processor.
  transmit—When the packet is transmitted on the dataplane processor.
File—Specify the capture file name. The file name must begin with a letter and can include letters, digits, periods, underscores, or hyphens.
Byte Count—Specify the maximum number of bytes, after which capturing stops.
Packet Count—Specify the maximum number of packets, after which capturing stops.

Captured Files (configured in Captured Files)
Contains a list of custom packet captures previously generated by the firewall. Click a file to download it to your computer. To delete a packet capture, select it and then click Delete.
File Name—Lists the packet capture files. The file names are based on the file name you specify for the capture stage.
Date—Date the file was generated.
Size (MB)—The size of the capture file.
After you turn packet capture on and then off again, you must click Refresh before any new pcap files display in this list.

Clear All Settings (configured in Settings)
Click Clear All Settings to turn off packet capture and clear all packet capture settings. Note that this does not turn off packet capture set in a security profile. For information on enabling packet capture on a security profile, see Enable Threat Packet Capture.
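The same custom capture can be driven from the PAN-OS CLI, which is useful when the web interface is unavailable or the steps need to be scripted for a change ticket. The session below is an added example, not part of the original page: the debug dataplane packet-diag command syntax is quoted from memory of the CLI rather than from this page (confirm it with the CLI's ? help on your PAN-OS version), the addresses and file names are constructed, and lines starting with # are annotations, not commands.

```text
# Manage Filters: capture only TCP/443 from one client to one server (constructed values)
debug dataplane packet-diag clear all
debug dataplane packet-diag set filter match source 192.0.2.10 destination 198.51.100.20 destination-port 443 protocol 6
# Filtering ON; without this every packet would be captured, with the CPU cost noted above
debug dataplane packet-diag set filter on
# Optional: same effect as the Pre-Parse Match toggle, to catch packets that fail before filtering
debug dataplane packet-diag set filter pre-parse-match yes

# Packet Capture: one file per stage so received packets can be compared against dropped ones
debug dataplane packet-diag set capture stage receive file rx-client
debug dataplane packet-diag set capture stage drop file dp-client
debug dataplane packet-diag set capture on
debug dataplane packet-diag show setting

# ... reproduce the traffic, then stop promptly; capture is CPU-intensive
debug dataplane packet-diag set capture off
debug dataplane packet-diag set filter off

# Captured Files: inspect on the firewall or export to a workstation for Wireshark
view-pcap filter-pcap rx-client
scp export filter-pcap from rx-client to admin@203.0.113.5:/tmp/

# Clear All Settings equivalent (does not affect packet capture set in security profiles)
debug dataplane packet-diag clear all
```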
Enable Threat Packet Capture
To enable the firewall to capture packets when it detects a threat, enable the packet capture option in the security profile.
First select Objects > Security Profiles and then modify the desired profile as described in the following table.
Packet Capture Option in Security Profiles
Antivirus: Select a custom antivirus profile and, in the Antivirus tab, select Packet Capture.
Anti-Spyware: Select a custom Anti-Spyware profile, click the DNS Signatures tab and, in the Packet Capture drop-down, select single-packet or extended-capture.
Vulnerability Protection: Select a custom Vulnerability Protection profile and, in the Rules tab, click Add to add a new rule or select an existing rule. Then open the Packet Capture drop-down and select single-packet or extended-capture.
In Anti-Spyware and Vulnerability Protection profiles, you can also enable packet capture on exceptions. Click the Exceptions tab and in the Packet Capture column for a signature, click the drop-down and select single-packet or extended-capture.
(Optional) The number of packets an extended threat packet capture collects is a global setting. To change it, select Device > Setup > Content-ID and, in the Content-ID Settings section, modify the Extended Packet Capture Length (packets) field (range is 1-50; default is 5).
After you enable packet capture on a security profile, you need to verify that the profile is part of a security rule. For information on how to add a security profile to a security rule, see Security Policy Overview.
Each time the firewall detects a threat when packet capture is enabled on the security profile, you can download or export the packet capture.