Take a Packet Capture on the Management Interface
The tcpdump CLI command enables you to capture packets that traverse the management interface (MGT) on a Palo Alto Networks firewall.
Each platform has a default number of bytes that tcpdump captures. The PA-200 and PA-500 firewalls capture 68 bytes of data from each packet and anything over that is truncated. The PA-3000, PA-5000 Series, the PA-7000 Series firewalls, and VM-Series firewalls capture 96 bytes of data from each packet. To define the number of packets that tcpdump will capture, use the snaplen (snap length) option (range 0-65535). Setting the snaplen to 0 will cause the firewall to use the maximum length required to capture whole packets.
- Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.
- To start a packet capture on the MGT interface, run the
admin@PA-200>tcpdump filter “<filter-option> <IP-address>” snaplen lengthFor example, to capture the traffic that is generated when and administrator authenticates to the firewall using RADIUS, filter on the destination IP address of the RADIUS server (10.5.104.99 in this example):
admin@PA-200>tcpdump filter “dst 10.5.104.99” snaplen 0You can also filter on src (source IP address), host, net, and you can exclude content. For example, to filter on a subnet and exclude all SCP, SFTP, and SSH traffic (which uses port 22), run the following command:
admin@PA-200>tcpdump filter “net 10.5.104.0/24 and not port 22” snaplen 0Each time tcpdump takes a packet capture, it stores the content in a file named mgmt.pcap. This file is overwritten each time you run tcpdump.
- After the traffic you are interested in has traversed the MGT interface, press Ctrl + C to stop the capture.
- View the packet capture by running the following command:
admin@PA-200> view-pcap mgmt-pcap mgmt.pcapThe following output shows the packet capture from the MGT port (10.5.104.98) to the RADIUS server (10.5.104.99):
09:55:29.139394 IP 10.5.104.98.43063 > 10.5.104.99.radius: RADIUS, Access Request (1), id: 0x00 length: 89 09:55:29.144354 arp reply 10.5.104.98 is-at 00:25:90:23:94:98 (oui Unknown) 09:55:29.379290 IP 10.5.104.98.43063 > 10.5.104.99.radius: RADIUS, Access Request (1), id: 0x00 length: 70 09:55:34.379262 arp who-has 10.5.104.99 tell 10.5.104.98
- (Optional) Export the packet capture from the
firewall using SCP (or TFTP). For example, to export the packet
capture using SCP, run the following command:
admin@PA-200>scp export mgmt-pcap from mgmt.pcap to <username@host:path>For example, to export the pcap to an SCP enabled server at 10.5.5.20 to a temp folder named temp-SCP, run the following CLI command:
admin@PA-200>scp export mgmt-pcap from mgmt.pcap to firstname.lastname@example.org:c:/temp-SCPEnter the login name and password for the account on the SCP server to enable the firewall to copy the packet capture to the c:\temp-SCP folder on the SCP-enabled.
- You can now view the packet capture files using a network packet analyzer, such as Wireshark.
Take a Packet Capture for Unknown Applications
Take a Packet Capture for Unknown Applications Palo Alto Networks firewalls automatically generate a packet capture for sessions that contain an application that it cannot ...
Take a Custom Application Packet Capture
Take a Custom Application Packet Capture You can configure a Palo Alto Networks firewall to take a packet capture based on an application name and ...
Take a Threat Packet Capture
Take a Threat Packet Capture To configure the firewall to take a packet capture (pcap) when it detects a threat, enable packet capture on Antivirus, ...
Building Blocks for a Custom Packet Capture
Building Blocks for a Custom Packet Capture The following table describes the components of the Monitor Packet Capture page that you use to configure packet ...
Disable Hardware Offload
Disable Hardware Offload Packet captures for traffic passing through the network data ports on a Palo Alto Networks firewall are performed by the dataplane CPU. ...
Take a Custom Packet Capture
Take a Custom Packet Capture Custom packet captures allow you to define the traffic that the firewall will capture. To ensure that you capture all ...
Types of Packet Captures
Types of Packet Captures There are four different types of packet captures you can enable, depending on what you need to do: Custom Packet Capture ...
Packet Capture Overview
Packet Capture Overview You can configure a Palo Alto Networks firewall to perform a custom packet capture or a threat packet capture. Custom Packet Capture ...
Take an Application Packet Capture
Take an Application Packet Capture The following topics describe two ways that you can configure the firewall to take application packet captures: Take a Packet ...