Take a Packet Capture on the Management Interface
The tcpdump CLI command enables you to capture packets that traverse the management interface (MGT) on a Palo Alto Networks firewall.
Each platform has a default number of bytes that tcpdump captures from each packet. The PA-200 and PA-500 firewalls capture 68 bytes of data from each packet, and anything over that is truncated. The PA-3000 Series, PA-5000 Series, and PA-7000 Series firewalls, and the VM-Series firewalls, capture 96 bytes of data from each packet. To define the number of bytes per packet that tcpdump will capture, use the snaplen (snap length) option (range 0-65535). Setting the snaplen to 0 causes the firewall to use the maximum length required to capture whole packets.
- Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.
- To start a packet capture on the MGT interface, run the following command:
  admin@PA-200>tcpdump filter "<filter-option> <IP-address>" snaplen <length>
  For example, to capture the traffic that is generated when an administrator authenticates to the firewall using RADIUS, filter on the destination IP address of the RADIUS server (10.5.104.99 in this example):
  admin@PA-200>tcpdump filter "dst 10.5.104.99" snaplen 0
  You can also filter on src (source IP address), host, and net, and you can exclude content. For example, to filter on a subnet and exclude all SCP, SFTP, and SSH traffic (which uses port 22), run the following command:
  admin@PA-200>tcpdump filter "net 10.5.104.0/24 and not port 22" snaplen 0
  Each time tcpdump takes a packet capture, it stores the content in a file named mgmt.pcap. This file is overwritten each time you run tcpdump.
- After the traffic you are interested in has traversed the MGT interface, press Ctrl + C to stop the capture.
- View the packet capture by running the following command:
  admin@PA-200>view-pcap mgmt-pcap mgmt.pcap
  The following output shows the packet capture from the MGT port (10.5.104.98) to the RADIUS server (10.5.104.99):
  09:55:29.139394 IP 10.5.104.98.43063 > 10.5.104.99.radius: RADIUS, Access Request (1), id: 0x00 length: 89
  09:55:29.144354 arp reply 10.5.104.98 is-at 00:25:90:23:94:98 (oui Unknown)
  09:55:29.379290 IP 10.5.104.98.43063 > 10.5.104.99.radius: RADIUS, Access Request (1), id: 0x00 length: 70
  09:55:34.379262 arp who-has 10.5.104.99 tell 10.5.104.98
- (Optional) Export the packet capture from the firewall using SCP (or TFTP). For example, to export the packet capture using SCP, run the following command:
  admin@PA-200>scp export mgmt-pcap from mgmt.pcap to <username@host:path>
  For example, to export the pcap to an SCP-enabled server at 10.5.5.20, into a temp folder named temp-SCP, run the following CLI command:
  admin@PA-200>scp export mgmt-pcap from mgmt.pcap to email@example.com:c:/temp-SCP
  Enter the login name and password for the account on the SCP server to enable the firewall to copy the packet capture to the c:\temp-SCP folder on the SCP-enabled server.
- You can now view the packet capture files using a network packet analyzer, such as Wireshark.
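The view-pcap output in the step above is plain tcpdump-style text, so it can be triaged without leaving the CLI session. The following is an added example (not part of the Palo Alto Networks documentation or any firewall feature) that parses such lines and pairs each RADIUS Access-Request with its response, keyed on client IP, client source port, server IP and RADIUS identifier. In the page's own sample output the Access-Request (id 0x00) is sent twice and no response line appears, followed by an ARP request for the server; the script surfaces exactly that pattern. The first four sample lines are copied from the page; the last two (a second server at 10.5.104.50 returning Access-Accept) are constructed so that the success path is exercised too.

```python
"""Pair RADIUS requests with responses in text output of the firewall's
view-pcap command (tcpdump-style lines).  Added example; the sample below
mixes lines from the page with constructed lines (see SAMPLE)."""
import re

# tcpdump prints RADIUS as:
#   <ts> IP <src>.<sport> > <dst>.<dport>: RADIUS, <Type> (<code>), id: 0x<id> length: <n>
RADIUS_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\w+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\w+): RADIUS, "
    r"(?P<type>[A-Za-z -]+?) \((?P<code>\d+)\), id: 0x(?P<id>[0-9a-fA-F]+) length: (?P<len>\d+)"
)
# An ARP request for the server IP means the firewall had no neighbour entry for it.
ARP_WHO_HAS_RE = re.compile(
    r"^(?P<ts>\S+) arp who-has (?P<target>\d+\.\d+\.\d+\.\d+) tell (?P<asker>\S+)"
)

REQUEST_CODE = 1                                   # Access-Request
RESPONSE_CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

# Lines 1-4 are from the page; lines 5-6 are constructed (hypothetical second server).
SAMPLE = """\
09:55:29.139394 IP 10.5.104.98.43063 > 10.5.104.99.radius: RADIUS, Access Request (1), id: 0x00 length: 89
09:55:29.144354 arp reply 10.5.104.98 is-at 00:25:90:23:94:98 (oui Unknown)
09:55:29.379290 IP 10.5.104.98.43063 > 10.5.104.99.radius: RADIUS, Access Request (1), id: 0x00 length: 70
09:55:34.379262 arp who-has 10.5.104.99 tell 10.5.104.98
09:56:01.000000 IP 10.5.104.98.43064 > 10.5.104.50.radius: RADIUS, Access Request (1), id: 0x01 length: 89
09:56:01.012000 IP 10.5.104.50.radius > 10.5.104.98.43064: RADIUS, Access Accept (2), id: 0x01 length: 40
"""


def parse_lines(lines):
    """Yield ("radius", fields) or ("arp", fields) for recognised lines; skip the rest."""
    for line in lines:
        line = line.strip()
        m = RADIUS_RE.match(line)
        if m:
            fields = m.groupdict()
            fields["code"] = int(fields["code"])
            yield ("radius", fields)
            continue
        m = ARP_WHO_HAS_RE.match(line)
        if m:
            yield ("arp", m.groupdict())


def summarise(lines):
    """Return a dict describing request/response pairing.

    answered       -- number of distinct requests that got a response
    unanswered     -- request keys (client, port, server, id) with no response
    retransmits    -- Access-Requests that repeated an already-seen key
    arp_unresolved -- servers of unanswered requests that the firewall ARPed for
    """
    requests = {}          # key -> number of times the request was seen
    responded = set()
    retransmits = 0
    arp_targets = set()
    for kind, f in parse_lines(lines):
        if kind == "arp":
            arp_targets.add(f["target"])
            continue
        if f["code"] == REQUEST_CODE:
            key = (f["src"], f["sport"], f["dst"], f["id"].lower())
            if key in requests:
                retransmits += 1
            requests[key] = requests.get(key, 0) + 1
        elif f["code"] in RESPONSE_CODES:
            # Responses travel server -> client; flip the tuple to match the request key.
            key = (f["dst"], f["dport"], f["src"], f["id"].lower())
            responded.add(key)
    unanswered = [k for k in requests if k not in responded]
    return {
        "answered": sum(1 for k in requests if k in responded),
        "unanswered": unanswered,
        "retransmits": retransmits,
        "arp_unresolved": sorted(arp_targets & {k[2] for k in unanswered}),
    }


if __name__ == "__main__":
    result = summarise(SAMPLE.splitlines())
    for name, value in result.items():
        print(f"{name}: {value}")
```

Run it against the text you pasted from view-pcap (or pipe the text into `summarise`); an unanswered key with the same server listed under `arp_unresolved` points at a reachability problem on the MGT network rather than at the RADIUS shared secret or the user's credentials, which is the distinction you want before opening the pcap in Wireshark. Note that tcpdump versions differ in whether they print "Access Request" or "Access-Request"; the regex accepts both.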