Take a Packet Capture on the Management Interface

The tcpdump CLI command enables you to capture packets that traverse the management interface (MGT) on a Palo Alto Networks firewall.
Each platform has a default number of bytes that tcpdump captures from each packet. PA-220 firewalls capture the first 68 bytes of each packet and truncate anything beyond that; PA-3000 Series, PA-7000 Series, and VM-Series firewalls capture the first 96 bytes. To set the number of bytes that tcpdump captures from each packet, use the snaplen (snap length) option (range 0-65535). Setting snaplen to 0 causes the firewall to use the maximum length required to capture whole packets. With the default snaplen, only the first few bytes after the Ethernet, IP, and transport headers are kept, so use snaplen 0 whenever you need to inspect application-layer content such as RADIUS attributes.
  1. Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.
  2. To start a packet capture on the MGT interface, run the following command:
    admin@PA-220> tcpdump filter "<filter-option> <IP-address>" snaplen length
    For example, to capture the traffic that is generated when an administrator authenticates to the firewall using RADIUS, filter on the destination IP address of the RADIUS server (10.5.104.99 in this example):
    admin@PA-220> tcpdump filter "dst 10.5.104.99" snaplen 0
    You can also filter on src (source IP address), host, and net, and you can exclude content with not. For example, to filter on a subnet and exclude all SCP, SFTP, and SSH traffic (which uses port 22 as source or destination), run the following command:
    admin@PA-220> tcpdump filter "net 10.5.104.0/24 and not port 22" snaplen 0
    Each time tcpdump takes a packet capture, it stores the content on the firewall in a file named mgmt.pcap. This file is overwritten each time you run tcpdump, so export a capture you want to keep before starting another one.
  3. After the traffic you are interested in has traversed the MGT interface, press Ctrl + C to stop the capture.
  4. View the packet capture by running the following command:
    admin@PA-220> view-pcap mgmt-pcap mgmt.pcap
    The following output shows the packet capture from the MGT port (10.5.104.98) to the RADIUS server (10.5.104.99):
    09:55:29.139394 IP 10.5.104.98.43063 > 10.5.104.99.radius: RADIUS, Access Request (1), id: 0x00 length: 89
    09:55:29.144354 arp reply 10.5.104.98 is-at 00:25:90:23:94:98 (oui Unknown)
    09:55:29.379290 IP 10.5.104.98.43063 > 10.5.104.99.radius: RADIUS, Access Request (1), id: 0x00 length: 70
    09:55:34.379262 arp who-has 10.5.104.99 tell 10.5.104.98
  5. (Optional) Export the packet capture from the firewall using SCP (or TFTP). For example, to export the packet capture using SCP, run the following command:
    admin@PA-220> scp export mgmt-pcap from mgmt.pcap to <username@host:path>
    For example, to export the pcap to an SCP-enabled server at 10.5.5.20, into a folder named temp-SCP, run the following CLI command:
    admin@PA-220> scp export mgmt-pcap from mgmt.pcap to admin@10.5.5.20:c:/temp-SCP
    When prompted, enter the password for the account on the SCP server so that the firewall can copy the packet capture to the c:\temp-SCP folder on the SCP-enabled server.
  6. You can now view the packet capture files using a network packet analyzer, such as Wireshark.
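Once the capture is exported, a quick sanity check is worth running before opening it in Wireshark: did the snaplen cut packets short, and did the capture actually contain the RADIUS exchange you were after? The script below is an added example, not part of the Palo Alto Networks documentation or of PAN-OS. It parses the classic pcap format (not pcapng) with Ethernet framing, counts records whose captured length is shorter than the on-wire length (the signature of snaplen truncation), and tallies RADIUS message types by reading the Code byte of UDP traffic on port 1812. The sample capture it builds in-memory is constructed for the example: the MGT MAC address and the 10.5.104.98/10.5.104.99 addresses come from the page, while the RADIUS server's MAC address, the User-Name attribute, and the timestamps are assumptions.

```python
# Added example (not from the Palo Alto Networks documentation): audit an exported
# mgmt.pcap for snaplen truncation and summarize the RADIUS messages it contains.
# Assumes the classic pcap format (not pcapng) with Ethernet framing (linktype 1).
import struct
import sys

RADIUS_PORT = 1812
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                11: "Access-Challenge"}

# Constructed addresses for the sample capture. The MGT MAC is the one shown in
# the page's ARP output; the RADIUS server MAC and the broadcast MAC are assumed.
MGT_MAC = bytes.fromhex("002590239498")
RADIUS_MAC = bytes.fromhex("002590239499")   # assumption
BCAST_MAC = b"\xff" * 6
MGT_IP, RADIUS_IP = bytes([10, 5, 104, 98]), bytes([10, 5, 104, 99])


def parse_pcap(data: bytes):
    """Return (snaplen, records); each record is (orig_len, captured_bytes)."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        order = "<"          # little-endian writer
    elif magic == 0xD4C3B2A1:
        order = ">"          # big-endian writer
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    # Global header after the magic: major, minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, snaplen, linktype = struct.unpack_from(order + "HHiIII", data, 4)
    if linktype != 1:
        raise ValueError(f"expected Ethernet (linktype 1), got {linktype}")
    records, off = [], 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, orig_len = struct.unpack_from(order + "IIII", data, off)
        off += 16
        records.append((orig_len, data[off:off + incl_len]))
        off += incl_len
    return snaplen, records


def radius_code(pkt: bytes):
    """RADIUS Code byte of an Ethernet/IPv4/UDP frame to or from port 1812,
    or None if the frame is not RADIUS or was cut off before that byte."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":   # not IPv4 (e.g. ARP)
        return None
    ihl = (pkt[14] & 0x0F) * 4
    if pkt[23] != 17:                                  # IPv4 protocol 17 = UDP
        return None
    udp = 14 + ihl
    if len(pkt) < udp + 8:                             # UDP header truncated
        return None
    sport, dport = struct.unpack_from("!HH", pkt, udp)
    if RADIUS_PORT not in (sport, dport) or len(pkt) <= udp + 8:
        return None
    return pkt[udp + 8]                                # first RADIUS byte = Code


def audit_pcap(data: bytes) -> dict:
    """Count snaplen-truncated packets and tally RADIUS message types."""
    snaplen, records = parse_pcap(data)
    truncated, radius = 0, {}
    for orig_len, pkt in records:
        if len(pkt) < orig_len:
            truncated += 1
        code = radius_code(pkt)
        if code is not None:
            name = RADIUS_CODES.get(code, f"code {code}")
            radius[name] = radius.get(name, 0) + 1
    return {"snaplen": snaplen, "packets": len(records),
            "truncated": truncated, "radius": radius}


def build_radius_frame(code: int, attrs: bytes) -> bytes:
    """Constructed MGT -> RADIUS server frame; IP/UDP checksums left at zero."""
    radius = struct.pack("!BBH", code, 0, 20 + len(attrs)) + b"\x00" * 16 + attrs
    udp = struct.pack("!HHHH", 43063, RADIUS_PORT, 8 + len(radius), 0) + radius
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     MGT_IP, RADIUS_IP) + udp
    return RADIUS_MAC + MGT_MAC + b"\x08\x00" + ip


def build_arp_frame() -> bytes:
    """Constructed 'who-has 10.5.104.99 tell 10.5.104.98' request (42 bytes)."""
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + MGT_MAC + MGT_IP
           + b"\x00" * 6 + RADIUS_IP)
    return BCAST_MAC + MGT_MAC + b"\x08\x06" + arp


def build_sample_pcap(snaplen: int) -> bytes:
    """Write a little-endian classic pcap, truncating each frame as tcpdump would."""
    effective = 65535 if snaplen == 0 else snaplen
    user_name = struct.pack("!BB", 1, 7) + b"admin"          # User-Name attribute
    frames = [build_radius_frame(1, user_name),              # 69-byte Access-Request
              build_arp_frame(),                             # 42-byte ARP
              build_radius_frame(2, b"")]                    # 62-byte Access-Accept
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, effective, 1)
    for i, frame in enumerate(frames):
        captured = frame[:effective]
        out += struct.pack("<IIII", 1700000000 + i, 0, len(captured), len(frame)) + captured
    return out


if __name__ == "__main__":
    if len(sys.argv) > 1:                     # audit a real export: mgmt.pcap
        data = open(sys.argv[1], "rb").read()
    else:                                     # or the constructed 68-byte-snaplen sample
        data = build_sample_pcap(68)
    print(audit_pcap(data))
```

Run it as `python3 check_mgmt_pcap.py mgmt.pcap` against the exported file. A non-zero `truncated` count with RADIUS messages still counted means the headers survived but attribute data did not, which is exactly what the 68-byte PA-220 default produces for an Access-Request; re-run tcpdump with `snaplen 0` if you need the full payload.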
