debug dataplane packet-diag set filter on
debug dataplane packet-diag set filter match source <ip> destination-port <port>
debug dataplane packet-diag set filter pre-parse-match yes                                !! Useful for capturing packets before being dropped due to routing
debug dataplane packet-diag set capture stage drop file <capture-drop.pcap>                !! Capture only dropped packets
debug dataplane packet-diag set capture stage receive file <capture-rx.pcap>            !! Capture packets received by the Palo Alto device
debug dataplane packet-diag set capture stage firewall file <capture-fw.pcap>            !! Capture packets passing through IPS, policies, etc.
debug dataplane packet-diag set capture stage transmit file <capture-tx.pcap>            !! Capture packets being transmitted out from the Palo Alto device
debug dataplane packet-diag set capture on
debug dataplane packet-diag show setting                                                !! View your configured capture
view-pcap follow yes filter-pcap <pcap-name>                                            !! Follow the capture file live, like tail -f

debug dataplane packet-diag set capture off
debug dataplane packet-diag set filter off
debug dataplane packet-diag clear filter all
debug dataplane packet-diag clear capture all

scp export filter-pcap from <file name> to <username@host:path>                            !! Export capture using SCP

Notes:

  • A maximum of 4 filters can be defined at one time

Documentation
