Packet Based Troubleshooting Configuring packet captures and debug logs Tech Note PAN-OS 4.1 and later Revision D ©2013, Palo Alto Networks, Inc. www.paloaltonetworks.com



Contents

Overview
PAN-OS 5.0 updates
    Management PCAPs
        Viewing Management PCAPs
        Exporting Management PCAPs
    Debug Dataplane Changes
Packet filter, capture and debug logs
Section 1: Packet filters
    Configuring packet filters
    Filter match conditions
        Configuring packet filter match
        Viewing the packet filter
        Clearing a filter
        Pre-parse-match
Section 2: Packet captures
    Configuring packet capture-CLI
    Packet capture stage
    Trigger captures
    Capture file
    Viewing and deleting PCAP
    Clearing capture
    Configuring packet capture-Web Management
PCAP examples
    Case 1: Traffic without NAT
    Case 2: Traffic with Source NAT
Section 3: Debug log
    Configuring packet log
    Viewing debug log
    Clearing debug log file
Debug log example
    Clear debug log file
Disable debug
Summary
Revision History


Overview
The purpose of this document is to provide background information on the PAN-OS 3.1 and later packet filtering, capture and debug log functionality, as well as a recommended workflow for using those features in problem diagnostics. The commands covered in this document are applicable to all hardware platforms.

PAN-OS 5.0 updates

Management PCAPs
PAN-OS 5.0 provides the ability to run TCPDUMP to monitor and capture traffic on the out-of-band management interface on all hardware platforms. TCPDUMP is run by typing the command "tcpdump" from the CLI.

    admin@PA-200> tcpdump
    Press Ctrl-C to stop capturing
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 68 bytes

A TCPDUMP filter can also be applied to limit the capture to specific traffic. The examples below show some of the common filters:

    tcpdump filter "port 443"
        Captures traffic to destination port 443
    tcpdump filter "not port 443"
        Captures traffic to destination port not equal to 443
    tcpdump filter "src host 10.1.1.9"
        Captures traffic from source IP 10.1.1.9
    tcpdump filter "src host not 10.1.1.9"
        Captures traffic whose source IP is not equal to 10.1.1.9
    tcpdump filter "src net 192.168.1.0/24 and port 443"
        Captures traffic from source subnet 192.168.1.0/24 and port 443
    tcpdump filter "src host 10.1.1.9 or 10.1.1.10"
        Captures traffic from source IP 10.1.1.9 or 10.1.1.10
    tcpdump filter "src host (10.1.1.9 or 10.1.1.10) and port 443"
        Captures traffic from source IP 10.1.1.9 or 10.1.1.10 and destination port 443
    tcpdump filter "proto 6 and port 443"
        Captures all TCP traffic to destination port 443
    tcpdump filter "proto 1 and src net 10.1.1.0/24"
        Captures ICMP traffic from source network 10.1.1.0/24

Viewing Management PCAPs
The management PCAPs can be viewed using the "view-pcap mgmt-pcap mgmt.pcap" command. Every time TCPDUMP is run, the old mgmt.pcap file is overwritten with the new packet capture.

    admin@PA-200> view-pcap mgmt-pcap mgmt.pcap
    18:49:54.757809 IP 10.1.1.9.50833 > 192.168.1.1.https: P 3878859509:3878860271(762) ack 3184641665 win 10073
    18:49:54.757916 IP 192.168.1.1.https > 10.1.1.9.50833: . ack 762 win 501
    18:49:54.797103 IP 192.168.1.1.https > 10.1.1.9.50833: P 1:486(485) ack 762 win 501
    18:49:54.810471 IP 10.1.1.9.50833 > 192.168.1.1.https: P 762:1460(698) ack 486 win 9952
    18:49:54.810530 IP 192.168.1.1.https > 10.1.1.9.50833: . ack 1460 win 501
    18:49:54.867814 IP 192.168.1.1.https > 10.1.1.9.50833: P 486:971(485) ack 1460 win 501
    18:49:54.873693 IP 10.1.1.9.50833 > 192.168.1.1.https: P 1460:2222(762) ack 971 win 10220
    18:49:54.873760 IP 192.168.1.1.https > 10.1.1.9.50833: . ack 2222 win 501


Exporting Management PCAPs
Management PCAPs can be exported using SCP or TFTP. The syntax for SCP and TFTP is shown below:

    scp export mgmt-pcap from mgmt.pcap to user@hostname:/path
    tftp export mgmt-pcap from mgmt.pcap to <host>

Debug Dataplane Changes
1. On the PA-200 all debug logs are now stored in the file pan_task_1.log. To view debug logs use the command "tail follow yes mp-log pan_task_1.log" or "less mp-log pan_task_1.log".
2. In PAN-OS 5.0 and later, you can run a command to aggregate the dataplane logs into one log file. After the debug logs have been collected, disable the flow basic debug and then run the following command: debug dataplane packet-diag aggregate-logs. This command results in all dataplane logs being aggregated to packet-diag. This is helpful on the PA-5000 Series, where there are multiple dataplanes. You can then view the aggregated logs collected from all of the dataplanes in one single file.

An example of enabling the debug log in PAN-OS 5.0 is shown below:

    debug dataplane packet-diag clear log log
    debug dataplane packet-diag set filter match source 172.16.100.87 destination 172.16.101.100 destination-port 21 protocol 6
    debug dataplane packet-diag set filter on
    debug dataplane packet-diag set log feature flow basic
    debug dataplane packet-diag set log on

To aggregate the dataplane logs, disable the debug logs, wait about a minute to allow the logs to be fully written, and then run: debug dataplane packet-diag aggregate-logs. This combines the dataplane logs into a single file named pan_packet_diag.log.

Packet filter, capture and debug logs
In PAN-OS 3.1 and later, packet filtering, logging and packet capturing have been separated, and the configuration and operational commands are grouped under three distinct areas:

• Packet filter
• Packet capture
• Debug logs

All of these functions can be configured, viewed and cleared using the operational mode command debug dataplane packet-diag:

    admin@PA-4050> debug dataplane packet-diag
    > clear    Clear packet-related diagnosis parameters
    > set      Set packet-related debugging parameters
    > show     Show packet-related diagnosis information


This document is divided into the following sections:

1. Packet Filters
2. Packet Captures
3. Debug Logs

Section 1: Packet filters
Very seldom is there a single flow through the firewall at any given time. When trying to diagnose problems, it is important to define filters to minimize the performance degradation and to ensure other extraneous data is not captured. PAN-OS supports configuring packet filters to define interesting traffic. The packet filters can be applied to accomplish the following:

• Enable packet capture at multiple capturing points
• Track global counter changes
• Enable packet debug logging

Configuring packet filters
The debug dataplane packet-diag set filter command is used to turn packet filters on/off and to define their match conditions:

    admin@PA-4050> debug dataplane packet-diag set filter
    > match             Specify debug filter
    > off               Disable debug filter
    > on                Enable debug filter
    > pre-parse-match   Match value for packet before parsing

The packet filter is enabled using the command "debug dataplane packet-diag set filter on".

Filter match conditions
Packet filters can be configured to match on the following options:

• Source and destination IP address
• Source and destination ports
• IP protocol
• Ingress interface
• Include, exclude or capture only non-IP

A maximum of four filters can be configured on the firewall. All the parameters within a filter must match within a packet for it to be captured. When multiple filters are configured, packets matching any of packet filters will be captured.

Configuring packet filter match
The examples below show different packet filter match statements.

Match a source IP address:

    admin@PA-4050> debug dataplane packet-diag set filter match source 1.1.1.5

Match source and destination IP address, destination port and IP protocol. In this example all the parameters defined in the filter must match for the packet to be captured, i.e. the source IP, destination IP, port and protocol of the packet must all match to trigger the filter.

    admin@PA-4050> debug dataplane packet-diag set filter match source 1.1.1.5 destination 2.1.1.5 destination-port 80 protocol 6

Viewing the packet filter
The configured packet filters can be viewed using the command debug dataplane packet-diag show setting:

    admin@PA-4050> debug dataplane packet-diag show setting
    -------------------------------------------------------------------------
    Packet diagnosis setting:
    -------------------------------------------------------------------------
    Packet filter
      Enabled:                  yes
      Match pre-parsed packet:  no
      Index 1: 1.1.1.50[0]->0.0.0.0[0], proto 0
               ingress-interface any, egress-interface any, exclude non-IP
      Index 2: 1.1.1.5[0]->2.1.1.5[80], proto 6
               ingress-interface any, egress-interface any, exclude non-IP
    -------------------------------------------------------------------------
    Logging
      Enabled:                  no
      Log-throttle:             no
      Aggregate-to-single-file: yes
      Features:
    -------------------------------------------------------------------------
    Packet capture
      Enabled:                  no
    -------------------------------------------------------------------------

In the above example there are two packet filters configured. Packets matching either one of the filters are captured.

Clearing a filter
A PAN-OS device supports four concurrently configured filters. Existing filters must be removed in order to configure new filters. Filters are referenced by index numbers. To clear a filter use the command debug dataplane packet-diag clear filter:

    admin@PA-4050> debug dataplane packet-diag clear filter
      all        Delete all filters
      <value>    <1-4> Filter index

Note: The filters are not renumbered when a filter is cleared.
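The match semantics described in this section (all parameters within a filter must match, any of the configured filters may match, at most four filters, indexes are not reused) are easy to get wrong when reading the "show setting" output by hand. The following parser is an added example written for this note; it is not Palo Alto Networks code. It reads a constructed copy of the show-setting output, tells you which filter a given packet would hit, and lists the filter indexes still free. Treating 0.0.0.0, port 0 and proto 0 as "not specified" is an assumption about how an unset field is printed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample modelled on the "show setting" output in this note:
# two filters (index 1 and 2) and two capture stages. Not taken from a device.
SAMPLE_SETTING = """\
-------------------------------------------------------------------------
Packet diagnosis setting:
-------------------------------------------------------------------------
Packet filter
  Enabled:                  yes
  Match pre-parsed packet:  no
  Index 1: 1.1.1.50[0]->0.0.0.0[0], proto 0
           ingress-interface any, egress-interface any, exclude non-IP
  Index 2: 1.1.1.5[0]->2.1.1.5[80], proto 6
           ingress-interface any, egress-interface any, exclude non-IP
-------------------------------------------------------------------------
Logging
  Enabled:                  no
-------------------------------------------------------------------------
Packet capture
  Enabled:                  yes
  Stage receive  : file ftp-rx   byte-count 0   packet-count 0
  Stage firewall : file ftp-fw   byte-count 0   packet-count 0
-------------------------------------------------------------------------
"""

MAX_FILTERS = 4  # the note: at most four filters, and cleared indexes are not renumbered

FILTER_RE = re.compile(r"Index (\d+): (\S+)\[(\d+)\]->(\S+)\[(\d+)\], proto (\d+)")
STAGE_RE = re.compile(r"Stage (\w+)\s*: file (\S+)\s+byte-count (\d+)\s+packet-count (\d+)")


@dataclass
class PacketFilter:
    index: int
    src: str
    sport: int
    dst: str
    dport: int
    proto: int

    def matches(self, src: str, sport: int, dst: str, dport: int, proto: int) -> bool:
        # AND within a filter: every parameter that is set must match the packet.
        # 0.0.0.0, port 0 and proto 0 are read as "not specified" (assumption).
        checks = [
            (self.src, src, "0.0.0.0"),
            (self.sport, sport, 0),
            (self.dst, dst, "0.0.0.0"),
            (self.dport, dport, 0),
            (self.proto, proto, 0),
        ]
        return all(want == unset or want == got for want, got, unset in checks)


def parse_setting(text: str) -> dict:
    """Parse the sections of 'debug dataplane packet-diag show setting'."""
    section = None
    enabled: Dict[str, bool] = {}
    filters: List[PacketFilter] = []
    stages: Dict[str, dict] = {}
    for line in text.splitlines():
        s = line.strip()
        if s in ("Packet filter", "Logging", "Packet capture"):
            section = s
            continue
        if s.startswith("Enabled:") and section:
            enabled[section] = s.split(":", 1)[1].strip() == "yes"
            continue
        m = FILTER_RE.search(line)
        if m:
            filters.append(PacketFilter(int(m[1]), m[2], int(m[3]), m[4], int(m[5]), int(m[6])))
            continue
        m = STAGE_RE.search(line)
        if m:
            stages[m[1]] = {"file": m[2], "byte_count": int(m[3]), "packet_count": int(m[4])}
    return {"enabled": enabled, "filters": filters, "stages": stages}


def matching_filter(setting: dict, src: str, sport: int, dst: str, dport: int, proto: int) -> Optional[int]:
    """Index of the first filter the packet matches, or None.
    OR across filters: a packet is captured when it matches any of them."""
    if not setting["enabled"].get("Packet filter"):
        return None
    for f in setting["filters"]:
        if f.matches(src, sport, dst, dport, proto):
            return f.index
    return None


def free_filter_indexes(setting: dict) -> List[int]:
    """Indexes still available; a cleared filter leaves a gap because the
    remaining filters are not renumbered."""
    used = {f.index for f in setting["filters"]}
    return [i for i in range(1, MAX_FILTERS + 1) if i not in used]
```

Running this against the sample reports that a TCP packet from 1.1.1.5 to 2.1.1.5:80 hits filter 2, that any packet from 1.1.1.50 hits filter 1 regardless of destination, and that indexes 3 and 4 are still free.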

Pre-parse-match
The pre-parse-match option is provided for advanced troubleshooting purposes. From the moment a packet enters the ingress port it has to go through a number of processing steps before it is parsed for a match against the configured filters. Therefore, it is entirely possible that a packet, due to some failure, never reaches the filtering stage. A typical example is the route lookup: if this fails, the packet never reaches the filter (although interface counters can be used to quickly identify this error condition). Setting pre-parse-match emulates a positive match for every packet entering the system, so that even packets that never make it to the filtering process can be captured. If a packet does get through to the filtering stage, it is then processed according to the filter configuration, and the match is discarded if the packet fails to meet the filtering criteria. By default pre-parsed packets are not matched. To enable pre-parse match use the command:

    admin@PA-4050(active)> debug dataplane packet-diag set filter pre-parse-match yes

Section 2: Packet captures
PAN-OS supports capturing packets that can be analyzed later for troubleshooting, or for detecting unknown applications. Only the packets that match the filters are captured. The PCAPs are stored locally on the device in a user-defined file. The PCAP file can be viewed from the CLI or copied to an external host to view using a PCAP utility. The PCAPs have a 1% disk usage quota with a minimum storage space size of 100MB for each type.

Configuring packet capture-CLI
To enable packet capture and to set the capture options use the operational mode command debug dataplane packet-diag set capture:

    admin@PA-4050> debug dataplane packet-diag set capture
    > off       Disable debug capture
    > on        Enable debug capture
    > stage     Packet capture at processing stage
    > trigger   Packet capture triggered by event

To enable packet capture use the command debug dataplane packet-diag set capture on.

Packet capture stage
Packets can be captured at different packet processing stages. The user may specify capture PCAP file attributes for the following points:

    admin@PA-4050> debug dataplane packet-diag set capture stage
    > drop       Drop stage
    > firewall   Firewall stage
    > receive    Receive stage
    > transmit   Transmit stage

• drop: when packet processing encounters an error and the packet will be discarded
• firewall: the packet has a session match, or is a first packet with a session successfully created
• receive: the packet is received on the dataplane CPU
• transmit: the packet is to be transmitted on the dataplane CPU

The receive and transmit stage capture points are shown in the figure below.

[Figure: receive and transmit stage capture points, labelled A to D]

A: First packet from a source host received by the firewall
B: First packet transmitted after processing
C: Response packet received. This is the response to the packet sent out in stage B
D: Response packet sent to the end host

You can also define the maximum number of bytes to capture and also the maximum packets to be captured for each stage.


Trigger captures
Packet capture can be made conditional for a given session: it starts when a triggering event occurs. Currently the only trigger event is "application", which means the capture is triggered when the application changes from one to another. For example, when a user accesses Gmail, the session starts off as web-browsing and then switches to gmail. It is possible to define the max byte count before the filter stops capturing, and also the max number of packets to be captured. A packet match filter is required for the application trigger to capture packets.

    admin@PA-4050> debug dataplane packet-diag set capture trigger application
    + byte-count     Max. byte count before filter stops
    + packet-count   Max. packet count before filter stops
    * file           Saved file name
    * from           From application
    * to             To application

Capture file
PCAPs are stored in the file defined by the user. Files can be defined for each packet capture stage and/or for triggered captures. Multiple stages for PCAP can be enabled simultaneously. The commands for setting the capture file are:

    debug dataplane packet-diag set capture stage <drop/firewall/receive/transmit> file <file name>
    debug dataplane packet-diag set capture trigger application from <application name> to <application name> file <file name>

Note: If you are capturing packets at different stages, it is recommended to have a separate PCAP file for each stage of the capture.

Viewing and deleting PCAP
The PCAP file can be viewed using the command view-pcap. The command syntax is:

    view-pcap filter-pcap <file name>

You can view all the file names using "?" in place of the filename. The view-pcap command provides the user with many different options to view the PCAP. Some of the options include hex, hex-ascii, no-dns-lookup and no-port-lookup. To view the complete option list, use "?" as the first argument after "view-pcap". To view the PCAP with options use the following command:

    view-pcap <option> yes filter-pcap <file name>

To view the pcap in real time use the command:

    view-pcap follow yes filter-pcap <file name>


The pcap file can also be exported to an external host to be viewed using any PCAP viewing utility. TFTP and SCP are the supported methods.

    scp export filter-pcap from <file name> to <username@host:path>
    tftp export filter-pcap from <file name> to <destination IP>

Note: The PCAP file is created only when the traffic traverses the firewall.

To delete the PCAP files use the command:

    delete debug-filter file <file name>

Clearing capture
To clear the capture use the debug dataplane packet-diag clear command. More specific options to clear a particular stage or trigger are also available:

    admin@PA-4050> debug dataplane packet-diag clear capture
    > all       all
    > stage     Capture at processing stage
    > trigger   Capture triggered by event

Configuring packet capture-Web Management
Starting with PAN-OS 4.0 packet capture can be configured from the Web management interface. To configure packet capture, navigate to Monitor > Packet Capture. You must first set the filters before enabling packet capture. To enable the filter, set Filtering to ON and click on Manage Filters.

From the Capture Files section, set Capture to ON and click on "add" to add a capture file and stage. The PCAP file will be created when traffic traverses the firewall. PCAPs can be viewed from the right-hand pane of the PCAP window.


PCAP examples

Case 1: Traffic without NAT
In this example, we capture packets for all FTP traffic from source 172.16.100.87 to destination 172.16.101.100. The workflow for enabling PCAP is as follows:

1. Apply the packet filters for the source and destination
2. Enable the packet filter
3. Specify the packet capture stage and the file
4. Enable packet capture
5. Initiate traffic between the hosts
6. Disable packet capture
7. Analyze the PCAP

    debug dataplane packet-diag set filter match source 172.16.100.87 destination 172.16.101.100 destination-port 21 protocol 6
    debug dataplane packet-diag set filter on
    debug dataplane packet-diag set capture stage firewall file ftp-pcap
    debug dataplane packet-diag set capture on
    (Initiate traffic)
    debug dataplane packet-diag set capture off

    admin@PA-4050> view-pcap filter-pcap ftp-pcap
    reading from file /opt/panlogs/session/pan/filters/ftp-pcap, link-type EN10MB (Ethernet)
    22:25:59.892789 IP 172.16.100.87.44833 > 172.16.101.100.ftp: S 2264517141:2264517141(0) win 5840 <mss 1460,sackOK,timestamp 730886439 0,nop,wscale 7>
    22:25:59.892980 IP 172.16.101.100.ftp > 172.16.100.87.44833: S 3138829586:3138829586(0) ack 2264517142 win 17520 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
    22:25:59.893066 IP 172.16.100.87.44833 > 172.16.101.100.ftp: . ack 1 win 46 <nop,nop,timestamp 730886440 0>
    22:25:59.895180 IP 172.16.101.100.ftp > 172.16.100.87.44833: P 1:43(42) ack 1 win 17520 <nop,nop,timestamp 6975543 730886440>
    22:26:11.324835 IP 172.16.100.87.42430 > 172.16.101.100.carrius-rshell: S 2290456784:2290456784(0) win 5840 <mss 1460,sackOK,timestamp 730897872 0,nop,wscale 7>

Case 2: Traffic with Source NAT
In this example, we capture packets for all FTP traffic from source 172.16.100.87 to destination 172.16.101.100. The source 172.16.100.87 is translated using dynamic-ip to the egress interface IP of 172.16.101.1. Packets are captured at the receive stage, firewall stage and transmit stage, with each stage configured with its own PCAP file.

    admin@PA-4050> debug dataplane packet-diag show setting
    -------------------------------------------------------------------------
    Packet diagnosis setting:
    -------------------------------------------------------------------------
    Packet filter
      Enabled:                  yes
      Match pre-parsed packet:  no
      Index 1: 172.16.100.87[0]->172.16.101.100[21], proto 6
               ingress-interface any, egress-interface any, exclude non-IP
    -------------------------------------------------------------------------
    Logging
      Enabled:                  no
      Log-throttle:             no
      Aggregate-to-single-file: yes
      Features:
    -------------------------------------------------------------------------
    Packet capture
      Enabled:                  yes
      Stage receive  : file ftp-rx   byte-count 0   packet-count 0
      Stage firewall : file ftp-fw   byte-count 0   packet-count 0
      Stage transmit : file ftp-tx   byte-count 0   packet-count 0
    -------------------------------------------------------------------------

In the example the IP addresses and port numbers of the packet are as shown:

    Original packet
    Source IP/port         Destination IP/port
    172.16.100.87/32919    172.16.101.100/21

    Translated packet
    Source IP/port         Destination IP/port
    172.16.101.1/43828     172.16.101.100/21

When NAT is configured, it is important to note the source and destination IP addresses of the packet at the different capture points.

Receive and firewall stage: the receive and firewall stages always capture pre-NAT addresses. The first packet received by the firewall will have source IP/port = 172.16.100.87/32919 and destination IP/port = 172.16.101.100/21. This is the original packet. The response packet will have source IP/port = 172.16.101.100/21 and destination IP/port = 172.16.101.1/43828. This is the original response packet.

PCAP at receive stage:

    admin@PA-4050> view-pcap filter-pcap ftp-rx
    reading from file /opt/panlogs/session/pan/filters/ftp-rx, link-type EN10MB (Ethernet)
    17:42:03.364844 IP 172.16.100.87.32919 > 172.16.101.100.ftp: S 1269231740:1269231740(0) win 5840 <mss 1460,sackOK,timestamp 1059470370 0,nop,wscale 7>
    17:42:03.366965 IP 172.16.101.100.ftp > 172.16.101.1.43828: S 3378337395:3378337395(0) ack 1269231741 win 17520 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
    17:42:03.367102 IP 172.16.100.87.32919 > 172.16.101.100.ftp: . ack 3378337396 win 46 <nop,nop,timestamp 1059470374 0>
    17:42:03.382249 IP 172.16.101.100.ftp > 172.16.101.1.43828: P 1:43(42) ack 1 win 17520 <nop,nop,timestamp 10260900 1059470374>
    17:42:03.382756 IP 172.16.100.87.32919 > 172.16.101.100.ftp: . ack 43 win 46 <nop,nop,timestamp 1059470389 10260900>

PCAP at firewall stage:

    admin@PA-4050> view-pcap filter-pcap ftp-fw
    reading from file /opt/panlogs/session/pan/filters/ftp-fw, link-type EN10MB (Ethernet)
    17:42:03.365056 IP 172.16.100.87.32919 > 172.16.101.100.ftp: S 1269231740:1269231740(0) win 5840 <mss 1460,sackOK,timestamp 1059470370 0,nop,wscale 7>
    17:42:03.367013 IP 172.16.101.100.ftp > 172.16.101.1.43828: S 3378337395:3378337395(0) ack 1269231741 win 17520 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
    17:42:03.367152 IP 172.16.100.87.32919 > 172.16.101.100.ftp: . ack 3378337396 win 46 <nop,nop,timestamp 1059470374 0>
    17:42:03.382293 IP 172.16.101.100.ftp > 172.16.101.1.43828: P 1:43(42) ack 1 win 17520 <nop,nop,timestamp 10260900 1059470374>

Transmit stage: the transmit stage always captures post-NAT addresses. The first packet transmitted by the firewall will have source IP/port = 172.16.101.1/43828 and destination IP/port = 172.16.101.100/21, i.e. the translated packet. The response packet transmitted by the firewall will have source IP/port = 172.16.101.100/21 and destination IP/port = 172.16.100.87/32919. The destination IP of the response packet is translated back from the NAT address to the original address.

PCAP at transmit stage:

    admin@PA-4050> view-pcap filter-pcap ftp-tx
    reading from file /opt/panlogs/session/pan/filters/ftp-tx, link-type EN10MB (Ethernet)
    17:42:03.365129 IP 172.16.101.1.43828 > 172.16.101.100.ftp: S 1269231740:1269231740(0) win 5840 <mss 1460,sackOK,timestamp 1059470370 0,nop,wscale 7>
    17:42:03.367057 IP 172.16.101.100.ftp > 172.16.100.87.32919: S 3378337395:3378337395(0) ack 1269231741 win 17520 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
    17:42:03.367196 IP 172.16.101.1.43828 > 172.16.101.100.ftp: . ack 3378337396 win 46 <nop,nop,timestamp 1059470374 0>
    17:42:03.382689 IP 172.16.101.100.ftp > 172.16.100.87.32919: P 1:43(42) ack 1 win 17520 <nop,nop,timestamp 10260900 1059470374>
    17:42:03.382816 IP 172.16.101.1.43828 > 172.16.101.100.ftp: . ack 43 win 46 <nop,nop,timestamp 1059470389 10260900>
    17:42:03.383092 IP 172.16.101.1.43828 > 172.16.101.100.ftp: P 0:13(13) ack 43 win 46 <nop,nop,timestamp 1059470390 10260900>
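When the receive, firewall and transmit captures of the same session are compared, the pre-NAT and post-NAT addresses can be correlated segment by segment, because NAT rewrites addresses but not the TCP sequence numbers. The script below is an added example written for this note, not Palo Alto Networks code: it parses view-pcap text lines from the three stages (constructed from the Case 2 lines above, with the TCP options trimmed), confirms that receive and firewall stage show identical addresses, and derives the source-NAT mapping from the transmit stage. The small service-name table is an assumption that covers the port names view-pcap printed in this sample.

```python
import re
from typing import Dict, List, Tuple

Endpoint = Tuple[str, int]

# Assumption: view-pcap prints well-known ports by name; this table covers the sample.
SERVICE_PORTS = {"ftp": 21, "http": 80, "https": 443}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\w+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\w+): (?P<flags>\S+) "
    r"(?P<seq>\d+):\d+\((?P<len>\d+)\)")

# Constructed samples: Case 2 of this note, trimmed to the SYN, SYN/ACK and
# first data segment of each stage (TCP options omitted, header line kept).
RX_STAGE = """\
reading from file /opt/panlogs/session/pan/filters/ftp-rx, link-type EN10MB (Ethernet)
17:42:03.364844 IP 172.16.100.87.32919 > 172.16.101.100.ftp: S 1269231740:1269231740(0) win 5840
17:42:03.366965 IP 172.16.101.100.ftp > 172.16.101.1.43828: S 3378337395:3378337395(0) ack 1269231741 win 17520
17:42:03.382249 IP 172.16.101.100.ftp > 172.16.101.1.43828: P 1:43(42) ack 1 win 17520
"""
FW_STAGE = """\
reading from file /opt/panlogs/session/pan/filters/ftp-fw, link-type EN10MB (Ethernet)
17:42:03.365056 IP 172.16.100.87.32919 > 172.16.101.100.ftp: S 1269231740:1269231740(0) win 5840
17:42:03.367013 IP 172.16.101.100.ftp > 172.16.101.1.43828: S 3378337395:3378337395(0) ack 1269231741 win 17520
17:42:03.382293 IP 172.16.101.100.ftp > 172.16.101.1.43828: P 1:43(42) ack 1 win 17520
"""
TX_STAGE = """\
reading from file /opt/panlogs/session/pan/filters/ftp-tx, link-type EN10MB (Ethernet)
17:42:03.365129 IP 172.16.101.1.43828 > 172.16.101.100.ftp: S 1269231740:1269231740(0) win 5840
17:42:03.367057 IP 172.16.101.100.ftp > 172.16.100.87.32919: S 3378337395:3378337395(0) ack 1269231741 win 17520
17:42:03.382689 IP 172.16.101.100.ftp > 172.16.100.87.32919: P 1:43(42) ack 1 win 17520
17:42:03.383092 IP 172.16.101.1.43828 > 172.16.101.100.ftp: P 0:13(13) ack 43 win 46
"""


def _port(token: str) -> int:
    return int(token) if token.isdigit() else SERVICE_PORTS[token]


def parse_view_pcap(text: str) -> List[dict]:
    """Parse the text lines view-pcap prints; header and pure-ACK lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        packets.append({
            "ts": m["ts"],
            "src": (m["src"], _port(m["sport"])),
            "dst": (m["dst"], _port(m["dport"])),
            # A segment is recognised across stages by flags, seq and length:
            # NAT rewrites addresses but leaves the TCP sequence space alone.
            "key": (m["flags"], int(m["seq"]), int(m["len"])),
        })
    return packets


def _pair_by_key(a_text: str, b_text: str) -> List[Tuple[dict, dict]]:
    b_by_key = {p["key"]: p for p in parse_view_pcap(b_text)}
    return [(p, b_by_key[p["key"]]) for p in parse_view_pcap(a_text) if p["key"] in b_by_key]


def same_addresses(a_text: str, b_text: str) -> bool:
    """True when every segment present in both captures carries identical addresses."""
    pairs = _pair_by_key(a_text, b_text)
    return bool(pairs) and all(a["src"] == b["src"] and a["dst"] == b["dst"] for a, b in pairs)


def derive_nat(pre_text: str, post_text: str) -> Tuple[Dict[Endpoint, Endpoint], bool]:
    """Compare a pre-NAT capture with a post-NAT capture of the same segments.
    Returns (mapping, consistent): mapping is original (ip, port) -> translated
    (ip, port) taken from client->server segments; consistent is True when the
    server->client segments undo exactly that translation."""
    forward: Dict[Endpoint, Endpoint] = {}
    reverse: Dict[Endpoint, Endpoint] = {}
    for pre, post in _pair_by_key(pre_text, post_text):
        if pre["src"] != post["src"]:      # client->server: source was rewritten
            forward[pre["src"]] = post["src"]
        if pre["dst"] != post["dst"]:      # server->client: destination was restored
            reverse[pre["dst"]] = post["dst"]
    consistent = bool(forward) and all(reverse.get(post) == pre for pre, post in forward.items())
    return forward, consistent
```

On the sample, derive_nat reports that 172.16.100.87:32919 was translated to 172.16.101.1:43828 and that the reply direction restores it, while same_addresses confirms the receive and firewall stages agree with each other and differ from the transmit stage, which is the point of the Case 2 discussion.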


Section 3: Debug log
The debug log provides a packet navigation trail through the various packet processing stages of the firewall. The default method of capturing the debug log is to aggregate the logs into a single file called "pan_packet_diag.log". It is good practice to apply packet filters to restrict the flows that are logged.

Configuring packet log
To enable packet logging and to set the log options use the operational mode command debug dataplane packet-diag set log:

    admin@PA-4050> debug dataplane packet-diag set log
    > feature      Enable feature/module to log
    > log-option   Logging output options
    > off          Disable debug logging
    > on           Enable debug logging

To enable packet logging use the command debug dataplane packet-diag set log on.

PAN-OS offers multiple features to log packets. Each feature can have sub-features where packets can be logged:

    admin@PA-4050> debug dataplane packet-diag set log feature
    > all      all
    > appid    appid
    > ctd      ctd
    > flow     flow
    > misc     misc
    > module   module
    > pow      pow
    > proxy    proxy
    > ssl      ssl
    > tcp      tcp
    > tunnel   tunnel
    > zip      zip

    admin@PA-4050> debug dataplane packet-diag set log feature flow
      ager       ager
      all        all
      arp        arp
      basic      basic
      ha         ha
      np         np
      receive    receive

The most commonly used feature for troubleshooting is "flow basic". In PAN-OS 3.1, the default behavior is for all the debug logs to be aggregated into a single file, "pan_packet_diag.log".

Viewing debug log
The debug log can be viewed from the CLI using one of two commands:

• less
• tail

Note:
1. For the PA-5000 series of firewalls the command to view the debug log is less dp0-log pan_packet_diag.log
2. For the PA-200 use the command less mp-log pan_packet_diag.log

The examples in this note are based on the PA-500/2000/4000 series of platforms.

    less dp-log pan_packet_diag.log

Displays all the contents of the debug file, starting at the beginning of the file.

    tail dp-log pan_packet_diag.log

Displays the last 10 lines of the debug file. The tail command by default displays the last 10 lines of the debug file. To output the last N lines instead of the last 10, use the command

    tail lines <value> dp-log pan_packet_diag.log

where value is 1-65535.

To follow the debug log in real time:

    tail follow yes dp-log pan_packet_diag.log

Clearing debug log file
It is good practice to clear the log before enabling debug to capture traffic. Log files can be cleared using the command:

    debug dataplane packet-diag clear log log

Debug log example
In this example, we capture packets for all FTP traffic from source 172.16.100.87 to destination 172.16.101.100. The workflow is as follows:

1. Apply the packet filters for the source and destination
2. Enable the packet filter
3. Specify the log feature
4. Clear the debug log file
5. Enable the debug log
6. Initiate traffic between the hosts
7. Disable the debug log
8. Analyze the logs

    debug dataplane packet-diag set filter match source 172.16.100.87 destination 172.16.101.100 destination-port 21 protocol 6
    debug dataplane packet-diag set filter on
    debug dataplane packet-diag set log feature flow basic
    debug dataplane packet-diag clear log log
    debug dataplane packet-diag set log on
    (Initiate traffic)
    debug dataplane packet-diag set log off

    admin@PA-4050> less dp-log pan_packet_diag.log
    == Jun 21 19:14:39 ==
    Packet received at np stage
    Packet info: len 74 port 16 interface 16 wqe index 229308 packet 0x0x8000000416fdc0e6
    Packet decoded dump:
    L2:     00:14:c1:4b:d8:f9->00:1b:17:14:4f:10, type 0x0800
    IP:     172.16.100.87->172.16.101.100, protocol 6
            version 4, ihl 5, tos 0x00, len 60,
            id 30220, frag_off 0x4000, ttl 64, checksum 41683
    TCP:    sport 33987, dport 21, seq 1819534672, ack 0,
            reserved 0, offset 10, window 5840, checksum 27398,
            flags 0x0002 ( SYN), urgent data 0
    TCP option:
    00000000: 02 04 05 b4 04 02 08 0a 3a 54 93 5c 00 00 00 00  ........ :T.\....
    00000010: 01 03 03 07                                      ....
    == Jun 21 19:14:39 ==
    Packet received at ingress stage
    Packet info: len 74 port 16 interface 16 wqe index 229308 packet 0x0x8000000416fdc0e6
    Packet decoded dump:
    L2:     00:14:c1:4b:d8:f9->00:1b:17:14:4f:10, type 0x0800
    IP:     172.16.100.87->172.16.101.100, protocol 6
            version 4, ihl 5, tos 0x00, len 60,
            id 30220, frag_off 0x4000, ttl 64, checksum 41683
    TCP:    sport 33987, dport 21, seq 1819534672, ack 0,
            reserved 0, offset 10, window 5840, checksum 27398,
            flags 0x0002 ( SYN), urgent data 0
    TCP option:
    00000000: 02 04 05 b4 04 02 08 0a 3a 54 93 5c 00 00 00 00  ........ :T.\....
    00000010: 01 03 03 07                                      ....
    Flow lookup
    No active flow found, enqueue to create session
    == Jun 21 19:14:39 ==


PAN-OS allows for searching specific keywords within the log by typing /<pattern>. These are case sensitive. For example to see the route lookup in the above example you can type /Route
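The "navigation trail" the debug log provides is easier to read once the entries are parsed into stages per flow, and the same parser can reproduce the case-sensitive keyword search that less offers with /<pattern>. The code below is an added example written for this note, not Palo Alto Networks code. It reads a constructed copy of the two pan_packet_diag.log entries shown above (the "==" headers, the "Packet received at ... stage" lines, the decoded IP/TCP dump and the free-text decisions such as "Flow lookup") and builds the list of stages each 5-tuple passed through; the layout of the entries is taken from the sample, and the choice to treat every unindented line outside the decoded dump as a decision note is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the two entries from the debug log example in this note.
SAMPLE_LOG = """\
== Jun 21 19:14:39 ==
Packet received at np stage
Packet info: len 74 port 16 interface 16 wqe index 229308 packet 0x0x8000000416fdc0e6
Packet decoded dump:
L2:     00:14:c1:4b:d8:f9->00:1b:17:14:4f:10, type 0x0800
IP:     172.16.100.87->172.16.101.100, protocol 6
        version 4, ihl 5, tos 0x00, len 60,
        id 30220, frag_off 0x4000, ttl 64, checksum 41683
TCP:    sport 33987, dport 21, seq 1819534672, ack 0,
        reserved 0, offset 10, window 5840, checksum 27398,
        flags 0x0002 ( SYN), urgent data 0
TCP option:
00000000: 02 04 05 b4 04 02 08 0a 3a 54 93 5c 00 00 00 00  ........ :T.\\....
00000010: 01 03 03 07                                      ....
== Jun 21 19:14:39 ==
Packet received at ingress stage
Packet info: len 74 port 16 interface 16 wqe index 229308 packet 0x0x8000000416fdc0e6
Packet decoded dump:
L2:     00:14:c1:4b:d8:f9->00:1b:17:14:4f:10, type 0x0800
IP:     172.16.100.87->172.16.101.100, protocol 6
        version 4, ihl 5, tos 0x00, len 60,
        id 30220, frag_off 0x4000, ttl 64, checksum 41683
TCP:    sport 33987, dport 21, seq 1819534672, ack 0,
        reserved 0, offset 10, window 5840, checksum 27398,
        flags 0x0002 ( SYN), urgent data 0
TCP option:
00000000: 02 04 05 b4 04 02 08 0a 3a 54 93 5c 00 00 00 00  ........ :T.\\....
00000010: 01 03 03 07                                      ....
Flow lookup
No active flow found, enqueue to create session
"""

ENTRY_HDR = re.compile(r"^== (.+?) ==$")
STAGE_RE = re.compile(r"^Packet received at (\w+) stage")
IP_RE = re.compile(r"^IP:\s+(\d+\.\d+\.\d+\.\d+)->(\d+\.\d+\.\d+\.\d+), protocol (\d+)")
PORT_RE = re.compile(r"sport (\d+), dport (\d+)")
FLAGS_RE = re.compile(r"flags (0x[0-9a-f]+) \(([^)]*)\)")
# Lines that belong to the decoded dump rather than to a processing decision.
DUMP_LINE = re.compile(r"^(Packet|L2:|IP:|TCP:|UDP:|TCP option|[0-9a-f]{8}:)")

FlowKey = Tuple[str, int, str, int, int]


def parse_packet_diag(text: str) -> List[dict]:
    """Split pan_packet_diag.log into entries, one per '== time ==' header."""
    entries: List[dict] = []
    cur = None
    for line in text.splitlines():
        h = ENTRY_HDR.match(line)
        if h:
            cur = {"time": h[1], "stage": None, "src": None, "dst": None, "proto": None,
                   "sport": None, "dport": None, "flags": None, "notes": []}
            entries.append(cur)
            continue
        if cur is None:
            continue  # text before the first header
        s = STAGE_RE.match(line)
        if s:
            cur["stage"] = s[1]
            continue
        m = IP_RE.match(line)
        if m:
            cur["src"], cur["dst"], cur["proto"] = m[1], m[2], int(m[3])
            continue
        m = PORT_RE.search(line)
        if m:
            cur["sport"], cur["dport"] = int(m[1]), int(m[2])
        m = FLAGS_RE.search(line)
        if m:
            cur["flags"] = m[2].strip()
        # Assumption: an unindented line that is not part of the dump records a
        # processing decision ("Flow lookup", "No active flow found, ...").
        if line and not line[0].isspace() and not DUMP_LINE.match(line):
            cur["notes"].append(line.strip())
    return entries


def trail_by_flow(entries: List[dict]) -> Dict[FlowKey, List[str]]:
    """Stages each 5-tuple was seen at, in log order: the packet's navigation trail."""
    trails: Dict[FlowKey, List[str]] = {}
    for e in entries:
        key = (e["src"], e["sport"], e["dst"], e["dport"], e["proto"])
        trails.setdefault(key, []).append(e["stage"])
    return trails


def search(entries: List[dict], pattern: str) -> List[int]:
    """Indexes of entries whose decision notes contain pattern, case-sensitively,
    mirroring /<pattern> in less."""
    return [i for i, e in enumerate(entries) if any(pattern in n for n in e["notes"])]
```

On the sample, the SYN from 172.16.100.87:33987 to 172.16.101.100:21 is seen at the np stage and then the ingress stage, where the flow lookup finds no session and queues one for creation; searching for "Flow lookup" hits the second entry, while "flow lookup" hits nothing, which is the case-sensitivity caveat the note makes.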

Summary
PAN-OS 3.1 and later offers restructured packet-related diagnosis facilities. The improvements in global counters, filtering, debug logs and dataplane packet capture empower firewall administrators to troubleshoot issues with the device or the network.


Revision History

Date        Revision   Comment
9/3/2013    D          Update made in the Debug Dataplane Changes section. The command debug dataplane packet-diag aggregate-logs should be run after disabling the flow basic debugs.
8/21/2013   C          Added Exporting Management PCAPs in the Management PCAP section.
10/23/2012  B          Updated with PAN-OS 5.0 changes.
9/10/2011   A          First release of this document.
