
Packet Based Troubleshooting

Configuring packet captures and debug logs


Tech Note
PAN-OS 4.1 and later

Revision D

2013, Palo Alto Networks, Inc. www.paloaltonetworks.com

Contents
Overview
PAN-OS 5.0 updates
  Management PCAPs
    Viewing Management PCAPs
    Exporting Management PCAPs
  Debug Dataplane Changes
Packet filter, capture and debug logs
Section 1: Packet filters
  Configuring packet filters
  Filter match conditions
    Configuring packet filter match
    Viewing the packet filter
    Clearing a filter
    Pre-parse-match
Section 2: Packet captures
  Configuring packet capture-CLI
  Packet capture stage
  Trigger captures
  Capture file
  Viewing and deleting PCAP
  Clearing capture
  Configuring packet capture-Web Management
PCAP examples
  Case 1: Traffic without NAT
  Case 2: Traffic with Source NAT
Section 3: Debug log
  Configuring packet log
  Viewing debug log
  Clearing debug log file
Debug log example
Summary
Revision History


Overview
The purpose of this document is to provide background information on the PAN-OS 3.1 and later Packet Filtering, Capture and
Debug Log functionality, as well as the recommended workflow when using those features in problem diagnostics. The
commands covered in this document are applicable to all the hardware platforms.

PAN-OS 5.0 updates


Management PCAPs
PAN-OS 5.0 provides the ability to run TCPDUMP to monitor and capture traffic on the out-of-band management interface
on all hardware platforms.
TCPDUMP is run by typing the command tcpdump from the CLI.

admin@PA-200> tcpdump
Press Ctrl-C to stop capturing
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 68 bytes

A TCPDUMP filter can also be applied to limit the capture to specific traffic. The examples below show some of the common
filters:

tcpdump filter "port 443" - Captures traffic to destination port 443
tcpdump filter "not port 443" - Captures traffic to destination port not equal to 443
tcpdump filter "src host 10.1.1.9" - Captures traffic from source IP 10.1.1.9
tcpdump filter "src host not 10.1.1.9" - Captures traffic from source IP not equal to 10.1.1.9
tcpdump filter "src net 192.168.1.0/24 and port 443" - Captures traffic from source subnet 192.168.1.0/24 and port 443
tcpdump filter "src host 10.1.1.9 or 10.1.1.10" - Captures traffic from source IP 10.1.1.9 or 10.1.1.10
tcpdump filter "src host (10.1.1.9 or 10.1.1.10) and port 443" - Captures traffic from source IP 10.1.1.9 or 10.1.1.10 and destination port 443
tcpdump filter "proto 6 and port 443" - Captures all TCP traffic to destination port 443
tcpdump filter "proto 1 and src net 10.1.1.0/24" - Captures ICMP traffic from source network 10.1.1.0/24

Viewing Management PCAPS

The management PCAPs can be viewed using the view-pcap mgmt-pcap mgmt.pcap command. Every time TCPDUMP is
run, the old mgmt.pcap file is overwritten with the new packet capture.

admin@PA-200> view-pcap mgmt-pcap mgmt.pcap
18:49:54.757809 IP 10.1.1.9.50833 > 192.168.1.1.https: P 3878859509:3878860271(762) ack 3184641665 win 10073
18:49:54.757916 IP 192.168.1.1.https > 10.1.1.9.50833: . ack 762 win 501
18:49:54.797103 IP 192.168.1.1.https > 10.1.1.9.50833: P 1:486(485) ack 762 win 501
18:49:54.810471 IP 10.1.1.9.50833 > 192.168.1.1.https: P 762:1460(698) ack 486 win 9952
18:49:54.810530 IP 192.168.1.1.https > 10.1.1.9.50833: . ack 1460 win 501
18:49:54.867814 IP 192.168.1.1.https > 10.1.1.9.50833: P 486:971(485) ack 1460 win 501
18:49:54.873693 IP 10.1.1.9.50833 > 192.168.1.1.https: P 1460:2222(762) ack 971 win 10220
18:49:54.873760 IP 192.168.1.1.https > 10.1.1.9.50833: . ack 2222 win 501

Exporting Management PCAPs


Management PCAPs can be exported using SCP or TFTP. The syntax for using SCP and TFTP is shown below

scp export mgmt-pcap from mgmt.pcap to user@hostname:/path


tftp export mgmt-pcap from mgmt.pcap to <host>

Debug Dataplane Changes

1. On the PA-200 all debug logs are now stored in the file pan_task_1.log. To view the debug logs use the command tail follow
yes mp-log pan_task_1.log or less mp-log pan_task_1.log.
2. In PAN-OS 5.0 and later, you can run a command to aggregate the dataplane logs into one log file. After the debug
logs have been collected, disable the flow basic debug and then run the command debug dataplane packet-diag
aggregate-logs. This aggregates all dataplane logs into packet-diag, which is helpful on the PA-5000 Series where there
are multiple dataplanes: you can then view the logs collected from all of the dataplanes in one single file.
An example of enabling the debug log in PAN-OS 5.0 is shown below:

debug dataplane packet-diag clear log log
debug dataplane packet-diag set filter match source 172.16.100.87 destination 172.16.101.100 destination-port 21 protocol 6
debug dataplane packet-diag set filter on
debug dataplane packet-diag set log feature flow basic
debug dataplane packet-diag set log on

To aggregate the dataplane logs, disable the debug logs, wait about a minute to allow the logs to be fully written, and then
run debug dataplane packet-diag aggregate-logs. This combines the dataplane logs into a single file named pan_packet_diag.log.

Packet filter, capture and debug logs


In PAN-OS 3.1 and later, packet filtering, logging and packet capturing have been separated, and consequently the
configuration and operational commands are grouped under three distinct areas:
- Packet filter
- Packet capture
- Debug logs
All of these functions can be configured, viewed and cleared using the operational mode command
debug dataplane packet-diag

admin@PA-4050> debug dataplane packet-diag
> clear    Clear packet-related diagnosis parameters
> set      Set packet-related debugging parameters
> show     Show packet-related diagnosis information

This document is divided into the following sections:


1. Packet Filters
2. Packet Captures
3. Debug Logs

Section 1: Packet filters


Very seldom is there a single flow through the firewall at any given time. When trying to diagnose problems, it is important
to define filters to minimize the performance degradation and to ensure other extraneous data is not captured. PAN-OS
supports configuring packet filters to define interesting traffic. The packet filters can be applied to accomplish the following:
- Enable packet capture at multiple capturing points
- Track global counter changes
- Enable packet debug logging

Configuring packet filters


The debug dataplane packet-diag set filter command is used to turn packet filters on or off and to define their match conditions.

admin@PA-4050> debug dataplane packet-diag set filter
> match              specify debug filter
> off                Disable debug filter
> on                 Enable debug filter
> pre-parse-match    Match value for packet before parsing
The packet filter is enabled using the command debug dataplane packet-diag set filter on

Filter match conditions


Packet filters can be configured to match on the following options:
- Source and destination IP address
- Source and destination ports
- IP protocol
- Ingress interface
- Include, exclude or capture only non-IP
A maximum of four filters can be configured on the firewall. All the parameters within a filter must match a packet
for it to be captured. When multiple filters are configured, packets matching any of the packet filters will be captured.

Configuring packet filter match

The examples below show different packet filter match statements.

Match a source IP address:

admin@PA-4050> debug dataplane packet-diag set filter match source 1.1.1.5

Match source and destination IP address, destination port and IP protocol:

In this example all the parameters defined in the filter must match for the packet to be captured, i.e. the source IP,
destination IP, port and protocol in the packet must all match to trigger the filter.

admin@PA-4050> debug dataplane packet-diag set filter match source 1.1.1.5 destination 2.1.1.5 destination-port 80 protocol 6

Viewing the packet filter

The configured packet filters can be viewed using the command debug dataplane packet-diag show setting

admin@PA-4050> debug dataplane packet-diag show setting
------------------------------------------------------------------------
Packet diagnosis setting:
------------------------------------------------------------------------
Packet filter
  Enabled:                  yes
  Match pre-parsed packet:  no
  Index 1: 1.1.1.50[0]->0.0.0.0[0], proto 0
           ingress-interface any, egress-interface any, exclude non-IP
  Index 2: 1.1.1.5[0]->2.1.1.5[80], proto 6
           ingress-interface any, egress-interface any, exclude non-IP
------------------------------------------------------------------------
Logging
  Enabled:                  no
  Log-throttle:             no
  Aggregate-to-single-file: yes
  Features:
------------------------------------------------------------------------
Packet capture
  Enabled:                  no
------------------------------------------------------------------------

In the above example, there are two packet filters configured. The packets matching either one of the filters are captured.

Clearing a filter

The PAN-OS device supports up to four concurrently configured filters. Existing filters must be removed in order to configure new
filters. Filters are referenced by index number. To clear a filter use the command debug dataplane packet-diag clear filter

admin@PA-4050> debug dataplane packet-diag clear filter
  all              Delete all filters
  <value> <1-4>    Filter index
Note: The filters are not renumbered if a filter is cleared.

Pre-parse-match
The pre-parse-match option is added for advanced troubleshooting purposes. From the moment a packet enters the ingress port it
has to go through a number of processing steps before it gets parsed for a match against the pre-configured filters. Therefore, it is
entirely possible that a packet, due to some failure, never gets to the filtering stage. A typical example would be a route lookup: if
this fails, the packet will never reach the filter (although interface counters can be used to quickly identify this error condition).
Setting pre-parse-match emulates a positive match for every packet entering the system so we can capture even those packets
that don't make it to the filtering process. If a packet does manage to get through to the filtering stage, it is then processed
according to the filter configuration, and the match is discarded if the packet fails to meet the filtering criteria. By default
pre-parsed packets are not matched. To enable pre-parse match use the command

admin@PA-4050(active)> debug dataplane packet-diag set filter pre-parse-match yes

Section 2: Packet captures


PAN-OS supports capturing packets that can be analyzed later for troubleshooting, or for detecting unknown applications. Only
the packets that match the filters are captured. The PCAPs are stored locally on the device in a user-defined file. The PCAP file
can be viewed from the CLI or copied to an external host to view using a PCAP utility. The PCAPs have a 1% disk usage
quota with a minimum storage space size of 100MB for each type.

Configuring packet capture-CLI


To enable packet capture and to set the capture options use the operational mode command debug dataplane packet-diag set
capture.

admin@PA-4050> debug dataplane packet-diag set capture
> off        Disable debug capture
> on         Enable debug capture
> stage      Packet capture at processing stage
> trigger    Packet capture triggered by event
To enable packet capture use the command debug dataplane packet-diag set capture on

Packet capture stage


Packets can be captured at different packet processing stages. The user may specify capture PCAP file attributes for the following
points:

admin@PA-4050> debug dataplane packet-diag set capture stage
> drop        Drop stage
> firewall    Firewall stage
> receive     Receive stage
> transmit    Transmit stage

- drop: when packet processing encounters an error and the packet will be discarded
- firewall: the packet has a session match, or is a first packet with a session successfully created
- receive: the packet is received on the dataplane CPU
- transmit: the packet is to be transmitted on the dataplane CPU
The receive and transmit stage capture points are shown in the figure below.

[Figure: receive and transmit stage capture points]
A: First packet from a source host received by the firewall
B: First packet transmitted after processing
C: Response packet received. This is the response to the packet sent out in stage B
D: Response packet sent to the end host.
You can also define the maximum number of bytes to capture and the maximum number of packets to be captured for each stage.

Trigger captures
Packet capture is conditional for a given session: it starts when a triggering event occurs. Currently the only trigger event is
application, which means the capture is triggered when the application changes from one to another. For example, when a user accesses
gmail, the session starts off as web-browsing and then switches to gmail. It is possible to define the max byte count before
the filter stops capturing, and also the max packets to be captured. A packet match filter is required for the application trigger to
capture packets.

admin@PA-4050> debug dataplane packet-diag set capture trigger application
+ byte-count      Max. byte count before filter stops
+ packet-count    Max. packet count before filter stops
* file            Saved file name
* from            From application
* to              To application

Capture file

PCAPs are stored in the file defined by the user. Files can be defined for each packet capture stage and/or triggered capture.
Multiple stages for PCAP can be enabled simultaneously. The commands for setting the capture file are:

debug dataplane packet-diag set capture stage <drop/firewall/receive/transmit> file <file name>
debug dataplane packet-diag set capture trigger application from <application name> to <application name> file <file name>

Note: If you are capturing packets at different stages, it is recommended to have a separate PCAP file for each stage of the
capture.

Viewing and deleting PCAP

The PCAP file can be viewed using the command view-pcap. The command syntax is

view-pcap filter-pcap <file name>

You can view all the file names using ? in place of the filename.
The view-pcap command provides many options for viewing the PCAP. Some of the options include hex,
hex-ascii, no-dns-lookup and no-port-lookup. To view the complete option list, use ? as the first argument after view-pcap.
To view the PCAP with options use the following command:

view-pcap <option> yes filter-pcap <file name>

To view the pcap in real time use the command

view-pcap follow yes filter-pcap <file name>

The pcap file can also be exported to an external host to be viewed using any PCAP viewing utility. TFTP and SCP are the
supported methods.

scp export filter-pcap from <file name> to <username@host:path>


tftp export filter-pcap from <file name> to <destination IP>
Note: The PCAP file is created only when the traffic traverses the firewall.
To delete the PCAP files use the command

delete debug-filter file <file name>

Clearing capture
To clear the capture settings use the command debug dataplane packet-diag clear capture. More specific options to clear a particular
stage or trigger are also available.

admin@PA-4050> debug dataplane packet-diag clear capture
> all        all
> stage      Capture at processing stage
> trigger    Capture triggered by event

Configuring packet capture-Web Management


Starting with PAN-OS 4.0 packet capture can be configured from the Web management interface. In order to configure packet
capture, navigate to Monitor > Packet Capture.
You must first set the filters before enabling packet capture. To enable filtering, set Filtering to ON and click on Manage
Filters.

From the Capture Files section, set Capture to ON and click on Add to add a capture file and stage.
The PCAP file will be created when traffic traverses the firewall. PCAPs can be viewed from the right-hand pane of the PCAP
window.

PCAP examples

Case 1: Traffic without NAT

In this example, we capture packets for all FTP traffic from source 172.16.100.87 to destination 172.16.101.100.
The workflow for enabling PCAP is as follows:
1. Apply the packet filters for the source and destination
2. Enable the packet filter
3. Specify the packet capture stage and the file
4. Enable packet capture
5. Initiate traffic between the hosts
6. Disable packet capture
7. Analyze the PCAP

debug dataplane packet-diag set filter match source 172.16.100.87 destination 172.16.101.100 destination-port 21 protocol 6
debug dataplane packet-diag set filter on
debug dataplane packet-diag set capture stage firewall file ftp-pcap
debug dataplane packet-diag set capture on
- Initiate traffic
debug dataplane packet-diag set capture off

admin@PA-4050> view-pcap filter-pcap ftp-pcap
reading from file /opt/panlogs/session/pan/filters/ftp-pcap, link-type EN10MB (Ethernet)
22:25:59.892789 IP 172.16.100.87.44833 > 172.16.101.100.ftp: S 2264517141:2264517141(0) win 5840 <mss 1460,sackOK,timestamp 730886439 0,nop,wscale 7>
22:25:59.892980 IP 172.16.101.100.ftp > 172.16.100.87.44833: S 3138829586:3138829586(0) ack 2264517142 win 17520 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
22:25:59.893066 IP 172.16.100.87.44833 > 172.16.101.100.ftp: . ack 1 win 46 <nop,nop,timestamp 730886440 0>
22:25:59.895180 IP 172.16.101.100.ftp > 172.16.100.87.44833: P 1:43(42) ack 1 win 17520 <nop,nop,timestamp 6975543 730886440>
22:26:11.324835 IP 172.16.100.87.42430 > 172.16.101.100.carrius-rshell: S 2290456784:2290456784(0) win 5840 <mss 1460,sackOK,timestamp 730897872 0,nop,wscale 7>

Case 2: Traffic with Source NAT

In this example, we capture packets for all FTP traffic from source 172.16.100.87 to destination 172.16.101.100. The
source 172.16.100.87 is translated using dynamic-ip to the egress interface IP of 172.16.101.1. Packets are captured at the receive
stage, firewall stage and transmit stage, with each stage configured with its own PCAP file.

admin@PA-4050> debug dataplane packet-diag show setting
------------------------------------------------------------------------
Packet diagnosis setting:
------------------------------------------------------------------------
Packet filter
  Enabled:                  yes
  Match pre-parsed packet:  no
  Index 1: 172.16.100.87[0]->172.16.101.100[21], proto 6
           ingress-interface any, egress-interface any, exclude non-IP
------------------------------------------------------------------------
Logging
  Enabled:                  no
  Log-throttle:             no
  Aggregate-to-single-file: yes
  Features:
------------------------------------------------------------------------
Packet capture
  Enabled:                  yes
  Stage receive  : file ftp-rx byte-count 0 packet-count 0
  Stage firewall : file ftp-fw byte-count 0 packet-count 0
  Stage transmit : file ftp-tx byte-count 0 packet-count 0
------------------------------------------------------------------------

In the example the IP addresses and the port numbers of the packet are as shown:
                    Source IP/port        Destination IP/port
Original packet     172.16.100.87/32919   172.16.101.100/21
Translated packet   172.16.101.1/43828    172.16.101.100/21

When NAT is configured, it is important to note the source and destination IP addresses of the packet at the different capture
points.
Receive and firewall stage:
The receive and firewall stages always capture pre-NAT addresses.
The first packet received by the firewall will have source IP/port = 172.16.100.87/32919 and destination
IP/port = 172.16.101.100/21. This is the original packet.
The response packet will have source IP/port = 172.16.101.100/21 and destination IP/port = 172.16.101.1/43828. This is the original
response packet.
PCAP at receive stage
admin@PA-4050> view-pcap filter-pcap ftp-rx
reading from file /opt/panlogs/session/pan/filters/ftp-rx, link-type EN10MB (Ethernet)
17:42:03.364844 IP 172.16.100.87.32919 > 172.16.101.100.ftp: S 1269231740:1269231740(0) win 5840 <mss 1460,sackOK,timestamp 1059470370 0,nop,wscale 7>
17:42:03.366965 IP 172.16.101.100.ftp > 172.16.101.1.43828: S 3378337395:3378337395(0) ack 1269231741 win 17520 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
17:42:03.367102 IP 172.16.100.87.32919 > 172.16.101.100.ftp: . ack 3378337396 win 46 <nop,nop,timestamp 1059470374 0>
17:42:03.382249 IP 172.16.101.100.ftp > 172.16.101.1.43828: P 1:43(42) ack 1 win 17520 <nop,nop,timestamp 10260900 1059470374>
17:42:03.382756 IP 172.16.100.87.32919 > 172.16.101.100.ftp: . ack 43 win 46 <nop,nop,timestamp 1059470389 10260900>

PCAP at firewall stage
admin@PA-4050> view-pcap filter-pcap ftp-fw
reading from file /opt/panlogs/session/pan/filters/ftp-fw, link-type EN10MB (Ethernet)
17:42:03.365056 IP 172.16.100.87.32919 > 172.16.101.100.ftp: S 1269231740:1269231740(0) win 5840 <mss 1460,sackOK,timestamp 1059470370 0,nop,wscale 7>
17:42:03.367013 IP 172.16.101.100.ftp > 172.16.101.1.43828: S 3378337395:3378337395(0) ack 1269231741 win 17520 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
17:42:03.367152 IP 172.16.100.87.32919 > 172.16.101.100.ftp: . ack 3378337396 win 46 <nop,nop,timestamp 1059470374 0>
17:42:03.382293 IP 172.16.101.100.ftp > 172.16.101.1.43828: P 1:43(42) ack 1 win 17520 <nop,nop,timestamp 10260900 1059470374>

Transmit stage:
The transmit stage always captures post-NAT addresses.
The first packet transmitted by the firewall will have source IP/port = 172.16.101.1/43828 and destination
IP/port = 172.16.101.100/21, i.e. the translated packet.
The response packet transmitted by the firewall will have source IP/port = 172.16.101.100/21 and destination
IP/port = 172.16.100.87/32919. The destination IP of the response packet has been translated back to the original address.
PCAP at transmit stage
admin@PA-4050> view-pcap filter-pcap ftp-tx
reading from file /opt/panlogs/session/pan/filters/ftp-tx, link-type EN10MB (Ethernet)
17:42:03.365129 IP 172.16.101.1.43828 > 172.16.101.100.ftp: S 1269231740:1269231740(0) win 5840 <mss 1460,sackOK,timestamp 1059470370 0,nop,wscale 7>
17:42:03.367057 IP 172.16.101.100.ftp > 172.16.100.87.32919: S 3378337395:3378337395(0) ack 1269231741 win 17520 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
17:42:03.367196 IP 172.16.101.1.43828 > 172.16.101.100.ftp: . ack 3378337396 win 46 <nop,nop,timestamp 1059470374 0>
17:42:03.382689 IP 172.16.101.100.ftp > 172.16.100.87.32919: P 1:43(42) ack 1 win 17520 <nop,nop,timestamp 10260900 1059470374>
17:42:03.382816 IP 172.16.101.1.43828 > 172.16.101.100.ftp: . ack 43 win 46 <nop,nop,timestamp 1059470389 10260900>
17:42:03.383092 IP 172.16.101.1.43828 > 172.16.101.100.ftp: P 0:13(13) ack 43 win 46 <nop,nop,timestamp 1059470390 10260900>
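To make the stage comparison above mechanical, here is an added Python example (not from this tech note and not PAN-OS code) that parses view-pcap style lines from the receive-stage and transmit-stage files and reports the pre-NAT and post-NAT 4-tuples of the FTP session, then checks them against the rule that receive/firewall show pre-NAT addresses and transmit shows post-NAT. The sample lines are constructed from the Case 2 output, and the function names are this example's own.

```python
import re
from collections import namedtuple

# Constructed sample lines in the shape of the Case 2 view-pcap output:
# the first three packets of the receive-stage file (ftp-rx) and of the
# transmit-stage file (ftp-tx). Not an export from a real firewall.
RX_PCAP = """\
17:42:03.364844 IP 172.16.100.87.32919 > 172.16.101.100.ftp: S 1269231740:1269231740(0) win 5840 <mss 1460,sackOK,timestamp 1059470370 0,nop,wscale 7>
17:42:03.366965 IP 172.16.101.100.ftp > 172.16.101.1.43828: S 3378337395:3378337395(0) ack 1269231741 win 17520 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
17:42:03.367102 IP 172.16.100.87.32919 > 172.16.101.100.ftp: . ack 3378337396 win 46 <nop,nop,timestamp 1059470374 0>
"""
TX_PCAP = """\
17:42:03.365129 IP 172.16.101.1.43828 > 172.16.101.100.ftp: S 1269231740:1269231740(0) win 5840 <mss 1460,sackOK,timestamp 1059470370 0,nop,wscale 7>
17:42:03.367057 IP 172.16.101.100.ftp > 172.16.100.87.32919: S 3378337395:3378337395(0) ack 1269231741 win 17520 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
17:42:03.367196 IP 172.16.101.1.43828 > 172.16.101.100.ftp: . ack 3378337396 win 46 <nop,nop,timestamp 1059470374 0>
"""

Packet = namedtuple("Packet", "ts src sport dst dport flags seq")

# timestamp, "IP", src endpoint, ">", dst endpoint ":", TCP flags, optional "seq:seq(len)"
LINE_RE = re.compile(r"^(\S+) IP (\S+) > (\S+): (\S+) (?:(\d+):\d+\(\d+\))?")
# view-pcap prints service names for well-known ports unless no-port-lookup is set
SERVICE_PORTS = {"ftp": 21, "ftp-data": 20, "https": 443, "http": 80}


def split_endpoint(endpoint):
    """'172.16.101.100.ftp' -> ('172.16.101.100', 21); the port is the text after the last dot."""
    host, port = endpoint.rsplit(".", 1)
    return host, SERVICE_PORTS[port] if port in SERVICE_PORTS else int(port)


def parse_pcap_text(text):
    """Parse tcpdump/view-pcap style lines into Packet tuples, skipping anything else."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, dst, flags, seq = m.groups()
        src_host, src_port = split_endpoint(src)
        dst_host, dst_port = split_endpoint(dst)
        packets.append(Packet(ts, src_host, src_port, dst_host, dst_port, flags,
                              int(seq) if seq else None))
    return packets


def nat_view(rx_packets, tx_packets):
    """Pair the client SYN at the receive stage (pre-NAT) with the same SYN at the
    transmit stage (post-NAT). Source NAT rewrites addresses and ports but not the
    TCP sequence number, so the sequence number is the join key. Also record where
    each stage shows the server's SYN/ACK being delivered."""
    rx_syn = next(p for p in rx_packets if p.flags == "S")
    tx_syn = next(p for p in tx_packets if p.flags == "S" and p.seq == rx_syn.seq)
    rx_reply = next(p for p in rx_packets if p.flags == "S" and p.seq != rx_syn.seq)
    tx_reply = next(p for p in tx_packets if p.flags == "S" and p.seq != rx_syn.seq)
    return {
        "original": (rx_syn.src, rx_syn.sport, rx_syn.dst, rx_syn.dport),
        "translated": (tx_syn.src, tx_syn.sport, tx_syn.dst, tx_syn.dport),
        "reply_received_to": (rx_reply.dst, rx_reply.dport),
        "reply_sent_to": (tx_reply.dst, tx_reply.dport),
    }


def nat_consistent(view):
    """True when the stages agree with the tech note's rule: the reply arrives at the
    firewall addressed to the translated source and leaves addressed to the original."""
    return (view["reply_received_to"] == view["translated"][:2]
            and view["reply_sent_to"] == view["original"][:2])


if __name__ == "__main__":
    view = nat_view(parse_pcap_text(RX_PCAP), parse_pcap_text(TX_PCAP))
    for key, value in view.items():
        print(f"{key:>18}: {value}")
    print("consistent with pre/post NAT rule:", nat_consistent(view))
```

Feed it the output of scp export filter-pcap run through tcpdump -nn, or the view-pcap text itself, to confirm which capture point a stray address came from.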


Section 3: Debug log


The debug log provides a packet navigation trail through the various packet processing stages of the firewall. The default method
of capturing the debug log is to aggregate the logs to a single file, called pan_packet_diag.log. It is good practice to apply
packet filters to restrict the flows that are logged.

Configuring packet log


To enable packet logging and to set the log options use the operational mode command debug dataplane packet-diag set log.

admin@PA-4050> debug dataplane packet-diag set log
> feature       Enable feature/module to log
> log-option    Logging output options
> off           Disable debug logging
> on            Enable debug logging

To enable packet logging use the command debug dataplane packet-diag set log on
PAN-OS offers multiple features to log packets. Each feature can have sub-features where packets can be logged.

admin@PA-4050> debug dataplane packet-diag set log feature
> all       all
> appid     appid
> ctd       ctd
> flow      flow
> misc      misc
> module    module
> pow       pow
> proxy     proxy
> ssl       ssl
> tcp       tcp
> tunnel    tunnel
> zip       zip

admin@PA-4050> debug dataplane packet-diag set log feature flow
  ager       ager
  all        all
  arp        arp
  basic      basic
  ha         ha
  np         np
  receive    receive
The most commonly used feature for troubleshooting is flow basic. In PAN-OS 3.1, the default behavior is for all the
debug logs to be aggregated into a single file, pan_packet_diag.log.

Viewing debug log

The debug log can be viewed from the CLI using one of two commands:
- less
- tail
Note:
1. For the PA-5000 series of firewall the command to view the debug log is less dp0-log pan_packet_diag.log
2. For the PA-200 use the command less mp-log pan_packet_diag.log

The examples in this note are based on the PA-500/2000/4000 series of platforms.

less dp-log pan_packet_diag.log
- Displays all the contents of the debug file, starting at the beginning of the file.

tail dp-log pan_packet_diag.log
- Displays the last 10 lines of the debug file.
The tail command by default displays the last 10 lines of the debug file. To output the last N lines instead of the last 10, use the
command
tail lines <value> dp-log pan_packet_diag.log
where value is 1-65535.

To follow the debug log in real time:

tail follow yes dp-log pan_packet_diag.log

Clearing debug log file

It is good practice to clear the log before enabling debug to capture traffic. Log files can be cleared using the command:

debug dataplane packet-diag clear log log

Debug log example


In this example, we capture packets for all FTP traffic from source 172.16.100.87 to destination 172.16.101.100.
The workflow for enabling the debug log is as follows:
1. Apply the packet filters for the source and destination
2. Enable the packet filter
3. Specify the log feature
4. Clear the debug log file
5. Enable the debug log
6. Initiate traffic between the hosts
7. Disable debug
8. Analyze the logs

debug dataplane packet-diag set filter match source 172.16.100.87 destination 172.16.101.100 destination-port 21 protocol 6
debug dataplane packet-diag set filter on
debug dataplane packet-diag set log feature flow basic
debug dataplane packet-diag clear log log
debug dataplane packet-diag set log on
- Initiate traffic
debug dataplane packet-diag set log off

admin@PA-4050> less dp-log pan_packet_diag.log
== Jun 21 19:14:39 ==
Packet received at np stage
Packet info: len 74 port 16 interface 16
wqe index 229308 packet 0x0x8000000416fdc0e6
Packet decoded dump:
L2:
00:14:c1:4b:d8:f9->00:1b:17:14:4f:10, type 0x0800
IP:
172.16.100.87->172.16.101.100, protocol 6
version 4, ihl 5, tos 0x00, len 60,
id 30220, frag_off 0x4000, ttl 64, checksum 41683
TCP:
sport 33987, dport 21, seq 1819534672, ack 0,
reserved 0, offset 10, window 5840, checksum 27398,
flags 0x0002 ( SYN), urgent data 0
TCP option:
00000000: 02 04 05 b4 04 02 08 0a 3a 54 93 5c 00 00 00 00 ........:T.\....
00000010: 01 03 03 07                                     ....
== Jun 21 19:14:39 ==
Packet received at ingress stage
Packet info: len 74 port 16 interface 16
wqe index 229308 packet 0x0x8000000416fdc0e6
Packet decoded dump:
L2:
00:14:c1:4b:d8:f9->00:1b:17:14:4f:10, type 0x0800
IP:
172.16.100.87->172.16.101.100, protocol 6
version 4, ihl 5, tos 0x00, len 60,
id 30220, frag_off 0x4000, ttl 64, checksum 41683
TCP:
sport 33987, dport 21, seq 1819534672, ack 0,
reserved 0, offset 10, window 5840, checksum 27398,
flags 0x0002 ( SYN), urgent data 0
TCP option:
00000000: 02 04 05 b4 04 02 08 0a 3a 54 93 5c 00 00 00 00 ........:T.\....
00000010: 01 03 03 07                                     ....
Flow lookup
No active flow found, enqueue to create session
== Jun 21 19:14:39 ==


PAN-OS allows searching for specific keywords within the log by typing /<pattern>. Patterns are case sensitive. For example, to
see the route lookup in the above example you can type /Route
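As an added example (not from this tech note and not PAN-OS code), the Python below parses pan_packet_diag.log entries of the kind shown above into a per-packet trail keyed by wqe index, so the stages a packet reached and the flow-lookup notes can be read off without paging through the file with less. The log text is a constructed sample based on the excerpt above, and the function names are this example's own.

```python
import re
from collections import OrderedDict

# Constructed sample in the shape of the pan_packet_diag.log excerpt above: the two
# "flow basic" entries for the SYN with wqe index 229308, plus a constructed entry
# for a second connection (wqe index 229311, sport 33988). Not a real firewall log.
SAMPLE_LOG = r"""== Jun 21 19:14:39 ==
Packet received at np stage
Packet info: len 74 port 16 interface 16
wqe index 229308 packet 0x0x8000000416fdc0e6
Packet decoded dump:
L2:
00:14:c1:4b:d8:f9->00:1b:17:14:4f:10, type 0x0800
IP:
172.16.100.87->172.16.101.100, protocol 6
version 4, ihl 5, tos 0x00, len 60,
id 30220, frag_off 0x4000, ttl 64, checksum 41683
TCP:
sport 33987, dport 21, seq 1819534672, ack 0,
reserved 0, offset 10, window 5840, checksum 27398,
flags 0x0002 ( SYN), urgent data 0
TCP option:
00000000: 02 04 05 b4 04 02 08 0a 3a 54 93 5c 00 00 00 00 ........:T.\....
== Jun 21 19:14:39 ==
Packet received at ingress stage
wqe index 229308 packet 0x0x8000000416fdc0e6
IP:
172.16.100.87->172.16.101.100, protocol 6
TCP:
sport 33987, dport 21, seq 1819534672, ack 0,
flags 0x0002 ( SYN), urgent data 0
Flow lookup
No active flow found, enqueue to create session
== Jun 21 19:14:40 ==
Packet received at np stage
wqe index 229311 packet 0x0x8000000416fdc1a2
IP:
172.16.100.87->172.16.101.100, protocol 6
TCP:
sport 33988, dport 21, seq 1819540000, ack 0,
flags 0x0002 ( SYN), urgent data 0
"""

ENTRY_RE = re.compile(r"^== (.+) ==$")
STAGE_RE = re.compile(r"^Packet received at (\S+) stage")
WQE_RE = re.compile(r"^wqe index (\d+) packet (\S+)")
IP_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)->(\d+\.\d+\.\d+\.\d+), protocol (\d+)")
TCP_RE = re.compile(r"^sport (\d+), dport (\d+), seq (\d+), ack (\d+),")
FLAGS_RE = re.compile(r"^flags (0x[0-9a-f]+) \(\s*([^)]*)\)")
# Decoded-dump lines that carry nothing a trail needs (labels, header fields, hex rows, MACs).
DUMP_RE = re.compile(r"^(?:Packet info|Packet decoded dump|L2|IP|TCP|TCP option):"
                     r"|^(?:version|id|reserved) |^[0-9a-f]{8}: |^[0-9a-f]{2}(?::[0-9a-f]{2}){5}->")


def parse_entries(log_text):
    """Split the log at '== <time> ==' headers and extract the stage, wqe index,
    addresses, ports and TCP flags of each entry. Any line not recognised as part
    of the decoded dump is kept as a free-text note ('Flow lookup', ...)."""
    entries, cur = [], None
    for line in log_text.splitlines():
        line = line.rstrip()
        if m := ENTRY_RE.match(line):
            cur = {"time": m.group(1), "stage": None, "wqe": None, "notes": []}
            entries.append(cur)
        elif cur is None or not line:
            continue
        elif m := STAGE_RE.match(line):
            cur["stage"] = m.group(1)
        elif m := WQE_RE.match(line):
            cur["wqe"] = m.group(1)
        elif m := IP_RE.match(line):
            cur["src"], cur["dst"], cur["proto"] = m.group(1), m.group(2), int(m.group(3))
        elif m := TCP_RE.match(line):
            cur["sport"], cur["dport"] = int(m.group(1)), int(m.group(2))
        elif m := FLAGS_RE.match(line):
            cur["flags"] = m.group(2).split()
        elif not DUMP_RE.match(line):
            cur["notes"].append(line)
    return entries


def packet_trails(log_text):
    """Group entries by wqe index, which stays the same while one packet moves
    through the stages: returns {wqe: {flow, stages (in log order), notes}}."""
    trails = OrderedDict()
    for e in parse_entries(log_text):
        if e["wqe"] is None:
            continue
        t = trails.setdefault(e["wqe"], {"flow": None, "stages": [], "notes": []})
        if t["flow"] is None and "src" in e:
            t["flow"] = (e["src"], e.get("sport"), e["dst"], e.get("dport"), e["proto"])
        t["stages"].append(e["stage"])
        t["notes"].extend(e["notes"])
    return trails


if __name__ == "__main__":
    for wqe, trail in packet_trails(SAMPLE_LOG).items():
        print(f"wqe {wqe} flow {trail['flow']} stages {' -> '.join(trail['stages'])}")
        for note in trail["notes"]:
            print("   ", note)
```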

Summary
PAN-OS 3.1 and later offers restructured packet-related diagnosis facilities. The improvements in global counters,
filtering, debug logs and dataplane packet capture empower firewall administrators to troubleshoot issues with the device or
network.


Revision History

Date         Revision   Comment
9/3/2013     D          Update made in the Debug Dataplane Changes section. The command debug dataplane packet-diag
                        aggregate-logs should be run after disabling the flow basic debugs.
8/21/2013               Added Exporting Management PCAPs in the Management PCAP section.
10/23/2012              Updated with PAN-OS 5.0 changes.
9/10/2011               First release of this document.

