Tag Archives: Packet Capture

Don’t Trust Packet Captures on Firewalls

Packet Capture, , , ,

The other day, I was troubleshooting some network-related stuff, using the built-in Packet Capture on a Palo Alto Networks firewall. And while it did the job at a first glance, I stumbled upon some packets that were simply not correct, read: were not present on the Ethernet cable at all and/or were missing some content.

This proves again what the TAP vendors always claim: Don’t use internal packet captures / SPAN ports at all when you’re really serious about the truth. You MUST use network TAPs!

Continue reading Don’t Trust Packet Captures on Firewalls

Palo Packet Capture: Choosing the Right Filter

Memorandum, Packet Capture, Palo Alto Networks, , , , , , ,

Palo Alto firewalls have a nice packet capture feature. It enables you to capture packets as they traverse the firewall. While you might be familiar with the four stages that the Palo can capture (firewall, drop, transmit, receive), it’s sometimes hard to set the correct filter – especially when it comes to NAT scenarios. (At least it was hard for me…)

I am using the packet capture feature very often for scenarios in which the IP connections are in fact working (hence no problems at the tx/rx level nor on the security policy/profile) but where I want to verify certain details of the connection itself. I’m simply using the Palo as a capturing device here, similar to a SPAN port on a switch. (Yes, I’m aware of all disadvantages of not using a real TAP and a real capture device.) In the end, I want a single pcap which shows all relevant packets for a client-server connection, even if NAT is in place. Wireshark should be able to correlate the incoming/outgoing packets into a single TCP stream. Furthermore, I definitely want to use a filter to limit the amount of captured packets. This is how I’m doing it:

Continue reading Palo Packet Capture: Choosing the Right Filter