From the Capture Files section, set capture to ON and click "add" to add a capture file and stage. The PCAP file will be created when traffic traverses the firewall. PCAPs can be viewed from the right-hand pane of the PCAP window.

©2013, Palo Alto Networks, Inc. [10]
PCAP examples

Case 1: Traffic without NAT

In this example, we capture packets for all FTP traffic from source 172.16.100.87 to destination 172.16.101.100. The workflow for enabling PCAP is as follows:

1. Apply the packet filters for the source and destination
2. Enable the packet filter
3. Specify the packet capture stage and the file
4. Enable packet capture
5. Initiate traffic between the hosts
6. Disable packet capture
7. Analyze the PCAP

    debug dataplane packet-diag set filter match source 172.16.100.87 destination 172.16.101.100 destination-port 21 protocol 6
    debug dataplane packet-diag set filter on
    debug dataplane packet-diag set capture stage firewall file ftp-pcap
    debug dataplane packet-diag set capture on

Initiate traffic

    debug dataplane packet-diag set capture off

    > view-pcap filter-pcap ftp-pcap
    reading from file /opt/panlogs/session/pan/filters/ftp-pcap, link-type EN10MB (Ethernet)
    22:25:59.892789 IP 172.16.100.87.44833 > 172.16.101.100.ftp: S 2264517141:2264517141(0) win 5840 <mss 1460,sackOK,timestamp 730886439 0,nop,wscale 7>
    22:25:59.892980 IP 172.16.101.100.ftp > 172.16.100.87.44833: S 3138829586:3138829586(0) ack 2264517142 win 17520 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
    22:25:59.893066 IP 172.16.100.87.44833 > 172.16.101.100.ftp: . ack 1 win 46 <nop,nop,timestamp 730886440 0>
    22:25:59.895180 IP 172.16.101.100.ftp > 172.16.100.87.44833: P 1:43(42) ack 1 win 17520 <nop,nop,timestamp 6975543 730886440>
    22:26:11.324835 IP 172.16.100.87.42430 > 172.16.101.100.carrius-rshell: S 2290456784:2290456784(0) win 5840 <mss 1460,sackOK,timestamp 730897872 0,nop,wscale 7>

Case 2: Traffic with Source NAT

In this example, we capture packets for all FTP traffic from source 172.16.100.87 to destination 172.16.101.100. The source 172.16.100.87 is translated using dynamic-ip to the egress interface IP of 172.16.101.1. Packets are captured at the receive stage, the firewall stage and the transmit stage, with each stage configured with its own PCAP file.

    > debug dataplane packet-diag show setting
    -------------------------------------------------------------------------
    Packet diagnosis setting:
    -------------------------------------------------------------------------
    Packet filter
      Enabled:                   yes
      Match pre-parsed packet:   no
      Index 1: 172.16.100.87[0]->172.16.101.100[21], proto 6
               ingress-interface any, egress-interface any, exclude non-IP
    -------------------------------------------------------------------------
    Logging
      Enabled:                   no
      Log-throttle:              no
      Aggregate-to-single-file:  yes
      Features:
    -------------------------------------------------------------------------
    Packet capture
      Enabled:                   yes
      Stage receive  : file ftp-rx   byte-count 0 packet-count 0
      Stage firewall : file ftp-fw   byte-count 0 packet-count 0
      Stage transmit : file ftp-tx   byte-count 0 packet-count 0
    -------------------------------------------------------------------------

In the example, the IP addresses and port numbers of the packet are as shown:

                         Source IP/port         Destination IP/port
    Original packet      172.16.100.87/32919    172.16.101.100/21
    Translated packet    172.16.101.1/43828     172.16.101.100/21

When NAT is configured, it is important to note the source and destination IP addresses of the packet at the different capture points.

Receive and firewall stage: the receive and firewall stages always capture pre-NAT addresses.

The first packet received by the firewall will have source IP/port = 172.16.100.87/32919 and destination IP/port = 172.16.101.100/21. This is the original packet.

The response packet will have source IP/port = 172.16.101.100/21 and destination IP/port = 172.16.101.1/43828. This is the original response packet.
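As an added example (Python, not part of the Palo Alto Networks document), the following parses view-pcap lines in the tcpdump text format shown above, pairs each session-opening SYN seen pre-NAT in the receive-stage file with the post-NAT SYN in the transmit-stage file, and then predicts how a receive-stage packet (forward or reply) looks at the transmit stage. The sample lines are constructed to mirror Case 2; the port-name table and the pairing rule (same destination, source equal to the NAT egress IP, first unmatched SYN in order) are assumptions.

```python
import re
from typing import NamedTuple, Union

SERVICE_PORTS = {"ftp": 21}  # port names as view-pcap prints them; ftp is the only one needed here
LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>[\w-]+) > "
                     r"(?P<dst>[\d.]+)\.(?P<dport>[\w-]+): (?P<rest>.*)$")

class Packet(NamedTuple):
    ts: str
    src: str
    sport: Union[int, str]
    dst: str
    dport: Union[int, str]
    syn: bool  # bare SYN (no ack): the packet that opens a session
def _port(text):
    return int(text) if text.isdigit() else SERVICE_PORTS.get(text, text)

def parse_line(line):
    """One tcpdump-style line as printed by view-pcap -> Packet, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    syn = m["rest"].startswith("S ") and " ack " not in m["rest"]
    return Packet(m["ts"], m["src"], _port(m["sport"]), m["dst"], _port(m["dport"]), syn)

def build_nat_table(rx_lines, tx_lines, nat_ip):
    """Pair pre-NAT SYNs (receive stage) with post-NAT SYNs (transmit stage) -> {original: translated}."""
    tx_syns = [p for p in map(parse_line, tx_lines) if p and p.syn and p.src == nat_ip]
    table = {}
    for p in filter(None, map(parse_line, rx_lines)):
        if p.syn and p.src != nat_ip:
            for i, t in enumerate(tx_syns):
                if (t.dst, t.dport) == (p.dst, p.dport):
                    table[(p.src, p.sport)] = (t.src, t.sport)  # original src/port -> translated src/port
                    del tx_syns[i]  # each transmit-stage SYN belongs to one session only
                    break
    return table

def as_seen_at_transmit(p, table):
    """Forward traffic gets its source translated; the reply gets its destination restored to the original host."""
    fwd = table.get((p.src, p.sport))
    if fwd:
        return p._replace(src=fwd[0], sport=fwd[1])
    rev = {v: k for k, v in table.items()}.get((p.dst, p.dport))
    if rev:
        return p._replace(dst=rev[0], dport=rev[1])
    return p

# Constructed sample lines modelled on the page's Case 2 capture (not real firewall output).
RX_SAMPLE = ["22:30:01.100000 IP 172.16.100.87.32919 > 172.16.101.100.ftp: S 1:1(0) win 5840",
             "22:30:01.100500 IP 172.16.101.100.ftp > 172.16.101.1.43828: S 2:2(0) ack 2 win 17520"]
TX_SAMPLE = ["22:30:01.100100 IP 172.16.101.1.43828 > 172.16.101.100.ftp: S 1:1(0) win 5840",
             "22:30:01.100600 IP 172.16.101.100.ftp > 172.16.100.87.32919: S 2:2(0) ack 2 win 17520"]
```

Running `build_nat_table(RX_SAMPLE, TX_SAMPLE, "172.16.101.1")` yields the single mapping from 172.16.100.87/32919 to 172.16.101.1/43828, and `as_seen_at_transmit` applied to the receive-stage reply restores the destination to 172.16.100.87/32919, matching the pre-NAT/post-NAT view the text describes.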