paloaltonetworks:troubleshooting:packet_captures
Differences
This shows you the differences between two versions of the page.
| Next revision | Previous revision | ||
| paloaltonetworks:troubleshooting:packet_captures [2020/05/19 09:40] – created bstafford | paloaltonetworks:troubleshooting:packet_captures [2022/11/23 12:49] (current) – external edit 127.0.0.1 | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== Packet Captures ====== | ====== Packet Captures ====== | ||
| + | ===== Packet Capture Types ===== | ||
| + | |||
| + | * RX - Pre-decryption, | ||
| + | * FW - Post-decryption, | ||
| + | * TX - Post-decryption, | ||
| + | * DR - Dropped packets | ||
| + | |||
| + | Putting RX and TX into the same file will, if NAT is involved, result in the packet capture putting both the pre-NAT packet and the post-NAT packet in the PCAP. Including the FW stream will result in duplicate errors as it will clash with RX. | ||
| + | |||
| + | I've seen drops recorded when a packet was tranmisted and then a routing loop pushed the packet straight back at the firewall. So the packet was shown in TX and DR. | ||
| + | |||
| + | ===== Packet Capture IP Style ===== | ||
| + | NAT affects what IP you should put in the packet capture filter. | ||
| + | |||
| + | I've noticed that you don't really need to put the reverse stream into the capture. Just source and destination will end up capturing both c2s and s2c streams of the traffic flow. An exception may be sesssions that can be bi-directional like IKE on udp-500. | ||
| + | |||
| + | In the following example there are two devices | ||
| + | 10.2.2.22 | ||
| + | 10.3.3.33 | ||
| + | |||
| + | Client 10.2.2.22 will try to access server 10.3.3.33. However, client 10.2.2.22 will source NAT behind 192.168.2.22 and will try and access the sever on IP 192.168.3.33 which is then destination NAT'd to 10.3.3.33. | ||
| + | |||
| + | In the example below, we have | ||
| + | * actual client (pre-NAT client) | ||
| + | * actual server (post-NAT server) | ||
| + | * fake client | ||
| + | * fake server (pre-NAT server) | ||
| + | |||
| + | |||
| + | If we capture with no IP filter, we get | ||
| + | * rx | ||
| + | * c2s actual client to fake server | ||
| + | * s2c actual server to fake client | ||
| + | * fw | ||
| + | * c2s actual client to fake server | ||
| + | * s2c actual server to fake client | ||
| + | * tx | ||
| + | * c2s fake client to actual server | ||
| + | * s2c fake server to actual client | ||
| + | |||
| + | If we filter by IP | ||
| + | * 10.2.2.22 > 10.3.3.33 doesn' | ||
| + | * 192.168.2.22 > 192.168.3.33 doesn' | ||
| + | |||
| + | However | ||
| + | * 10.2.2.22 > 192.168.3.33 works | ||
| + | * rx | ||
| + | * c2s actual client to fake server | ||
| + | * s2c actual server to fake client | ||
| + | * fw | ||
| + | * c2s actual client to fake server | ||
| + | * s2c none (nothing captured) | ||
| + | * tx | ||
| + | * c2s none (nothing captured) | ||
| + | * s2c fake server to actual client | ||
| + | |||
| + | Also | ||
| + | * 192.168.2.22 > 10.3.3.33 works | ||
| + | * rx | ||
| + | * c2s actual client to fake server | ||
| + | * s2c actual server to fake client | ||
| + | * fw | ||
| + | * c2s none (nothing captured) | ||
| + | * s2c actual server to fake client | ||
| + | * tx | ||
| + | * c2s fake client to actual server | ||
| + | * s2c none (nothing captured) | ||
| + | |||
| + | If you set the capture to have two filters | ||
| + | * 10.2.2.22 > 192.168.3.33 | ||
| + | * 192.168.2.22 > 10.3.3.33 | ||
| + | * rx | ||
| + | * c2s actual client to fake server | ||
| + | * s2c actual server to fake client | ||
| + | * fw | ||
| + | * c2s actual client to fake server | ||
| + | * s2c actual server to fake client | ||
| + | * tx | ||
| + | * c2s fake client to actual server | ||
| + | * s2c fake server to actual client | ||
| + | |||
| + | Conclusions for double NAT'd traffic: | ||
| + | * Capturing " | ||
| + | * Capturing " | ||
| + | |||
| + | If you have destination NAT only | ||
| + | where 10.2.2.22 connects to 192.158.3.33 which is D-NAT' | ||
| + | |||
| + | |||
| + | * 10.2.2.22 > 192.168.3.33 works | ||
| + | * rx | ||
| + | * c2s actual client to fake server | ||
| + | * s2c actual server to actual client | ||
| + | * fw | ||
| + | * c2s actual client to fake server | ||
| + | * s2c none (nothing captured) | ||
| + | * tx | ||
| + | * c2s none (nothing captured) | ||
| + | * s2c fake server to actual client | ||
| + | |||
| + | Also | ||
| + | * 10.2.2.22 > 10.3.3.33 works | ||
| + | * rx | ||
| + | * c2s actual client to fake server | ||
| + | * s2c actual server to actual client | ||
| + | * fw | ||
| + | * c2s none (nothing captured) | ||
| + | * s2c actual server to actual client | ||
| + | * tx | ||
| + | * c2s actual client to actual server | ||
| + | * s2c none (nothing captured) | ||
| + | |||
| + | If you set the capture to have two filters | ||
| + | |||
| + | * 10.2.2.22 > 192.168.3.33 | ||
| + | * 10.2.2.22 > > 10.3.3.33 | ||
| + | * rx | ||
| + | * c2s actual client to fake server | ||
| + | * s2c actual server to actual client | ||
| + | * fw | ||
| + | * c2s actual client to fake server | ||
| + | * s2c actual server to actual client | ||
| + | * tx | ||
| + | * c2s actual client to actual server | ||
| + | * s2c fake server to actual client | ||
| + | |||
| + | |||
| + | If you have Source NAT only | ||
| + | where 10.2.2.22 connects to 10.3.3.33 and S-NAT' | ||
| + | |||
| + | |||
| + | * 10.2.2.22 > 10.3.3.33 works | ||
| + | * rx | ||
| + | * c2s actual client to actual server | ||
| + | * s2c actual client to actual server | ||
| + | * fw | ||
| + | * c2s actual client to actual server | ||
| + | * s2c actual client to actual server | ||
| + | * tx | ||
| + | * c2s actual client to actual server | ||
| + | * s2c actual client to actual server | ||
| + | |||
| + | Also | ||
| + | * 192.168.2.22 > 10.3.3.33 doesn' | ||
| ===== Data Plane Packet Capture ===== | ===== Data Plane Packet Capture ===== | ||
paloaltonetworks/troubleshooting/packet_captures.1589881256.txt.gz · Last modified: (external edit)