paloaltonetworks:troubleshooting:packet_captures

Differences

This shows you the differences between two versions of the page.

paloaltonetworks:troubleshooting:packet_captures [2022/01/27 19:39] bstafford
paloaltonetworks:troubleshooting:packet_captures [2022/11/23 12:49] (current) – external edit 127.0.0.1
Line 6: Line 6:
   * TX - Post-decryption, post-NAT   * TX - Post-decryption, post-NAT
   * DR - Dropped packets    * DR - Dropped packets 
 +
 +Putting RX and TX into the same file will, if NAT is involved, result in the packet capture putting both the pre-NAT packet and the post-NAT packet in the PCAP. Including the FW stream will result in duplicate errors as it will clash with RX.
  
 I've seen drops recorded when a packet was tranmisted and then a routing loop pushed the packet straight back at the firewall. So the packet was shown in TX and DR. I've seen drops recorded when a packet was tranmisted and then a routing loop pushed the packet straight back at the firewall. So the packet was shown in TX and DR.
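Review bot: the added paragraph says the FW stream "will clash with RX" and cause "duplicate errors" without saying what clashes or what the errors are. The per-stage lists added further down this diff show rx and fw both recording the same pre-NAT c2s packet ("actual client to fake server"), so the point is that one packet lands twice in a single file and the viewer reports it as a duplicate; suggest stating that, and recommending one file per stage when the aim is to compare pre-NAT and post-NAT addresses. The unchanged context line still reads "tranmisted", worth correcting while here.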
Line 79: Line 81:
     * s2c fake server to actual client     * s2c fake server to actual client
  
-Conclusions:+Conclusions for double NAT'd traffic:
   * Capturing "recieved" traffic is easy.   * Capturing "recieved" traffic is easy.
   * Capturing "firewalled" and "transmitted" traffic that included both directions of traffic flow requires you to include two filters, the pre-NAT IP address and the post-NAT IP addresses   * Capturing "firewalled" and "transmitted" traffic that included both directions of traffic flow requires you to include two filters, the pre-NAT IP address and the post-NAT IP addresses
 +
 +If you have destination NAT only
 +where 10.2.2.22 connects to 192.158.3.33 which is D-NAT'd to 10.3.3.33, then
 +
 +
 +  * 10.2.2.22 > 192.168.3.33 works
 +  * rx
 +    * c2s actual client to fake server
 +    * s2c actual server to actual client
 +  * fw
 +    * c2s actual client to fake server
 +    * s2c none (nothing captured)
 +  * tx
 +    * c2s none (nothing captured)
 +    * s2c fake server to actual client
 +
 +Also
 +  * 10.2.2.22 > 10.3.3.33 works
 +  * rx
 +    * c2s actual client to fake server
 +    * s2c actual server to actual client
 +  * fw
 +    * c2s none (nothing captured)
 +    * s2c actual server to actual client
 +  * tx
 +    * c2s actual client to actual server
 +    * s2c none (nothing captured)
 +
 +If you set the capture to have two filters
 +
 +  * 10.2.2.22 > 192.168.3.33
 +  * 10.2.2.22 > > 10.3.3.33
 +  * rx
 +    * c2s actual client to fake server
 +    * s2c actual server to actual client
 +  * fw
 +    * c2s actual client to fake server
 +    * s2c actual server to actual client
 +  * tx
 +    * c2s actual client to actual server
 +    * s2c fake server to actual client
 +
 +
 +If you have Source NAT only
 +where 10.2.2.22 connects to 10.3.3.33 and S-NAT's behind 192.168.2.22, then
 +
 +
 +  * 10.2.2.22 > 10.3.3.33 works
 +  * rx
 +    * c2s actual client to actual server
 +    * s2c actual client to actual server
 +  * fw
 +    * c2s actual client to actual server
 +    * s2c actual client to actual server
 +  * tx
 +    * c2s actual client to actual server
 +    * s2c actual client to actual server
 +
 +Also
 +  * 192.168.2.22 > 10.3.3.33 doesn't work
  
 ===== Data Plane Packet Capture ===== ===== Data Plane Packet Capture =====
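Review bot: the Source NAT lists look copy-pasted from the c2s rows: all three s2c entries read "actual client to actual server", which is the c2s direction, and the tx c2s entry shows the untranslated source even though the stage definition earlier in this diff says TX is post-NAT and the D-NAT section's tx s2c row does show the translated address ("fake server to actual client"). Either re-check those rows (tx c2s would be expected as fake client 192.168.2.22 to actual server, and the s2c rows reversed) or explain why S-NAT behaves differently; the closing line "192.168.2.22 > 10.3.3.33 doesn't work" hinges on this. Two typos as well: "192.158.3.33" in the D-NAT intro should be 192.168.3.33 to match the filter lines, and "10.2.2.22 > > 10.3.3.33" has a doubled ">".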
paloaltonetworks/troubleshooting/packet_captures.1643312393.txt.gz · Last modified: (external edit)