Differences

This shows you the differences between two versions of the page.

--- paloaltonetworks:troubleshooting:packet_captures [2022/01/27 22:35] – [Packet Capture IP Style] bstafford
+++ paloaltonetworks:troubleshooting:packet_captures [2022/11/23 12:49] (current) – external edit 127.0.0.1
@@ Line 6: / Line 6: @@
   * TX - Post-decryption, post-NAT
   * DR - Dropped packets
+Putting RX and TX into the same file will, if NAT is involved, result in the packet capture putting both the pre-NAT packet and the post-NAT packet in the PCAP. Including the FW stream will result in duplicate errors as it will clash with RX.
 I've seen drops recorded when a packet was tranmisted and then a routing loop pushed the packet straight back at the firewall. So the packet was shown in TX and DR.
@@ Line 114: / Line 116: @@
   * 10.2.2.22 > 192.168.3.33
   * 10.2.2.22 > > 10.3.3.33
-    rx
+  * rx
-        c2s actual client to fake server
+    * c2s actual client to fake server
-        s2c actual server to actual client
+    * s2c actual server to actual client
-    fw
+  * fw
-        c2s actual client to fake server
+    * c2s actual client to fake server
-        s2c actual server to actual client
+    * s2c actual server to actual client
-    tx
+  * tx
-        c2s actual client to actual server
+    * c2s actual client to actual server
-        s2c fake server to actual client
+    * s2c fake server to actual client
+If you have Source NAT only
+where 10.2.2.22 connects to 10.3.3.33 and S-NAT's behind 192.168.2.22, then
+  * 10.2.2.22 > 10.3.3.33 works
+  * rx
+    * c2s actual client to actual server
+    * s2c actual client to actual server
+  * fw
+    * c2s actual client to actual server
+    * s2c actual client to actual server
+  * tx
+    * c2s actual client to actual server
+    * s2c actual client to actual server
+Also
+  * 192.168.2.22 > 10.3.3.33 doesn't work
 ===== Data Plane Packet Capture =====