Take a Packet Capture for Unknown Applications
Table of Contents
Take a Packet Capture for Unknown Applications
Palo Alto Networks firewalls automatically
generate a packet capture for sessions that contain an application
that it cannot identify. Typically, the only applications that are
classified as unknown traffic—tcp, udp or non-syn-tcp—are commercially
available applications that do not yet have App-ID signatures, are
internal or custom applications on your network, or potential threats. You
can use these packet captures to gather more context related to
the unknown application or use the information to analyze the traffic
for potential threats. You can also Manage Custom or Unknown Applications by
controlling them through security policy or by writing a custom
application signature and creating a security rule based on the
custom signature. If the application is a commercial application,
you can submit the packet capture to Palo Alto Networks to have
an App-ID signature created.
- Verify that unknown application packet capture
is enabled. This option is on by default.
- To view the unknown application capture
setting, run the following CLI command:
admin@PA-220>show running application setting | match “Unknown capture” - If the unknown capture setting option is off, enable
it:
admin@PA-220>set application dump-unknown yes
- To view the unknown application capture
setting, run the following CLI command:
- Locate unknown application by filtering the traffic logs.
- Select .
- Click Add Filter and select
the filters as shown in the following example.
![]()
- Click Add and Apply Filter.
- Click the packet capture icon to view the packet capture or Export it to your local system.
![]()
![]()
