{"id":600,"date":"2015-10-01T11:08:05","date_gmt":"2015-10-01T16:08:05","guid":{"rendered":"http:\/\/www.echorequest.com\/?p=600"},"modified":"2015-10-01T11:08:40","modified_gmt":"2015-10-01T16:08:40","slug":"palo-alto-searching-for-arps","status":"publish","type":"post","link":"https:\/\/www.echorequest.com\/?p=600","title":{"rendered":"Palo-Alto searching for Arps…"},"content":{"rendered":"

Logging traffic for global counters<\/h3>\n

If you need GUI Tutorial goto Palo Alto page:
\nhttps:\/\/live.paloaltonetworks.com\/docs\/DOC-3199<\/a><\/p>\n

1. Lets look for a drop or error counter that currently counts bad packets<\/h4>\n

This is an example with arp protocol. we are looking for some arp issues. Thats a tipical problem on networks\u2026<\/p>\n

\n\n\n\n
\n
> show counter global filter value non-zero delta yes | match arp\r\n<\/strong>\r\nflow_fwd_l3_noarp                          5        0 drop      flow      forward   Packets dropped: no ARP  ----- HERE 5 bad packets!!! Look for it.\r\nflow_arp_pkt_rcv                         468       47 info      flow      arp       ARP packets received\r\nflow_arp_pkt_xmt                           2        0 info      flow      arp       ARP packets transmitted\r\nflow_arp_pkt_replied                     175       17 info      flow      arp       ARP requests replied\r\nflow_arp_pkt_learned                       2        0 info      flow      arp       ARP entry learned\r\nflow_arp_rcv_gratuitous                   10        1 info      flow      arp       Gratuitous ARP packets received\r\nflow_arp_resolve_xmt                       2        0 info      flow      arp       ARP resolution packets transmitted\r\n<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
2. Activate the log for that specific counter<\/h4>\n
<\/p>\n
\n\n\n\n
\n
> debug dataplane packet-diag set log counter flow_fwd_l3_noarp<\/strong>\r\n> debug dataplane packet-diag set filter pre-parse-match yes<\/strong>\r\n# Thats what we did\r\n> debug dataplane packet-diag show setting<\/strong> \r\n--------------------------------------------------------------------------------\r\nPacket diagnosis setting:\r\n--------------------------------------------------------------------------------\r\nPacket filter\r\n  Enabled:                   no\r\n  Match pre-parsed packet:   yes            \r\n--------------------------------------------------------------------------------\r\nLogging\r\n  Enabled:                   no\r\n  Log-throttle:              no\r\n  Sync-log-by-ticks:         yes            \r\n  Features:\r\n  Counters:\r\n    flow_fwd_l3_noarp              drop      Packets dropped: no ARP\r\n--------------------------------------------------------------------------------\r\nPacket capture\r\n  Enabled:                   no\r\n  Snaplen:                   0            \r\n--------------------------------------------------------------------------------\r\n<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
3. Find the timestamps with the logged drops for the specific counter<\/h4>\n
You can see in the outpit 4 times in one second at 2015\/01\/13 16:29:44.<\/p>\n
\n\n\n\n
\n
> show log system | match flow_fwd_l3_noarp<\/strong>\r\n2015\/01\/13 16:29:05 info     general        general 0  counter flow_fwd_l3_noarp=753176\r\n2015\/01\/13 16:29:05 info     general        general 0  counter flow_fwd_l3_noarp=753177\r\n2015\/01\/13 16:29:06 info     general        general 0  counter flow_fwd_l3_noarp=753178\r\n2015\/01\/13 16:29:06 info     general        general 0  counter flow_fwd_l3_noarp=753178\r\n2015\/01\/13 16:29:06 info     general        general 0  counter flow_fwd_l3_noarp=753178\r\n2015\/01\/13 16:29:06 info     general        general 0  counter flow_fwd_l3_noarp=753178\r\n2015\/01\/13 16:29:06 info     general        general 0  counter flow_fwd_l3_noarp=722221\r\n2015\/01\/13 16:29:06 info     general        general 0  counter flow_fwd_l3_noarp=753179\r\n2015\/01\/13 16:29:23 info     general        general 0  counter flow_fwd_l3_noarp=753180\r\n2015\/01\/13 16:29:23 info     general        general 0  counter flow_fwd_l3_noarp=722222\r\n2015\/01\/13 16:29:23 info     general        general 0  counter flow_fwd_l3_noarp=753181\r\n2015\/01\/13 16:29:24 info     general        general 0  counter flow_fwd_l3_noarp=753182\r\n2015\/01\/13 16:29:24 info     general        general 0  counter flow_fwd_l3_noarp=722223\r\n2015\/01\/13 16:29:44 info     general        general 0  counter flow_fwd_l3_noarp=722224 --------4 times in one second!!!\r\n2015\/01\/13 16:29:44 info     general        general 0  counter flow_fwd_l3_noarp=753183\r\n2015\/01\/13 16:29:44 info     general        general 0  counter flow_fwd_l3_noarp=753184\r\n2015\/01\/13 16:29:44 info     general        general 0  counter flow_fwd_l3_noarp=753185\r\n2015\/01\/13 16:29:45 info     general        general 0  counter flow_fwd_l3_noarp=722225\r\n2015\/01\/13 16:29:57 info     general        general 0  counter flow_fwd_l3_noarp=722226\r\n2015\/01\/13 16:29:58 info     general        general 0  counter flow_fwd_l3_noarp=753186\r\n2015\/01\/13 16:29:58 info     general        general 0  counter flow_fwd_l3_noarp=722227\r\n2015\/01\/13 16:29:58 info     general        general 0  counter flow_fwd_l3_noarp=753187\r\n2015\/01\/13 16:29:58 info     general        general 0  counter flow_fwd_l3_noarp=722228\r\n2015\/01\/13 16:29:59 info     general        general 0  counter flow_fwd_l3_noarp=753188\r\n...\r\n<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
4. We have a timestamp we can start to find the complete entries<\/h4>\n
Look for the log at 2015\/01\/13 16:29:44<\/p>\n
\n\n\n\n
\n
> show log system start-time equal 2015\/01\/13@16:29:44<\/strong>\r\nTime                Severity Subtype Object EventID ID Description\r\n===============================================================================\r\n2015\/01\/13 16:29:44 info     dhcp           lease-e 0  DHCP lease ended ip 192.168.10.107 --> mac 64:76:ba:9e:36:d0, interface ethernet1\/4.\r\n108\r\n2015\/01\/13 16:29:44 info     general        general 0  counter flow_fwd_l3_noarp=722224\r\n192.168.8.250[29704]-->192.168.10.107[1]\r\nsess id 50530Packet info: len 102 port 19 tag 0 interface 260\r\nIP:     192.168.8.250->192.168.10.107, pro\r\n2015\/01\/13 16:29:44 info     general        general 0  counter flow_fwd_l3_noarp=753183\r\n192.168.8.250[29704]-->192.168.10.107[2]\r\nsess id 61728Packet info: len 102 port 19 tag 0 interface 260\r\nIP:     192.168.8.250->192.168.10.107, pro\r\n2015\/01\/13 16:29:44 info     general        general 0  counter flow_fwd_l3_noarp=753184\r\n192.168.8.250[29704]-->192.168.10.107[3]\r\nsess id 33643Packet info: len 102 port 19 tag 0 interface 260\r\nIP:     192.168.8.250->192.168.10.107, pro\r\n2015\/01\/13 16:29:44 info     general        general 0  counter flow_fwd_l3_noarp=753185\r\n192.168.8.250[29704]-->192.168.10.107[4]\r\nsess id 12976Packet info: len 102 port 19 tag 0 interface 260\r\nIP:     192.168.8.250->192.168.10.107, pro\r\n....\r\n<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
There we go. the ARP for 192.168.10.107 has disappeared, the packets cannot be forwarded\u2026 That was the reason for the counter value. We have catch that! \ud83d\ude42<\/p>\n
5. Delete your filter and set back to default<\/h4>\n
It is important to have a clear state for the next issue.<\/p>\n
\n\n\n\n
\n
> debug dataplane packet-diag clear all<\/strong>\r\nPacket diagnosis setting set to default.\r\n\r\n> debug dataplane packet-diag show setting<\/strong>\r\n--------------------------------------------------------------------------------\r\nPacket diagnosis setting:\r\n--------------------------------------------------------------------------------\r\nPacket filter\r\n  Enabled:                   no\r\n  Match pre-parsed packet:   no            \r\n--------------------------------------------------------------------------------\r\nLogging\r\n  Enabled:                   no\r\n  Log-throttle:              no\r\n  Sync-log-by-ticks:         yes            \r\n  Features:\r\n  Counters:\r\n--------------------------------------------------------------------------------\r\nPacket capture\r\n  Enabled:                   no\r\n  Snaplen:                   0            \r\n--------------------------------------------------------------------------------\r\n<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
Done…<\/p>\n","protected":false},"excerpt":{"rendered":"
Logging traffic for global counters If you need GUI Tutorial goto Palo Alto page: https:\/\/live.paloaltonetworks.com\/docs\/DOC-3199 1. Lets look for a drop or error counter that currently counts bad packets This is an example with arp protocol. we are looking for some arp issues. Thats a tipical problem on networks\u2026 > show counter global filter value […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[],"class_list":["post-600","post","type-post","status-publish","format-standard","hentry","category-geek","post-preview"],"_links":{"self":[{"href":"https:\/\/www.echorequest.com\/index.php?rest_route=\/wp\/v2\/posts\/600","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.echorequest.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.echorequest.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.echorequest.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.echorequest.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=600"}],"version-history":[{"count":2,"href":"https:\/\/www.echorequest.com\/index.php?rest_route=\/wp\/v2\/posts\/600\/revisions"}],"predecessor-version":[{"id":602,"href":"https:\/\/www.echorequest.com\/index.php?rest_route=\/wp\/v2\/posts\/600\/revisions\/602"}],"wp:attachment":[{"href":"https:\/\/www.echorequest.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=600"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.echorequest.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=600"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.echorequest.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=600"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}