How to capture packets on High-End SRX devices

Juniper KB21563


This article provides a solution to the issue faced by most customers where they are unable to perform a packet capture on High-End devices and then read the file with third-party software.

Problem or Goal:

This article summarizes the procedure for capturing packets on a High-End SRX device. It applies to the following devices:

  • SRX1400
  • SRX3400
  • SRX3600
  • SRX5600
  • SRX5800

For information on obtaining packet-captures on branch devices, refer to KB11709 – [SRX] How to Create a PCAP packet capture on a J-Series or SRX Branch device.

Note: This can also be applied to High-End Chassis Clusters.


To obtain packet capture on High-End SRX devices, perform the following procedure:

  1. Configure the datapath-debug on the device under the hierarchy: [edit security datapath-debug].
  2. Based on the exact requirements, you may need to trace only a certain type of traffic, which can be configured using packet-filters.
  3. Specify the maximum capture size (this is the maximum size captured per packet).
  4. Create an action-profile to specify where, inside the device, the packets will be captured (e.g., LBT, MAC-ingress, and so on).
  5. Reference the previously created action-profile inside the configured packet-filter.
  6. Specify the name of the capture-file (the file which will contain the captured packets).

Sample Configuration:

root> show configuration security datapath-debug | no-more
traceoptions {
    file debugtrace;
}
capture-file datapcap format pcap;
maximum-capture-size 1500;
action-profile {
    flowtrace {
        event pot {
            packet-dump;
        }
        event lbt {
            packet-dump;
        }
    }
}
packet-filter filter1 {
    action-profile flowtrace;
    protocol icmp;
}

  • In the above config, only the most relevant portions required for the solution are provided.
  • Packets will be dumped in the capture-file, only during processing in POT and LBT threads as per the above config.

Procedure for obtaining the captured packets:

After the config has been placed, remember to start the datapath-debug in the device. It does not start by itself.

To start the debug:

root> request security datapath-debug capture start

To stop the debug:

root> request security datapath-debug capture stop

Note:

  • Remember to stop the debug after you are done capturing data. If you attempt to open the capture files without stopping the debug, the files obtained cannot be opened through any third-party software.
  • After the captures have been done, you will be able to view the packets on the CLI in HEX format using the command:

root> show security datapath-debug capture

If you would like to view the captured files in any third-party software (e.g., tcpdump, Wireshark), then you will need to remove certain fields in each of the packets. The command is:

root@% e2einfo -Ccapture -Snormalize -I datapcap -F datapcap.pcap
sucessfully convert 124 packets

Note: The above command must be run from the shell, inside the ‘/var/log’ directory. Here, the capture file that was configured under ‘security datapath-debug’ is named ‘datapcap’, and the packets in it are extracted to the file ‘datapcap.pcap’.
The files containing the captured data are under ‘/var/log’. You should be able to view the files (the capture-file and the packet-capture file created from it) under the /var/log directory.

root> start shell
root@% cd /var/log
root@% ls -l
total 18964
-rw-r--r-- 1 root wheel 80560 Apr 6 06:42 KR2
-rw-r----- 1 root wheel 774142 Apr 19 03:51 RPF-CHECK
-rw-r----- 1 root wheel 445638 Jun 21 11:48 RPF-CHECK-ON
-rw-r----- 1 root wheel 86453 Jun 2 20:31 RPF-CHECK-ON.0.gz
-rw-r--r-- 1 root wheel 275 Jul 20 19:38 __jsrpd_commit_check__
-rw-r--r-- 1 root wheel 0 Dec 21 2010 authd_sdb.log
-rw-r--r-- 1 root wheel 0 Jul 27 21:43 capture.pcap
-rw-r----- 1 root wheel 1975225 Aug 3 21:31 chassisd
-rw-r----- 1 root wheel 203000 Jul 1 08:52 chassisd.0.gz
-rw-r----- 1 root wheel 195019 Jun 3 10:20 chassisd.1.gz
-rw-r----- 1 root wheel 191531 Jun 3 09:49 chassisd.2.gz
-rw-r----- 1 root wheel 194656 Jun 3 08:54 chassisd.3.gz
-rw-r--r-- 1 root wheel 20835 Aug 3 21:23 cosd
-rw-r----- 1 root wheel 12672 Aug 3 21:34 datapcap
-rw-r--r-- 1 root wheel 10440 Aug 3 21:36 datapcap.pcap
-rw-r----- 1 root wheel 979500 Aug 3 21:26 dcd
-rw-r----- 1 root wheel 28712 Jun 3 06:44 dcd.0.gz
-rw-r----- 1 root wheel 27720 Jun 3 00:52 dcd.1.gz
-rw-r----- 1 root wheel 41132 Aug 3 21:26 debugtrace
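
An added example (not part of the Juniper KB): a Python check to run on the analysis workstation after copying datapcap.pcap off the device. It confirms the file is a well-formed classic pcap and counts its records, so the count can be compared with the number e2einfo reported before the file goes to Wireshark or tcpdump. The function names and the sample bytes are constructed for illustration.

```python
import struct

# Classic pcap magic numbers: microsecond and nanosecond timestamp variants.
MAGICS = {0xA1B2C3D4, 0xA1B23C4D}

def fail(packets, error):
    return {"ok": False, "packets": packets, "error": error}

def check_pcap(data: bytes) -> dict:
    """Walk a classic pcap byte string; report packet count or the first problem."""
    if len(data) < 24:
        return fail(0, "shorter than the 24-byte pcap global header")
    # The magic is stored in the writer's byte order, so try both.
    for endian in ("<", ">"):
        if struct.unpack(endian + "I", data[:4])[0] in MAGICS:
            break
    else:
        return fail(0, "no pcap magic number")
    _, major, minor, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    offset, packets = 24, 0
    while offset < len(data):
        if offset + 16 > len(data):
            return fail(packets, "truncated record header")
        # Record header: ts_sec, ts_frac, captured length, original length.
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        if incl_len > orig_len or offset + 16 + incl_len > len(data):
            return fail(packets, "truncated or corrupt record")
        offset += 16 + incl_len
        packets += 1
    return {"ok": True, "packets": packets, "snaplen": snaplen,
            "linktype": linktype, "version": (major, minor)}

def build_sample(payloads, snaplen=1500):
    """Constructed input: little-endian pcap, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, p in enumerate(payloads):
        out += struct.pack("<IIII", 1_300_000_000 + i, 0, len(p), len(p)) + p
    return out

if __name__ == "__main__":
    good = build_sample([b"\x00" * 60, b"\x00" * 98])
    print(check_pcap(good))          # two complete records
    print(check_pcap(good[:-10]))    # last record cut short
    print(check_pcap(b"\x00" * 64))  # bytes with no pcap header
```

For a real file, pass its bytes to check_pcap, read in binary mode. A "truncated" result is what to expect from a file copied while it was still being written.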
