How to Create a PCAP packet capture on SRX Branch device


KB11709

Summary:

This article provides information on how to create a PCAP packet capture on a J-Series or SRX Branch device that can be read via Wireshark or Ethereal.

Problem or Goal:

From time to time, when troubleshooting, a packet capture is very useful. This is best accomplished by performing a sniffer capture outside of the J-Series or SRX device. However, in certain instances, placing a PC or server inline for Ethereal/Wireshark or tcpdump captures may not be possible. For these cases, J-Series and SRX Branch devices (SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, and SRX650) can perform a packet capture directly.

Note:

  • Packet Capture can only capture IPv4 protocol traffic.

Solution:

Instructions for configuring the Packet Capture can also be found via the following link:

http://www.juniper.net/techpubs/en_US/junos/topics/usage-guidelines/policy-configuring-packet-capture.html

To obtain the packet capture on branch SRX devices, perform the following procedure:

Note:
 For information on obtaining packet-captures on high-end SRX devices, refer to KB21563 – How to capture packets on High-End SRX devices.

Go into forwarding-options and then to packet-capture as below:

[edit]
user@host# edit forwarding-options packet-capture

[edit forwarding-options packet-capture]
user@host#

Specify a file name for the packet capture and set the maximum-capture-size to 1500 as below:

[edit forwarding-options packet-capture]
user@host# set file filename testpacketcapture

[edit forwarding-options packet-capture]
user@host# set maximum-capture-size 1500

[edit forwarding-options packet-capture]
user@host# show
file filename testpacketcapture;
maximum-capture-size 1500;

Decide which interface you want to monitor. (This must be an Ethernet interface.) You can list your interfaces with the command: run show interfaces terse.

For this example, we will assume that we want to capture all traffic on interface ge-0/0/0.

Go to the top of your configuration by issuing the command: top. Then go into the interface unit under family inet (packet-capture only works with family inet). Do this as below:

[edit forwarding-options packet-capture]
user@host# top

[edit]
user@host# edit interfaces ge-0/0/0 unit 0 family inet

[edit interfaces ge-0/0/0 unit 0 family inet]
user@host#

Next, choose the sampling direction. (In general you sample both input and output in order to capture all traffic.)

[edit interfaces ge-0/0/0 unit 0 family inet]
user@host# set sampling input output

[edit interfaces ge-0/0/0 unit 0 family inet]
user@host# show
sampling {
input;
output;
}

Commit to activate the packet capture:

[edit interfaces ge-0/0/0 unit 0 family inet]
user@host# commit and-quit

Once you commit, pass the traffic that needs to be captured. To stop the packet capture, deactivate or remove the packet-capture and sampling configuration above and commit again. The capture files are written to the /var/tmp directory in PCAP format. You can find them with the file list command.

user@host> file list /var/tmp/ | match testpacketcapture*
testpacketcapture.ge-0.0.0

Upload the files from the /var/tmp directory to your desktop and view them in your PCAP application, such as Wireshark or Ethereal.
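Before loading a capture pulled from /var/tmp into Wireshark, it is worth a quick sanity check that the file is a valid PCAP, how much IPv4 traffic it holds, and whether any frames were cut short by the maximum-capture-size. The Python below is an added example, not part of this article or of Junos: it parses a classic pcap file and summarises it, and the two-frame capture it reads is constructed inline in place of testpacketcapture.ge-0.0.0.

```python
import struct
from collections import Counter

ETHERTYPE_IPV4, LINKTYPE_ETHERNET = 0x0800, 1

def parse_pcap(data: bytes) -> dict:
    """Walk a classic pcap file: count packets, tally IPv4 (src, dst, proto)
    flows, and count frames cut short by the capture size (orig_len > incl_len)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"        # written by a little-endian host
    elif magic == 0xD4C3B2A1:
        endian = ">"        # magic read byte-swapped: big-endian writer
    else:
        raise ValueError(f"not a pcap file (magic {magic:#010x})")
    # Global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    snaplen, linktype = struct.unpack(endian + "II", data[16:24])
    s = {"snaplen": snaplen, "packets": 0, "ipv4": 0, "truncated": 0, "flows": Counter()}
    off = 24
    while off + 16 <= len(data):
        # Record header: ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on the wire)
        _, _, incl, orig = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        if len(frame) < incl:
            raise ValueError(f"short record at offset {off}")
        off += 16 + incl
        s["packets"] += 1
        s["truncated"] += orig > incl
        # EtherType at bytes 12-13; the IPv4 header follows the 14-byte Ethernet header
        if linktype == LINKTYPE_ETHERNET and len(frame) >= 34 and frame[12:14] == b"\x08\x00":
            ip = frame[14:34]
            s["ipv4"] += 1
            src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
            s["flows"][(src, dst, ip[9])] += 1
    return s

def build_sample_pcap() -> bytes:
    """Constructed two-frame capture standing in for testpacketcapture.ge-0.0.0."""
    def frame(src, dst, proto, payload):
        eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)   # zeroed MACs, type IPv4
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
        return eth + ip + payload
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1500, LINKTYPE_ETHERNET)
    f1 = frame("192.168.1.1", "10.0.0.5", 17, bytes(8))   # UDP, fully captured
    f2 = frame("10.0.0.5", "192.168.1.1", 6, bytes(20))   # TCP; 1600 bytes were on the wire
    rec1 = struct.pack("<IIII", 1, 0, len(f1), len(f1)) + f1
    rec2 = struct.pack("<IIII", 1, 500, len(f2), 1600) + f2  # orig_len > incl_len: truncated
    return hdr + rec1 + rec2
```

To check a real file, replace the constructed bytes with `open("testpacketcapture.ge-0.0.0", "rb").read()`; a non-zero truncated count means some frames exceeded the configured capture size.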

Configuring a Firewall Filter for the Packet Capture (Optional)

Set the filter and term name, and define the match condition and its action.

set firewall filter dest-all term dest-term from destination-address 192.168.1.1/32
set firewall filter dest-all term dest-term then sample accept
set firewall filter dest-all term default-permit then accept

To apply the filter to the interface enter:

set interfaces fe-0/0/1 unit 0 family inet filter output dest-all