How to Create a PCAP packet capture on SRX Branch device

This article provides information on how to create a PCAP packet capture on a J-Series or SRX Branch device that can be read with Wireshark or Ethereal.

Problem or Goal:

From time to time, when troubleshooting, a packet capture is very useful. This is best accomplished by performing a sniffer capture outside of the J-Series or SRX device. However, in certain instances, placing a PC or server inline for Ethereal/Wireshark or tcpdump captures may not be possible. In those cases the J-Series and SRX Branch devices (SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, and SRX650) can perform a packet capture directly.


  • Packet Capture can only capture IPv4 protocol traffic.


Instructions for configuring the Packet Capture can also be found via the following link:


To obtain the packet capture on branch SRX devices, perform the following procedure:

For information on obtaining packet captures on high-end SRX devices, refer to KB21563 – How to capture packets on High-End SRX devices.

Enter the forwarding-options packet-capture hierarchy as below:

user@host# edit forwarding-options packet-capture

[edit forwarding-options packet-capture]

Specify a file name for the packet capture and set the maximum-capture-size (the maximum number of bytes stored per packet) to 1500 as below:

[edit forwarding-options packet-capture]
user@host# set file filename testpacketcapture

[edit forwarding-options packet-capture]
user@host# set maximum-capture-size 1500

[edit forwarding-options packet-capture]
user@host# show
file filename testpacketcapture;
maximum-capture-size 1500;

Decide which interface you want to monitor. (This must be an Ethernet interface.) You can list your interfaces with the command: run show interfaces terse.

For this example, we will assume that we want to capture all traffic on interface ge-0/0/0.

Go to the top of your configuration by issuing the command: top. Then enter the interface unit's family inet hierarchy. (Packet capture only works with family inet.) Do this as below:

[edit forwarding-options packet-capture]
user@host# top

user@host# edit interfaces ge-0/0/0 unit 0 family inet

[edit interfaces ge-0/0/0 unit 0 family inet]

Next, choose the sampling direction. (In general you sample both input and output in order to capture traffic in both directions.)

[edit interfaces ge-0/0/0 unit 0 family inet]
user@host# set sampling input output

[edit interfaces ge-0/0/0 unit 0 family inet]
user@host# show
sampling {
    input;
    output;
}

Commit to activate the packet capture:

[edit interfaces ge-0/0/0 unit 0 family inet]
user@host# commit and-quit

Once you commit, pass the traffic that needs to be captured. To stop the packet capture, deactivate or remove the packet-capture and sampling configuration above and commit again. The capture files are written to the /var/tmp directory in PCAP format. You can find the files with the file list command:

user@host> file list /var/tmp/ | match testpacketcapture*

Upload the files from the /var/tmp directory to your desktop and view them with your PCAP application, such as Wireshark or Ethereal.

Configuring a Firewall Filter for the Packet Capture (Optional)

Set the filter and term name, and define the match condition and its action. The KB omits the destination value; replace the <destination-prefix> placeholder below with the address or prefix you want to capture:

set firewall filter dest-all term dest-term from destination-address <destination-prefix>
set firewall filter dest-all term dest-term then sample accept
set firewall filter dest-all term default-permit then accept

To apply the filter to the interface, enter:

set interfaces fe-0/0/1 unit 0 family inet filter output dest-all

How to capture packets on High-End SRX devices

Juniper KB21563

This article provides a solution to the issue faced by many customers who are unable to perform a packet capture on High-End devices and then read the file with third-party software.

Problem or Goal:

This article summarizes the procedure for capturing packets on a High-End SRX device. This is applicable to the following devices:

  • SRX1400
  • SRX3400
  • SRX3600
  • SRX5600
  • SRX5800

For information on obtaining packet captures on branch devices, refer to KB11709 – [SRX] How to Create a PCAP packet capture on a J-Series or SRX Branch device.

Note: This can also be applied to High-End Chassis Clusters.


To obtain a packet capture on High-End SRX devices, perform the following procedure:

  1. Configure the datapath-debug on the device under the hierarchy: [edit security datapath-debug].
  2. Based on the exact requirements, you may need to trace only a certain type of traffic, which can be configured using packet-filters.
  3. Specify the maximum capture size (this is the maximum size captured per packet).
  4. Create an action-profile to specify where inside the device the packets will be captured (e.g. LBT, MAC-ingress, and so on).
  5. Reference the previously created action-profile inside the configured packet-filter.
  6. Specify the name of the capture-file (the file which will contain the captured packets).

Sample Configuration:

root> show configuration security datapath-debug | no-more
traceoptions {
    file debugtrace;
}
capture-file datapcap format pcap;
maximum-capture-size 1500;
action-profile {
    flowtrace {
        event pot {
            packet-dump;
        }
        event lbt {
            packet-dump;
        }
    }
}
packet-filter filter1 {
    action-profile flowtrace;
    protocol icmp;
}

  • In the above config, only the most relevant portions required for the solution are provided.
  • Packets will be dumped in the capture-file, only during processing in POT and LBT threads as per the above config.

Procedure for obtaining the captured packets:

After the configuration has been committed, remember to start the datapath-debug on the device. It does not start by itself.

To start the debug:

root> request security datapath-debug capture start

To stop the debug:

root> request security datapath-debug capture stop

Note:

  • Remember to stop the debug after you are done capturing data. If you attempt to open the capture files without stopping the debug, the files obtained cannot be opened with any third-party software.
  • After the capture has been stopped, you can view the packets on the CLI in HEX format using the command:

[edit] root> show security datapath-debug capture

If you would like to view the captured files in third-party software (e.g. tcpdump, Wireshark), you first need to strip certain internal fields from each packet. The command is:

root@% e2einfo -Ccapture -Snormalize -I datapcap -F datapcap.pcap
sucessfully convert 124 packets

Note: The above command must be run from the shell, inside the /var/log directory. Here, the file configured under security datapath-debug is named datapcap, and the packets from the captured file are extracted into the file datapcap.pcap.
The files containing the captured data are under /var/log. You should be able to see both files (the capture-file and the packet-capture file created from it) in the /var/log directory.

root> start shell
root@% cd /var/log
root@% ls -l
total 18964
-rw-r--r-- 1 root wheel 80560 Apr 6 06:42 KR2
-rw-r----- 1 root wheel 774142 Apr 19 03:51 RPF-CHECK
-rw-r----- 1 root wheel 445638 Jun 21 11:48 RPF-CHECK-ON
-rw-r----- 1 root wheel 86453 Jun 2 20:31 RPF-CHECK-ON.0.gz
-rw-r--r-- 1 root wheel 275 Jul 20 19:38 __jsrpd_commit_check__
-rw-r--r-- 1 root wheel 0 Dec 21 2010 authd_sdb.log
-rw-r--r-- 1 root wheel 0 Jul 27 21:43 capture.pcap
-rw-r----- 1 root wheel 1975225 Aug 3 21:31 chassisd
-rw-r----- 1 root wheel 203000 Jul 1 08:52 chassisd.0.gz
-rw-r----- 1 root wheel 195019 Jun 3 10:20 chassisd.1.gz
-rw-r----- 1 root wheel 191531 Jun 3 09:49 chassisd.2.gz
-rw-r----- 1 root wheel 194656 Jun 3 08:54 chassisd.3.gz
-rw-r--r-- 1 root wheel 20835 Aug 3 21:23 cosd
-rw-r----- 1 root wheel 12672 Aug 3 21:34 datapcap
-rw-r--r-- 1 root wheel 10440 Aug 3 21:36 datapcap.pcap
-rw-r----- 1 root wheel 979500 Aug 3 21:26 dcd
-rw-r----- 1 root wheel 28712 Jun 3 06:44 dcd.0.gz
-rw-r----- 1 root wheel 27720 Jun 3 00:52 dcd.1.gz
-rw-r----- 1 root wheel 41132 Aug 3 21:26 debugtrace
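Both articles end with a PCAP file that is copied off the box and opened elsewhere: the /var/tmp file from a branch SRX, or the e2einfo-normalized datapcap.pcap from /var/log on a high-end SRX. The following Python checker is an added example, not Juniper's code and not part of either KB. It parses the classic libpcap layout (the 24-byte global header and 16-byte per-record headers, whose magic number, field layout and link-type values are the standard libpcap ones), counts IPv4 packets per destination and optionally against a destination prefix (the offline counterpart of the destination-address firewall filter in the branch article), flags packets that were clipped by maximum-capture-size, and reports a file that ends in the middle of a record, one common reason a reader such as Wireshark rejects a capture that was not stopped cleanly. The sample frames, addresses and the truncated file are constructed inline so it runs offline; nothing here reads a real device.

```python
"""Offline sanity check for a PCAP pulled off an SRX (added example, not Juniper code)."""
import struct
import ipaddress
from collections import Counter

PCAP_GLOBAL_HDR = 24          # magic, version, tz, sigfigs, snaplen, linktype
PCAP_RECORD_HDR = 16          # ts_sec, ts_usec, incl_len, orig_len
LINKTYPE_ETHERNET = 1
LINKTYPE_RAW = 12             # raw IPv4, no link-layer header
MAGIC_NATIVE = 0xA1B2C3D4     # microsecond-resolution libpcap magic


def _endianness(magic_bytes):
    """Return the struct byte-order prefix matching the magic, or None if not libpcap."""
    for prefix in ("<", ">"):
        (magic,) = struct.unpack(prefix + "I", magic_bytes)
        if magic == MAGIC_NATIVE:
            return prefix
    return None


def parse_pcap(data):
    """Parse libpcap bytes. A short tail is reported as 'truncated', not raised."""
    if len(data) < PCAP_GLOBAL_HDR:
        raise ValueError("file shorter than a pcap global header")
    order = _endianness(data[:4])
    if order is None:
        raise ValueError("not a libpcap file (bad magic); on a high-end SRX run e2einfo first")
    _, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(
        order + "IHHiIII", data[:PCAP_GLOBAL_HDR])
    packets, offset, truncated = [], PCAP_GLOBAL_HDR, False
    while offset < len(data):
        if offset + PCAP_RECORD_HDR > len(data):
            truncated = True           # record header itself is cut off
            break
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(
            order + "IIII", data[offset:offset + PCAP_RECORD_HDR])
        start = offset + PCAP_RECORD_HDR
        if start + incl_len > len(data):
            truncated = True           # record body is cut off
            break
        packets.append({"ts": ts_sec + ts_usec / 1e6, "incl_len": incl_len,
                        "orig_len": orig_len, "data": data[start:start + incl_len]})
        offset = start + incl_len
    return {"version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype,
            "packets": packets, "truncated": truncated}


def ipv4_header(pkt, linktype):
    """Return the 20-byte IPv4 header of a record, or None if the packet is not IPv4."""
    if linktype == LINKTYPE_ETHERNET:
        if len(pkt) < 14 or pkt[12:14] != b"\x08\x00":
            return None
        pkt = pkt[14:]
    elif linktype != LINKTYPE_RAW:
        return None
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    return pkt[:20]


def summarize(data, dest_prefix=None):
    """Count packets, IPv4 packets, clipped packets and destinations; optional prefix match."""
    cap = parse_pcap(data)
    net = ipaddress.ip_network(dest_prefix) if dest_prefix else None
    dests = Counter()
    ipv4 = clipped = matched = 0
    for rec in cap["packets"]:
        if rec["incl_len"] < rec["orig_len"]:
            clipped += 1               # snaplen (maximum-capture-size) cut this packet
        hdr = ipv4_header(rec["data"], cap["linktype"])
        if hdr is None:
            continue
        ipv4 += 1
        dst = ipaddress.ip_address(hdr[16:20])
        dests[str(dst)] += 1
        if net is not None and dst in net:
            matched += 1
    return {"packets": len(cap["packets"]), "ipv4": ipv4, "clipped": clipped,
            "matched": matched, "destinations": dict(dests),
            "truncated": cap["truncated"], "snaplen": cap["snaplen"]}


# ---- constructed sample input (not a real capture) ----
def build_ipv4_frame(src, dst, payload=b"", proto=1):
    """Ethernet + IPv4 frame; checksum left zero, which is fine for a parser test."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + payload


def build_arp_frame():
    """Non-IPv4 frame, to show it is skipped (the branch capture is IPv4-only anyway)."""
    return b"\xff" * 6 + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x06" + b"\x00" * 28


def build_pcap(frames, snaplen=1500, cut_tail=0):
    """Little-endian libpcap file; cut_tail drops bytes from the end to simulate an unfinished write."""
    out = struct.pack("<IHHiIII", MAGIC_NATIVE, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        incl = min(len(frame), snaplen)
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, incl, len(frame)) + frame[:incl]
    return out[:len(out) - cut_tail] if cut_tail else out


SAMPLE_FRAMES = [
    build_ipv4_frame("10.0.0.1", "10.0.0.5", b"ping"),
    build_ipv4_frame("10.0.0.1", "10.0.0.5", b"pong"),
    build_ipv4_frame("10.0.0.1", "192.0.2.9", b"x" * 2000),   # 2034 bytes > snaplen, clipped
    build_arp_frame(),
]
GOOD_PCAP = build_pcap(SAMPLE_FRAMES, snaplen=1500)
TRUNCATED_PCAP = build_pcap(SAMPLE_FRAMES, snaplen=1500, cut_tail=10)

if __name__ == "__main__":
    print(summarize(GOOD_PCAP, "10.0.0.0/24"))
    print(summarize(TRUNCATED_PCAP))
```

For a real file, call summarize(open("datapcap.pcap", "rb").read(), "10.0.0.0/24"); a non-zero clipped count means maximum-capture-size was smaller than the packets on the wire, and truncated=True on a high-end capture usually means the debug was still running when the file was copied.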
