Run a packet capture on a Juniper SRX

This article provides instructions on how to configure and remove a packet capture for IPv4 traffic on J-Series or SRX Branch devices (SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650, SRX300 series, SRX1500), producing a file that can be read with Wireshark or Ethereal.
Configure forwarding options:
user@host# set forwarding-options packet-capture file filename PCAP files 5 size 10000
user@host# set forwarding-options packet-capture maximum-capture-size 1500
Configure firewall filter for packet capture:
user@host# set firewall filter PCAP-FF term 1 from source-address 10.10.10.1
user@host# set firewall filter PCAP-FF term 1 from destination-address 30.30.30.1
user@host# set firewall filter PCAP-FF term 1 then sample
user@host# set firewall filter PCAP-FF term 1 then accept

user@host# set firewall filter PCAP-FF term 2 from source-address 10.10.10.1
user@host# set firewall filter PCAP-FF term 2 from destination-address 30.30.30.3
user@host# set firewall filter PCAP-FF term 2 then sample
user@host# set firewall filter PCAP-FF term 2 then accept

user@host# set firewall filter PCAP-FF term allow-all-else then accept
Warning!
Don’t forget that last term accepting all other traffic: a Junos firewall filter ends with an implicit discard, so without it you will end up denying all other traffic passing through the interface once you apply the filter to it.
Apply firewall filter to the interface:
user@host# set interfaces ge-0/0/3 unit 0 family inet filter output PCAP-FF
user@host# set interfaces ge-0/0/3 unit 0 family inet filter input PCAP-FF
Commit the configuration:
user@host# commit
Display the capture:
To find the captured file, run the following command:

user@host> file list /var/tmp/ | match PCAP*
PCAP.ge-0.0.3

To view the capture from the device shell:

user@host> start shell
% cd /var/tmp/
% tcpdump -r PCAP.ge-0.0.3
NOTE: Type cli from shell mode to return to operational mode once you are done with the packet capture.

To remove the capture:
If you haven’t made any other changes and want to delete the packet capture then use this method:

user@host# rollback 1

If you have made multiple changes and ONLY want to delete the packet capture then use this method:

user@host# delete interfaces ge-0/0/3 unit 0 family inet filter input PCAP-FF
user@host# delete interfaces ge-0/0/3 unit 0 family inet filter output PCAP-FF
user@host# delete firewall filter PCAP-FF
user@host# delete forwarding-options packet-capture
user@host# commit
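As an added example (not from the article and not Juniper tooling), the following Python script builds the same set commands from a list of source/destination pairs, checks that the filter's final term is an unconditional accept so the implicit discard at the end of a Junos firewall filter does not drop the rest of the interface's traffic, and produces the matching delete commands for the removal step. The filter name PCAP-FF, interface ge-0/0/3, file settings and addresses are the ones used above; the function names and the flow list are my own.

```python
"""Build and sanity-check Junos 'set' commands for an SRX packet capture.

Added example, not from the article or from Juniper. The filter name, interface
and file settings default to the values used in the article; the (src, dst)
flow list passed in by the caller is constructed sample input.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

# Matches the firewall-filter term lines produced below (and hand-typed ones).
TERM_RE = re.compile(r"^set firewall filter (\S+) term (\S+) (from|then) (.+)$")


def capture_commands(filter_name: str, flows: Iterable[Tuple[str, str]],
                     interface: str = "ge-0/0/3", unit: int = 0,
                     file_name: str = "PCAP", files: int = 5,
                     size: int = 10000, max_capture: int = 1500) -> List[str]:
    """Return the set commands for the capture: one sample-and-accept term per
    (source, destination) pair, always closed by an accept-all term."""
    cmds = [
        f"set forwarding-options packet-capture file filename {file_name} "
        f"files {files} size {size}",
        f"set forwarding-options packet-capture maximum-capture-size {max_capture}",
    ]
    for n, (src, dst) in enumerate(flows, start=1):
        # Reject typos before they reach the box; a bad address raises ValueError.
        ipaddress.ip_network(src, strict=False)
        ipaddress.ip_network(dst, strict=False)
        term = f"set firewall filter {filter_name} term {n}"
        cmds += [
            f"{term} from source-address {src}",
            f"{term} from destination-address {dst}",
            f"{term} then sample",
            f"{term} then accept",
        ]
    # The term the article warns about: without it the filter's implicit
    # discard drops every packet the sampling terms did not match.
    cmds.append(f"set firewall filter {filter_name} term allow-all-else then accept")
    for direction in ("output", "input"):
        cmds.append(f"set interfaces {interface} unit {unit} family inet "
                    f"filter {direction} {filter_name}")
    return cmds


def ends_with_accept_all(commands: Iterable[str], filter_name: str) -> bool:
    """True if the last term of filter_name (terms are evaluated in the order
    they were first defined) has no 'from' conditions and a 'then accept'."""
    terms: Dict[str, Dict[str, List[str]]] = {}
    order: List[str] = []
    for line in commands:
        m = TERM_RE.match(line.strip())
        if not m or m.group(1) != filter_name:
            continue
        name, kind, rest = m.group(2), m.group(3), m.group(4)
        if name not in terms:
            terms[name] = {"from": [], "then": []}
            order.append(name)
        terms[name][kind].append(rest)
    if not order:
        return False
    last = terms[order[-1]]
    return not last["from"] and "accept" in last["then"]


def removal_commands(filter_name: str, interface: str = "ge-0/0/3",
                     unit: int = 0) -> List[str]:
    """The delete commands that undo capture_commands(), in the article's order:
    detach the filter from the interface before deleting the filter itself."""
    return [
        f"delete interfaces {interface} unit {unit} family inet filter input {filter_name}",
        f"delete interfaces {interface} unit {unit} family inet filter output {filter_name}",
        f"delete firewall filter {filter_name}",
        "delete forwarding-options packet-capture",
    ]


if __name__ == "__main__":
    # Constructed sample: the two flows from the article.
    flows = [("10.10.10.1", "30.30.30.1"), ("10.10.10.1", "30.30.30.3")]
    cmds = capture_commands("PCAP-FF", flows)
    assert ends_with_accept_all(cmds, "PCAP-FF")
    print("\n".join(cmds))
    print("commit")
```

Paste the printed lines into configuration mode, or run ends_with_accept_all() over a filter you have already typed by hand (for example the output of show firewall filter ... | display set) before committing it to an interface.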
I hope you enjoyed this article. Please feel free to leave a comment or feedback.