Run a packet capture on a Juniper SRX

This article provides instructions on how to configure and remove a packet capture for IPv4 traffic, on a J-Series or SRX Branch devices (SRX100, SRX110,SRX210, SRX220, SRX240, SRX550, SRX650, SRX300 series, SRX1500), that can be read via Wireshark or Ethereal.
Configure forwarding options:
user@host# set forwarding-options packet-capture file filename PCAP files 5 size 10000
user@host# set forwarding-options packet-capture maximum-capture-size 1500
Configure firewall filter for packet capture:
user@host# set firewall filter PCAP-FF term 1 from source-address 10.10.10.1
user@host# set firewall filter PCAP-FF term 1 from destination-address 30.30.30.1
user@host# set firewall filter PCAP-FF term 1 then sample
user@host# set firewall filter PCAP-FF term 1 then accept

user@host# set firewall filter PCAP-FF term 2 from source-address 10.10.10.1
user@host# set firewall filter PCAP-FF term 2 from destination-address 30.30.30.3
user@host# set firewall filter PCAP-FF term 2 then sample
user@host# set firewall filter PCAP-FF term 2 then accept

user@host# set firewall filter PCAP-FF term allow-all-else then accept
Warning!
Don’t forget that last command to accept all other traffic or else you will end up denying all traffic passing through the interface once you apply the filter to the interface.
Apply firewall filter to the interface:
user@host# set interfaces ge-0/0/3 unit 0 family inet filter output PCAP-FF
user@host# set interfaces ge-0/0/3 unit 0 family inet filter input PCAP-FF
Commit
user@host# commit
Display the capture:
To find the capureted file, run following command.

user@host> file list /var/tmp/ | match PCAP*
PCAP.ge-0.0.3

To view the capture in real time

user@host> start shell
% cd /var/tmp/
% tcpdump -r PCAP.ge-0.0.3
NOTE: Type cli from shell mode to go back to the operational mode once you are done with packet capture.

To remove the capture:
If you haven’t made any other changes and want to delete the packet capture then use this method:

user@host# rollback 1

If you have made multiple changes and ONLY want to delete the packet capture then use this method:

user@host# delete interfaces ge-0/0/3 unit 0 family inet filter input PCAP-FF
user@host# delete interfaces ge-0/0/3 unit 0 family inet filter output PCAP-FF
user@host# delete firewall filter PCAP-FF
user@host# delete forwarding-options packet-capture
user@host# commit
I hope you enjoyed this article. Please feel free to leave a comment or feedback.

Bài liên quan

Juniper SRX IPsec LAN-to-LAN VPN Part 1

Configure Redistribution between RIP and OSPF in Cisco IOS Router

Configuration of Link Aggregation Control Protocol (LACP) with Vmware ESXi/ESX and Dell Switches

Configure Static NAT in Cisco IOS Router

Configure Dynamic NAT in Cisco IOS Router

Configure a Cisco Router as a PPPoE Client for DSL connectivity using CLI

EdgeRouter – Site-to-Site IPsec VPN to Juniper SRX

Juniper SRX High Availability Basics

Cấu hình Access-list (ACLs) trên thiết bị Cisco

Configure Filter Based Load Balancing in Juniper SRX

Configure SRX Mode to Packet Mode from Flow Mode

Load Balance Dual ISP Internet in Juniper SRX

Understanding the control plane protection using firewall-filters on Juniper SRX

Secure Spanning-tree on Cisco IOS switches

Block TOR Application in Juniper SRX

Redistribute BGP Route into OSPF in Cisco IOS Router

Configure PAgP EtherChannel in Cisco IOS Switch

Juniper SRX IPsec LAN-to-LAN VPN Part 2

Configure iBGP in Cisco IOS Router

Configuring a Policy-Based VPN Site to Site SRX Series and SSG Series

Cisco Juniper Commands

Configure IPSec VPN With Dynamic IP in Cisco IOS Router

SRX HA Modes

Chassis Cluster Configuration on Juniper SRX-1500 firewalls

Configure Dynamic Port Address Translations (PAT) in Cisco IOS Router

prev next