Run a packet capture on a Juniper SRX

This article provides instructions on how to configure and remove a packet capture for IPv4 traffic, on a J-Series or SRX Branch devices (SRX100, SRX110,SRX210, SRX220, SRX240, SRX550, SRX650, SRX300 series, SRX1500), that can be read via Wireshark or Ethereal.
Configure forwarding options:
user@host# set forwarding-options packet-capture file filename PCAP files 5 size 10000
user@host# set forwarding-options packet-capture maximum-capture-size 1500
Configure firewall filter for packet capture:
user@host# set firewall filter PCAP-FF term 1 from source-address 10.10.10.1
user@host# set firewall filter PCAP-FF term 1 from destination-address 30.30.30.1
user@host# set firewall filter PCAP-FF term 1 then sample
user@host# set firewall filter PCAP-FF term 1 then accept

user@host# set firewall filter PCAP-FF term 2 from source-address 10.10.10.1
user@host# set firewall filter PCAP-FF term 2 from destination-address 30.30.30.3
user@host# set firewall filter PCAP-FF term 2 then sample
user@host# set firewall filter PCAP-FF term 2 then accept

user@host# set firewall filter PCAP-FF term allow-all-else then accept
Warning!
Don’t forget that last command to accept all other traffic or else you will end up denying all traffic passing through the interface once you apply the filter to the interface.
Apply firewall filter to the interface:
user@host# set interfaces ge-0/0/3 unit 0 family inet filter output PCAP-FF
user@host# set interfaces ge-0/0/3 unit 0 family inet filter input PCAP-FF
Commit
user@host# commit
Display the capture:
To find the capureted file, run following command.

user@host> file list /var/tmp/ | match PCAP*
PCAP.ge-0.0.3

To view the capture in real time

user@host> start shell
% cd /var/tmp/
% tcpdump -r PCAP.ge-0.0.3
NOTE: Type cli from shell mode to go back to the operational mode once you are done with packet capture.

To remove the capture:
If you haven’t made any other changes and want to delete the packet capture then use this method:

user@host# rollback 1

If you have made multiple changes and ONLY want to delete the packet capture then use this method:

user@host# delete interfaces ge-0/0/3 unit 0 family inet filter input PCAP-FF
user@host# delete interfaces ge-0/0/3 unit 0 family inet filter output PCAP-FF
user@host# delete firewall filter PCAP-FF
user@host# delete forwarding-options packet-capture
user@host# commit
I hope you enjoyed this article. Please feel free to leave a comment or feedback.

Bài liên quan

Understanding the control plane protection using firewall-filters on Juniper SRX

Redistribute BGP Route into OSPF in Cisco IOS Router

Configure Reth Interface in Junos (SRX)

Configure Proxy ARP in Juniper SRX Gateway

Distribute Static Route via OSPF in Cisco IOS Router

Understanding VLAN Trunking Protocol (VTP) in Cisco Switch

Configure DHCP Server for Multiple VLANs in JunOS

Configure a Cisco Router as a PPPoE Client for DSL connectivity using CLI

Secure Spanning-tree on Cisco IOS switches

Tìm hiểu về IP Access Control Lists trên router Cisco

SRX HA Modes

LINK AGGREGATION – PART 3 (LACP CONFIGURATION ON JUNIPER DEVICES)

Configure SRX Mode to Packet Mode from Flow Mode

LINK AGGREGATION – PART 4 (LAG CONFIGURATION ON ALCATEL-LUCENT DEVICES)

Redistribute OSPF Route into BGP in Cisco IOS Router

Configure IPSec VPN With Dynamic IP in Cisco IOS Router

LACP Configuration on Cisco Devices – Part 2

Configuration of Link Aggregation Control Protocol (LACP) with Vmware ESXi/ESX and Dell Switches

Juniper Commands to monitor Network System for Network Admin

Cisco Juniper Commands

Block TOR Application in Juniper SRX

VLAN Difference between Juniper and Cisco Switches

Understanding VLANs in Switching World

Juniper SRX IPsec LAN-to-LAN VPN Part 1

Juniper SRX High Availability Basics

prev next