HOW TO: run a packet capture on a Juniper SRX?

http://netfixpro.com/how-to-run-a-packet-capture-on-a-juniper-srx/

This article shows how to configure and remove a packet capture of IPv4 traffic on J-Series or SRX branch devices (SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650, SRX300 series, SRX1500); the resulting capture file can be read with Wireshark or Ethereal.

Configure forwarding options:

user@host# set forwarding-options packet-capture file filename PCAP files 5 size 10000
user@host# set forwarding-options packet-capture maximum-capture-size 1500

Configure the firewall filter for the packet capture:

user@host# set firewall filter PCAP-FF term 1 from source-address 10.10.10.1
user@host# set firewall filter PCAP-FF term 1 from destination-address 30.30.30.1
user@host# set firewall filter PCAP-FF term 1 then sample
user@host# set firewall filter PCAP-FF term 1 then accept

user@host# set firewall filter PCAP-FF term 2 from source-address 10.10.10.1
user@host# set firewall filter PCAP-FF term 2 from destination-address 30.30.30.3
user@host# set firewall filter PCAP-FF term 2 then sample
user@host# set firewall filter PCAP-FF term 2 then accept

user@host# set firewall filter PCAP-FF term allow-all-else then accept

Warning!
Don't forget that last command to accept all other traffic, or else you will end up denying all traffic passing through the interface once you apply the filter to it.

Apply the firewall filter to the interface:

user@host# set interfaces ge-0/0/3 unit 0 family inet filter output PCAP-FF
user@host# set interfaces ge-0/0/3 unit 0 family inet filter input PCAP-FF

Commit the configuration:

user@host# commit
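An added example (not part of the original article): a small Python helper that generates the set commands above for a list of source/destination flows and lints the resulting filter for the catch-all accept term the warning above insists on. The function names are hypothetical; only the Junos statements and the PCAP.ge-0.0.3 naming mirror the page.

```python
import re

FILTER = "PCAP-FF"  # filter name used on the page

def build_capture_config(interface, flows, filename="PCAP", files=5,
                         size=10000, max_cap=1500):
    """Set commands sampling the given (source, destination) flows. The
    catch-all term is left out on purpose so the linter below has work."""
    cmds = [f"set forwarding-options packet-capture file filename {filename}"
            f" files {files} size {size}",
            f"set forwarding-options packet-capture maximum-capture-size {max_cap}"]
    for n, (src, dst) in enumerate(flows, start=1):
        cmds += [f"set firewall filter {FILTER} term {n} from source-address {src}",
                 f"set firewall filter {FILTER} term {n} from destination-address {dst}",
                 f"set firewall filter {FILTER} term {n} then sample",
                 f"set firewall filter {FILTER} term {n} then accept"]
    cmds += [f"set interfaces {interface} unit 0 family inet filter input {FILTER}",
             f"set interfaces {interface} unit 0 family inet filter output {FILTER}"]
    return cmds

def missing_catch_all(cmds, filter_name=FILTER):
    """None if the filter's LAST term has no 'from' clause and accepts, else
    a reason. Terms run in configuration order, so the catch-all must be
    last; without it the implicit discard drops all unmatched traffic."""
    pat = re.compile(rf"^set firewall filter {re.escape(filter_name)}"
                     r" term (\S+) (from|then)\s+(.+)$")
    order, has_from, accepts = [], set(), set()
    for c in cmds:
        m = pat.match(c.strip())
        if not m:
            continue
        term, kind, rest = m.groups()
        if term not in order:
            order.append(term)
        if kind == "from":
            has_from.add(term)
        elif rest.strip() == "accept":
            accepts.add(term)
    if not order:
        return f"no terms found for filter {filter_name}"
    last = order[-1]
    if last in has_from or last not in accepts:
        return f"last term '{last}' is not an unconditional accept"
    return None

def capture_file_name(interface, filename="PCAP"):
    """Capture lands in /var/tmp/<filename>.<interface>, with '/' -> '.'."""
    return f"{filename}.{interface.replace('/', '.')}"
```

Run missing_catch_all over the generated list before committing; it returns a reason until a final term such as "set firewall filter PCAP-FF term allow-all-else then accept" is appended.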
Display the capture:

To find the captured file, run the following command:

user@host> file list /var/tmp/ | match PCAP*
PCAP.ge-0.0.3

To view the capture in real time, read the file with tcpdump from the shell:

user@host> start shell
% cd /var/tmp/
% tcpdump -r PCAP.ge-0.0.3

NOTE: Type cli from shell mode to return to operational mode once you are done with the packet capture.

To remove the capture:

If you haven't made any other changes and want to delete the packet capture, use this method (the rollback only takes effect once it is committed):

user@host# rollback 1
user@host# commit

If you have made multiple changes and ONLY want to delete the packet capture, use this method:

user@host# delete interfaces ge-0/0/3 unit 0 family inet filter input PCAP-FF
user@host# delete interfaces ge-0/0/3 unit 0 family inet filter output PCAP-FF
user@host# delete firewall filter PCAP-FF
user@host# delete forwarding-options packet-capture
user@host# commit

I hope you enjoyed this article. Please feel free to leave a comment or feedback.


Ashutosh Patel

Ashutosh Patel is the Author and editor of netfixpro.com. He currently works as a Network Security Architect. Follow him on following social media to know more about him.
