
Juniper Networks - [SRX] Example - Creating a PCAP packet capture ... https://kb.juniper.net/InfoCenter/index?page=content&id=KB21563&a...


[SRX] Example - Creating a PCAP packet capture on high-end SRX devices

[KB21563]



SUMMARY:
This article explains how to create a packet capture on a high-end SRX device that can be read via Wireshark or Ethereal.
This also applies to high-end chassis clusters.



Note: The solution provided in this article is also documented more formally here: Example: Configuring End-to-End
Debugging on SRX Series Device



SYMPTOMS:
The procedure in this article is applicable for the following devices:
SRX1400
SRX3400
SRX3600
SRX5400
SRX5600
SRX5800
For more information about obtaining packet captures on branch devices, refer to KB11709 - [SRX] How to Create a PCAP
packet capture on a J-Series or SRX Branch device.

SOLUTION:
Packet capture on high-end SRX devices is done with the help of the datapath-debug utility. Datapath debugging
provides tracing and debugging utilities for multiple processing units along the packet-processing path.
For more information about datapath-debug, refer to Understanding Data Path Debugging for SRX Series Devices.
WARNING: Datapath-debug should not be used in IPv6 environments when using hash-based session distribution with
Junos OS versions prior to Junos OS 15.1X49-D30.
The session distribution method in use can be located as follows:
root@SRX5K> show security flow status
Flow forwarding mode:
Inet forwarding mode: flow based
Inet6 forwarding mode: drop
MPLS forwarding mode: drop
ISO forwarding mode: drop
Flow trace status
Flow tracing status: off
Flow session distribution
Distribution mode: Hash-based
Flow ipsec performance acceleration: off
Flow packet ordering
Ordering mode: Hardware

1. Edit the security datapath-debug option for the multiple processing units along the packet-processing path:

[edit]
user@host# edit security datapath-debug

2. Enable the capture file, file format, file size, and number of files. The size number limits the size of the capture file.
After the size limit is reached, if the file number is specified, then the capture file will be rotated to filename x,
where x is auto-incremented until it reaches the specified index, and then returns to zero. If no file index is
specified, the packets will be discarded after the size limit is reached. The default size is 512 bytes.

[edit security datapath-debug]
user@host# set capture-file my-capture format pcap size 1m files 5

[edit security datapath-debug]
user@host# set maximum-capture-size 1500

3. Enable an action profile with packet-dump for both np-ingress and np-egress.

[edit security datapath-debug]
user@host# set action-profile do-capture event np-egress packet-dump

[edit security datapath-debug]
user@host# set action-profile do-capture event np-ingress packet-dump

4. Enable the packet filter, action, and filter options. The packet filter is set to my-filter, and the action profile is set
to do-capture. In packet-filter, different match criteria can be provided to capture specific traffic.

[edit security datapath-debug]
user@host# set packet-filter my-filter action-profile do-capture

[edit security datapath-debug]
user@host# set packet-filter my-filter source-prefix 1.2.3.4/32
Other packet filter options are also available:
[edit security datapath-debug]
user@host# set packet-filter my-filter ?
....
destination-port Match TCP/UDP destination port
destination-prefix Destination IPv4/IPv6 address prefix
interface Logical interface
protocol Match IP protocol type
source-port Match TCP/UDP source port
source-prefix Source IPv4/IPv6 address prefix
Note: Be sure to configure multiple packet filters to capture traffic. One packet filter may capture traffic only as specified in
it, such as from one source to one destination. The same packet filter will not capture traffic in the reverse direction. You
need to configure another packet filter to capture traffic in the reverse direction and specify the source and destination
according to the response packet in it.
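The following Python helper, added here and not part of the Juniper article, turns steps 2 through 4 and the note above into a checked list of `set` commands: it validates each match option against the `packet-filter ?` list shown, and always emits a second, reverse-direction filter (a name with a `-reverse` suffix is my assumption) so the reply packets are captured too. The `protocol` value 6 for TCP and the `delete security datapath-debug` cleanup command are assumptions as well.

```python
import ipaddress

# Match keys offered by "set packet-filter my-filter ?" on this page.
FILTER_KEYS = ("source-prefix", "destination-prefix", "source-port",
               "destination-port", "protocol", "interface")
# Keys that swap sides when describing the reply direction; others are symmetric.
REVERSE = {"source-prefix": "destination-prefix", "destination-prefix": "source-prefix",
           "source-port": "destination-port", "destination-port": "source-port"}

def reverse_match(match):
    """Return the match for the response packets: addresses and ports swapped."""
    return {REVERSE.get(k, k): v for k, v in match.items()}

def datapath_debug_config(capture_file, match, size="1m", files=5, snaplen=1500,
                          profile="do-capture", filter_name="my-filter"):
    """Build the 'set' commands of steps 2-4 plus a reverse-direction packet filter."""
    for key, value in match.items():
        if key not in FILTER_KEYS:
            raise ValueError(f"unknown packet-filter option: {key}")
        if key.endswith("prefix"):
            ipaddress.ip_network(value, strict=False)  # reject malformed prefixes early
    base = "set security datapath-debug"
    cmds = [f"{base} capture-file {capture_file} format pcap size {size} files {files}",
            f"{base} maximum-capture-size {snaplen}",
            f"{base} action-profile {profile} event np-ingress packet-dump",
            f"{base} action-profile {profile} event np-egress packet-dump"]
    # One filter per direction: the same filter never matches the reverse flow.
    for name, m in ((filter_name, match), (f"{filter_name}-reverse", reverse_match(match))):
        cmds.append(f"{base} packet-filter {name} action-profile {profile}")
        for key in FILTER_KEYS:
            if key in m:
                cmds.append(f"{base} packet-filter {name} {key} {m[key]}")
    return cmds

def cleanup_config():
    """Commands to run when troubleshooting is finished (assumed hierarchy delete)."""
    return ["delete security datapath-debug"]

if __name__ == "__main__":
    # Constructed example: TCP/443 from 1.2.3.4 (the prefix used on this page).
    for line in datapath_debug_config("my-capture", {"source-prefix": "1.2.3.4/32",
                                                     "destination-port": "443",
                                                     "protocol": "6"}):
        print(line)
```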
Procedure for obtaining captured packets
When the configuration is complete, start the datapath-debug utility in the device. Note that capture does not start by
itself; you must manually start it.
To start the debug:

user@host> request security datapath-debug capture start

To stop the debug:

user@host> request security datapath-debug capture stop

Remember to stop the debug process after you have finished capturing data. If you attempt to open the captured files
without stopping the debug process, the files obtained cannot be opened through any third-party software.
After the captures are complete, you will be able to view the packets in the Command Line Interface (CLI) in HEX
format by using the following command:
user@host> show security datapath-debug capture
If you would like to view the captured files in any third-party software (for example, Tcpdump, Wireshark), then you
will need to remove certain fields in each of the packets. You need to log in as the root user to change the format.
The following command must be run inside the shell and inside the /var/log directory. Here, the file that was
configured under security datapath-debug is named my-capture, and the packets in the captured files are
extracted to the file my-capture.pcap.
user@host> start shell
user@host% su
Password :
root% pwd
If you are not in /var/log:
root@% cd /var/log
root@% e2einfo -Ccapture -Snormalize -I my-capture -F my-capture.pcap
successfully convert 124 packets
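As an added sanity check, not part of the Juniper article, the parser below walks a converted capture file record by record and reports the packet count and link type, so a file that was copied off the box before `capture stop` (or that exceeds the configured `maximum-capture-size`) is flagged before it is handed to Wireshark. It assumes e2einfo writes a classic libpcap file; the sample file is constructed in memory, not a real SRX capture.

```python
import struct

# Classic pcap magic numbers (microsecond timestamps) and the byte order they imply.
PCAP_MAGIC = {0xA1B2C3D4: ">", 0xD4C3B2A1: "<"}
LINKTYPE_ETHERNET = 1

def parse_pcap(data, max_capture_size=1500):
    """Validate a classic pcap file; return (linktype, packet_count) or raise ValueError."""
    if len(data) < 24:
        raise ValueError("shorter than the 24-byte pcap global header")
    magic = struct.unpack(">I", data[:4])[0]
    if magic not in PCAP_MAGIC:
        raise ValueError(f"bad magic 0x{magic:08x}: not a pcap file "
                         "(was the capture stopped before running e2einfo?)")
    e = PCAP_MAGIC[magic]
    major, minor, _tz, _sig, snaplen, linktype = struct.unpack(e + "HHiIII", data[4:24])
    if (major, minor) != (2, 4):
        raise ValueError(f"unsupported pcap version {major}.{minor}")
    if snaplen > max_capture_size:
        raise ValueError(f"snaplen {snaplen} exceeds maximum-capture-size {max_capture_size}")
    off, count = 24, 0
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        _sec, _usec, incl_len, orig_len = struct.unpack(e + "IIII", data[off:off + 16])
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError(f"record {count}: incl_len {incl_len} inconsistent "
                             f"(snaplen {snaplen}, orig_len {orig_len})")
        if off + 16 + incl_len > len(data):
            raise ValueError(f"record {count}: packet data truncated")
        off += 16 + incl_len
        count += 1
    return linktype, count

def build_sample_pcap(payloads, snaplen=1500):
    """Construct a little-endian pcap in memory (test data only, not a device capture)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, p in enumerate(payloads):
        cap = p[:snaplen]  # the capture keeps at most snaplen bytes of each frame
        out += struct.pack("<IIII", 1500000000 + i, 0, len(cap), len(p)) + cap
    return out

if __name__ == "__main__":
    with open("my-capture.pcap", "rb") as f:   # the file produced by e2einfo above
        print("linktype %d, %d packets" % parse_pcap(f.read()))
```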
The files containing the captured data are under /var/log. View the files (capture-file and the packet-capture
file created) under the /var/log directory.
root@% cd /var/log
root@% ls -l
total 18964
-rw-r--r-- 1 root wheel 80560 Apr 6 06:42 KR2
-rw-r----- 1 root wheel 774142 Apr 19 03:51 RPF-CHECK
-rw-r----- 1 root wheel 445638 Jun 21 11:48 RPF-CHECK-ON
-rw-r----- 1 root wheel 86453 Jun 2 20:31 RPF-CHECK-ON.0.gz
-rw-r--r-- 1 root wheel 275 Jul 20 19:38 __jsrpd_commit_check__
-rw-r--r-- 1 root wheel 0 Dec 21 2010 authd_sdb.log
-rw-r--r-- 1 root wheel 0 Jul 27 21:43 capture.pcap
-rw-r----- 1 root wheel 1975225 Aug 3 21:31 chassisd
-rw-r----- 1 root wheel 203000 Jul 1 08:52 chassisd.0.gz
-rw-r----- 1 root wheel 195019 Jun 3 10:20 chassisd.1.gz
-rw-r----- 1 root wheel 191531 Jun 3 09:49 chassisd.2.gz
-rw-r----- 1 root wheel 194656 Jun 3 08:54 chassisd.3.gz
-rw-r--r-- 1 root wheel 20835 Aug 3 21:23 cosd
-rw-r----- 1 root wheel 12672 Aug 3 21:34 datapcap
-rw-r--r-- 1 root wheel 10440 Aug 3 21:36 datapcap.pcap
-rw-r----- 1 root wheel 979500 Aug 3 21:26 dcd
-rw-r----- 1 root wheel 28712 Jun 3 06:44 dcd.0.gz
-rw-r----- 1 root wheel 27720 Jun 3 00:52 dcd.1.gz
-rw-r----- 1 root wheel 41132 Aug 3 21:26 debugtrace
When troubleshooting is finished, remove all traceoptions configurations (not limited to flow traceoptions) and the
complete datapath-debug configuration. If any part of the debugging configuration remains active, it will continue using
the resources of the device (CPU/memory).

MODIFICATION HISTORY:
2018-10-11: Command corrected in Solution section to root@% e2einfo -Ccapture -Snormalize -I my-capture -F my-capture.pcap.
2018-09-24: Updated IPv6 limitation warning, which was corrected in 15.1X49+D30+, and reviewed article for clarity and accuracy.
2017-04-16: Added link to this example now documented in the technical documentation too.

RELATED LINKS:
KB15779 - SRX Getting Started - Troubleshooting Commands

