fir3net
PPS-Firenetbanner-780.5x190-30-03-17

Running a packet capture on a Juniper SRX

Within this article we show you the required steps for obtaining a packet capture on your SRX series firewall.

Note : Great care should be taken when applying captures to ensure that only the traffic that you want to capture is defined within the firewall filter. This is to prevent any unnecessary load being placed onto the resources of your firewall.

Configure

set forwarding-options packet-capture file filename pcap files 10 size 10000
set forwarding-options packet-capture maximum-capture-size 1500

set interfaces fe-0/0/0 unit 0 family inet filter input PCAP
set interfaces fe-0/0/0 unit 0 family inet filter output PCAP

set firewall filter PCAP term FF1 from source-address 172.16.1.0/24
set firewall filter PCAP term FF1 from destination-address 10.1.1.100/32
set firewall filter PCAP term FF1 then sample
set firewall filter PCAP term FF1 then accept
set firewall filter PCAP term FF2 from source-address 10.1.1.110/32
set firewall filter PCAP term FF2 from destination-address 172.16.1.0/24
set firewall filter PCAP term FF2 then sample
set firewall filter PCAP term FF2 then accept
set firewall filter PCAP term allow-all-else then accept

Display Capture

root@srx100> start shell
root@srx100% cd /var/tmp/
root@srx100% tcpdump -r pcap.fe-0.0.0
Reverse lookup for 172.16.1.11 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.

20:21:21.342058  In IP 172.16.1.11.9058 > 172.16.1.1.ssh: P 987275121:987275173(52) ack 1326283353 win 4109
20:21:22.252458 Out IP 172.16.1.1.ssh > 172.16.1.11.9058: P 1:53(52) ack 52 win 32900
20:21:22.252721  In IP 172.16.1.11 > vnsc-bak.sys.gtei.net: ICMP echo request, id 1, seq 1095, length 40
20:21:22.252853 Out IP vnsc-bak.sys.gtei.net > 172.16.1.11: ICMP echo reply, id 1, seq 1095, length 40

Remove

root@srx100# delete interfaces fe-0/0/0 unit 0 family inet filter input PCAP
root@srx100# delete interfaces fe-0/0/0 unit 0 family inet filter output PCAP
root@srx100# delete firewall filter PCAP
root@srx100# delete forwarding-options packet-capture

About the Author

RDonato

R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001