Running a packet capture on a Juniper SRX

Within this article we show you the required steps for obtaining a packet capture on your SRX series firewall.

Note : Great care should be taken when applying captures to ensure that only the traffic that you want to capture is defined within the firewall filter. This is to prevent any unnecessary load being placed onto the resources of your firewall.

Configure

set forwarding-options packet-capture file filename pcap files 10 size 10000
set forwarding-options packet-capture maximum-capture-size 1500

set interfaces fe-0/0/0 unit 0 family inet filter input PCAP
set interfaces fe-0/0/0 unit 0 family inet filter output PCAP

set firewall filter PCAP term FF1 from source-address 172.16.1.0/24
set firewall filter PCAP term FF1 from destination-address 10.1.1.100/32
set firewall filter PCAP term FF1 then sample
set firewall filter PCAP term FF1 then accept
set firewall filter PCAP term FF2 from source-address 10.1.1.110/32
set firewall filter PCAP term FF2 from destination-address 172.16.1.0/24
set firewall filter PCAP term FF2 then sample
set firewall filter PCAP term FF2 then accept
set firewall filter PCAP term allow-all-else then accept

Display Capture

[email protected]> start shell
[email protected]% cd /var/tmp/
[email protected]% tcpdump -r pcap.fe-0.0.0
Reverse lookup for 172.16.1.11 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.

20:21:21.342058  In IP 172.16.1.11.9058 > 172.16.1.1.ssh: P 987275121:987275173(52) ack 1326283353 win 4109
20:21:22.252458 Out IP 172.16.1.1.ssh > 172.16.1.11.9058: P 1:53(52) ack 52 win 32900
20:21:22.252721  In IP 172.16.1.11 > vnsc-bak.sys.gtei.net: ICMP echo request, id 1, seq 1095, length 40
20:21:22.252853 Out IP vnsc-bak.sys.gtei.net > 172.16.1.11: ICMP echo reply, id 1, seq 1095, length 40

Remove

[email protected]# delete interfaces fe-0/0/0 unit 0 family inet filter input PCAP
[email protected]# delete interfaces fe-0/0/0 unit 0 family inet filter output PCAP
[email protected]# delete firewall filter PCAP
[email protected]# delete forwarding-options packet-capture

• Author
• Recent Posts

Rick Donato

Rick Donato is a Network Automation Architect/Evangelist and the founder of Packet Coders.

Latest posts by Rick Donato (see all)

• How to Configure a BIND Server on Ubuntu - March 15, 2018
• What is a BGP Confederation? - March 6, 2018
• Cisco – What is BGP ORF (Outbound Route Filtering)? - March 5, 2018

Want to become an IT Security expert?

Here is our hand-picked selection of the best courses you can find online:
Internet Security Deep Dive course
Complete Cyber Security Course – Hackers Exposed
CompTIA Security+ (SY0-601) Certification Complete course
and our recommended certification practice exams:
AlphaPrep Practice Tests - Free Trial