Running a packet capture on a Juniper SRX
Published 2012-02-06, last modified 2021-07-24. Source: https://www.fir3net.com/Firewalls/Juniper/running-a-packet-capture-on-a-juniper-srx.html

Within this article we show you the required steps for obtaining a packet capture on your SRX series firewall. The device used is a branch SRX (an SRX100), and the capture is taken with the forwarding-options packet-capture feature: packets marked by a firewall filter with the sample action are written in pcap format to /var/tmp on the device. High-end SRX platforms do not support this feature and use security datapath-debug instead.

Note: Great care should be taken when applying captures to ensure that only the traffic that you want to capture is defined within the firewall filter. A loosely scoped filter places unnecessary load on the resources of your firewall and fills the capture files with traffic you did not ask for.

Configure

The first two lines define the capture itself. The files are named after the filename and the interface (here /var/tmp/pcap.fe-0.0.0), up to 10 files of 10000 bytes each are rotated through, and up to 1500 bytes of each packet are stored (the default maximum-capture-size is 68 bytes, which keeps headers only). Note that 10000 bytes per file is very small; ten such files hold only a few dozen full-size packets, so raise the size if you need more than a quick look. The filter PCAP is then applied in both directions on fe-0/0/0, and each term whose traffic should be captured carries both "then sample" and "then accept". The final term is not optional: a Junos firewall filter ends with an implicit discard, so without allow-all-else every packet on fe-0/0/0 not matched by FF1 or FF2 would be dropped, including your own management session.

set forwarding-options packet-capture file filename pcap files 10 size 10000
set forwarding-options packet-capture maximum-capture-size 1500
set interfaces fe-0/0/0 unit 0 family inet filter input PCAP
set interfaces fe-0/0/0 unit 0 family inet filter output PCAP
set firewall filter PCAP term FF1 from source-address 172.16.1.0/24
set firewall filter PCAP term FF1 from destination-address 10.1.1.100/32
set firewall filter PCAP term FF1 then sample
set firewall filter PCAP term FF1 then accept
set firewall filter PCAP term FF2 from source-address 10.1.1.110/32
set firewall filter PCAP term FF2 from destination-address 172.16.1.0/24
set firewall filter PCAP term FF2 then sample
set firewall filter PCAP term FF2 then accept
set firewall filter PCAP term allow-all-else then accept

Display Capture

Drop from operational mode to the shell, change to /var/tmp and read the file with tcpdump. The In and Out markers correspond to the input and output filters applied above. The warning about reverse lookups is harmless; the file is a standard pcap and can also be copied off the device (for example with file copy from the CLI) and opened in Wireshark or a workstation tcpdump.

root@srx100> start shell
root@srx100% cd /var/tmp/
root@srx100% tcpdump -r pcap.fe-0.0.0
Reverse lookup for 172.16.1.11 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.

20:21:21.342058 In IP 172.16.1.11.9058 > 172.16.1.1.ssh: P 987275121:987275173(52) ack 1326283353 win 4109
20:21:22.252458 Out IP 172.16.1.1.ssh > 172.16.1.11.9058: P 1:53(52) ack 52 win 32900
20:21:22.252721 In IP 172.16.1.11 > vnsc-bak.sys.gtei.net: ICMP echo request, id 1, seq 1095, length 40
20:21:22.252853 Out IP vnsc-bak.sys.gtei.net > 172.16.1.11: ICMP echo reply, id 1, seq 1095, length 40

Remove

Once the capture is finished, remove the interface references, the filter and the packet-capture stanza, then commit. The capture files stay in /var/tmp after the configuration is gone; delete them once analysed, since with maximum-capture-size 1500 they hold the full payload of every sampled packet, including any cleartext credentials or data that passed through the interface.

root@srx100# delete interfaces fe-0/0/0 unit 0 family inet filter input PCAP
root@srx100# delete interfaces fe-0/0/0 unit 0 family inet filter output PCAP
root@srx100# delete firewall filter PCAP
root@srx100# delete forwarding-options packet-capture
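A practitioner who has copied pcap.fe-0.0.0 off the firewall usually wants two checks before trusting the capture: that the snapshot length really is the configured maximum-capture-size (so payloads were not silently cut at the 68-byte default), and that the filter sampled only the flows the FF1 and FF2 terms describe. The following script is an added example, not code from the fir3net article. It parses the classic libpcap container directly, reports truncated packets and classifies each IPv4 packet against the article's two terms, flagging anything the filter should not have sampled. It assumes the frames use LINKTYPE_ETHERNET (1); the IPv4 offset logic is the part to adapt if a capture uses another link type. The sample capture bytes are constructed inline and are not a real SRX file.

```python
"""Offline audit of an SRX packet-capture file (added example, not from the article)."""
import ipaddress
import struct

# Filter terms from the article, in evaluation order: (source, destination).
TERMS = {
    "FF1": (ipaddress.ip_network("172.16.1.0/24"), ipaddress.ip_network("10.1.1.100/32")),
    "FF2": (ipaddress.ip_network("10.1.1.110/32"), ipaddress.ip_network("172.16.1.0/24")),
}
LINKTYPE_ETHERNET = 1   # assumption: capture frames are plain Ethernet
ETHERTYPE_IPV4 = 0x0800


def parse_pcap(data: bytes):
    """Return (snaplen, linktype, records); each record is (caplen, origlen, frame)."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":    # little-endian magic, microsecond stamps
        end = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":  # big-endian magic
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    # Global header after magic: major(2) minor(2) thiszone(4) sigfigs(4) snaplen(4) linktype(4)
    _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack(end + "HHiIII", data[4:24])
    records, off = [], 24
    while off + 16 <= len(data):
        # Record header: ts_sec(4) ts_usec(4) incl_len(4) orig_len(4)
        _sec, _usec, caplen, origlen = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + caplen]
        if len(frame) != caplen:
            raise ValueError("truncated record at offset %d" % off)
        off += caplen
        records.append((caplen, origlen, frame))
    return snaplen, linktype, records


def ipv4_endpoints(frame: bytes):
    """Return (src, dst) for an Ethernet-encapsulated IPv4 frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    if frame[14] >> 4 != 4:
        return None
    return ipaddress.ip_address(frame[26:30]), ipaddress.ip_address(frame[30:34])


def classify(src, dst):
    """Name of the first term matching (src, dst), or None (fell through to allow-all-else)."""
    for name, (s_net, d_net) in TERMS.items():
        if src in s_net and dst in d_net:
            return name
    return None


def audit(data: bytes, configured_max_capture: int = 1500):
    """Summarise a capture against the configured capture size and filter terms."""
    snaplen, linktype, records = parse_pcap(data)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("link type %d not handled by this example" % linktype)
    summary = {"packets": len(records), "snaplen_ok": snaplen == configured_max_capture,
               "truncated": 0, "unexpected": [], "per_term": {n: 0 for n in TERMS}}
    for caplen, origlen, frame in records:
        if origlen > caplen:
            summary["truncated"] += 1          # payload cut by maximum-capture-size
        ends = ipv4_endpoints(frame)
        if ends is None:
            continue
        term = classify(*ends)
        if term is None:
            summary["unexpected"].append("%s > %s" % ends)   # filter sampled too much
        else:
            summary["per_term"][term] += 1
    return summary


# ---- constructed sample capture; not a real SRX file -------------------------
def _frame(src: str, dst: str, payload_len: int) -> bytes:
    """Minimal Ethernet+IPv4 frame; zero MACs and checksum are fine for parsing."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 1, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return eth + ip + b"\x00" * payload_len


def sample_capture(snaplen: int = 1500) -> bytes:
    """Three frames: an FF1 match, a 1514-byte FF2 match cut at snaplen, and a stray flow."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    flows = [("172.16.1.11", "10.1.1.100", 40), ("10.1.1.110", "172.16.1.5", 1480),
             ("192.168.0.1", "8.8.8.8", 40)]
    for i, (s, d, n) in enumerate(flows):
        frame = _frame(s, d, n)
        captured = frame[:snaplen]
        out += struct.pack("<IIII", 1000 + i, 0, len(captured), len(frame)) + captured  # arbitrary timestamps
    return out


if __name__ == "__main__":
    print(audit(sample_capture()))
```

Run it against a real file with `audit(open("pcap.fe-0.0.0", "rb").read())`. A non-empty "unexpected" list means packets reached the capture that neither term describes, which is exactly the over-broad filter the note above warns about; a non-zero "truncated" count tells you which packets exceeded maximum-capture-size.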