Monday, August 15, 2011

Packet Capture for transit traffic through the SRX


From time to time while troubleshooting, a packet capture is very useful. This is best accomplished by running a sniffer on the network, but there are cases where placing a PC or server inline for Ethereal/Wireshark or tcpdump captures is not possible.

Follow the procedure below to perform a packet capture directly on J-Series and SRX Branch devices (SRX100, SRX210, SRX220, SRX240, SRX650).



Go into forwarding-options and then to packet-capture as below:
[edit]
root@host# edit forwarding-options packet-capture

[edit forwarding-options packet-capture]
root@host#


Specify a file name for the packet capture and set the maximum-capture-size to 1500, the file size to 15000 and the number of files to 2:
[edit forwarding-options packet-capture]
root@host# set file filename packet_capture files 2 size 15000

[edit forwarding-options packet-capture]
root@host# set maximum-capture-size 1500

[edit forwarding-options packet-capture]
root@host# show
file filename packet_capture files 2 size 15000;
maximum-capture-size 1500;


Decide which interface you want to monitor (this must be an Ethernet interface). You can list your interfaces with the command: run show interfaces terse. For this example, we will assume that we want to capture all traffic on interface ge-0/0/0.0.

Set the filter and term names, and define the match condition and its action. In this example we capture packets for 10.221.227.5 in both directions, inbound and outbound:


root@host# set firewall filter packet_filter term inbound-term from source-address 10.221.227.5/32
root@host# set firewall filter packet_filter term inbound-term then sample accept
root@host# set firewall filter packet_filter term outbound-term from destination-address 10.221.227.5/32
root@host# set firewall filter packet_filter term outbound-term then sample accept
root@host# set firewall filter packet_filter term default-permit then accept


To apply the filter to the interface, enter the following (the commands are relative to the family inet hierarchy shown in the prompt):
[edit interfaces ge-0/0/0 unit 0 family inet]
root@host# set filter input packet_filter
root@host# set filter output packet_filter


Commit to activate the packet capture:
[edit interfaces ge-0/0/0 unit 0 family inet]
user@host# commit


Once you commit, pass the traffic that needs to be captured. To stop the packet capture, deactivate or remove the packet-capture configuration above and commit again. The capture files are written to the /var/tmp directory in PCAP format; you can find them with the file list command.

user@host> file list /var/tmp/ | match packet_capture*
packet_capture.ge-0.0.0
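The whole procedure above, collected into one place as an added example (this is not from the original post and not Juniper's own tooling): a POSIX shell script that prints the Junos set commands for the capture and the matching deactivate commands that stop it, so the same capture can be applied and torn down consistently. The defaults are the post's values (10.221.227.5, ge-0/0/0 unit 0, packet_filter, packet_capture, 2 files of 15000 bytes, 1500-byte maximum-capture-size); the function names and the input check are my own. The output is meant to be pasted into configure or loaded with load set; the script itself never talks to a device.

```sh
#!/bin/sh
# Added example, not from the original post: generate the Junos "set"
# commands for the transit capture described above, and the "deactivate"
# commands that stop it. Defaults are the post's own values. Nothing here
# connects to a device; the output is pasted into "configure".

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# gen_capture_config HOST [IFD] [UNIT] [FILENAME] [FILES] [SIZE] [SNAPLEN]
# Prints the capture definition, the sampling filter and the interface binding.
gen_capture_config() {
    host=$1; ifd=${2:-ge-0/0/0}; unit=${3:-0}; fname=${4:-packet_capture}
    files=${5:-2}; fsize=${6:-15000}; snap=${7:-1500}
    valid_ipv4 "$host" || { echo "gen_capture_config: bad IPv4 address '$host'" >&2; return 1; }
    cat <<EOF
set forwarding-options packet-capture file filename $fname files $files size $fsize
set forwarding-options packet-capture maximum-capture-size $snap
set firewall filter packet_filter term inbound-term from source-address $host/32
set firewall filter packet_filter term inbound-term then sample accept
set firewall filter packet_filter term outbound-term from destination-address $host/32
set firewall filter packet_filter term outbound-term then sample accept
set firewall filter packet_filter term default-permit then accept
set interfaces $ifd unit $unit family inet filter input packet_filter
set interfaces $ifd unit $unit family inet filter output packet_filter
EOF
}

# gen_capture_teardown [IFD] [UNIT]: stop sampling but keep the configuration
# in place (deactivated), so it can be re-enabled later with "activate".
gen_capture_teardown() {
    ifd=${1:-ge-0/0/0}; unit=${2:-0}
    cat <<EOF
deactivate interfaces $ifd unit $unit family inet filter
deactivate forwarding-options packet-capture
EOF
}

# Usage: print both blocks for the post's host and interface, then commit each.
gen_capture_config 10.221.227.5 ge-0/0/0 0
echo "# ... commit, pass the traffic, then stop the capture with:"
gen_capture_teardown ge-0/0/0 0
```

The default-permit term is the part to never leave out: a Junos firewall filter ends in an implicit discard, so binding a filter that contains only the two sampling terms would drop every other packet on ge-0/0/0. Both generated blocks still need a commit on the device, and removing the deactivated configuration afterwards is a separate delete.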


Copy the file to your desktop with secure copy (scp) and open it in your PCAP application, such as Wireshark or Ethereal, for analysis.
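As an added example that is not part of the original post: a quick sanity check of the retrieved file before it goes into Wireshark, which catches a truncated scp or a file that is not a capture at all. The script parses the 24-byte pcap global header (magic, byte order, snaplen, link type) and walks the per-packet headers to count records, using only od, printf and POSIX sh. The sample file is constructed inline (two 14-byte Ethernet headers, snaplen 1500 to mirror the post's maximum-capture-size) so it runs offline; the function names are my own, and the file name packet_capture.ge-0.0.0 is the one the post lists.

```sh
#!/bin/sh
# Added example, not from the original post: validate a pcap file copied off
# the SRX and count its packets. Classic pcap only; pcapng is reported as such.

# u32 B1 B2 B3 B4 ENDIAN: assemble four hex octets in file order into decimal.
u32() {
    if [ "$5" = little ]; then printf '%d' "0x$4$3$2$1"; else printf '%d' "0x$1$2$3$4"; fi
}

# pcap_info FILE: print "ENDIAN snaplen=N linktype=N (NAME)"; non-zero if not classic pcap.
pcap_info() {
    f=$1
    [ -r "$f" ] || { echo "pcap_info: cannot read $f" >&2; return 1; }
    set -- $(od -An -tx1 -N24 "$f")      # global header as 24 hex octets
    [ $# -eq 24 ] || { echo "pcap_info: $f is shorter than a pcap header" >&2; return 1; }
    case "$1$2$3$4" in
        d4c3b2a1|4d3cb2a1) endian=little ;;   # 0xa1b2c3d4 / 0xa1b23c4d (ns) stored little-endian
        a1b2c3d4|a1b23c4d) endian=big ;;
        0a0d0d0a) echo "pcap_info: $f is pcapng, not classic pcap" >&2; return 1 ;;
        *) echo "pcap_info: $f is not a pcap file (magic $1$2$3$4)" >&2; return 1 ;;
    esac
    snaplen=$(u32 "${17}" "${18}" "${19}" "${20}" "$endian")
    linktype=$(u32 "${21}" "${22}" "${23}" "${24}" "$endian")
    case "$linktype" in 1) name=Ethernet ;; *) name=other ;; esac
    echo "$endian snaplen=$snaplen linktype=$linktype ($name)"
}

# pcap_count FILE ENDIAN: walk the 16-byte record headers and count packets.
pcap_count() {
    f=$1; endian=$2
    size=$(wc -c < "$f" | tr -d ' ')
    off=24; n=0
    while [ $((off + 16)) -le "$size" ]; do
        set -- $(od -An -tx1 -j "$off" -N16 "$f")
        incl=$(u32 "$9" "${10}" "${11}" "${12}" "$endian")   # incl_len field
        off=$((off + 16 + incl)); n=$((n + 1))
    done
    echo "$n"
}

# mk_sample_pcap FILE: constructed little-endian pcap, snaplen 1500, DLT 1 (Ethernet),
# two records of 14 captured bytes each (broadcast dst, src 00:11:22:33:44:55, IPv4 type).
mk_sample_pcap() {
    hdr='\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\334\005\000\000\001\000\000\000'
    rec='\000\000\000\000\000\000\000\000\016\000\000\000\074\000\000\000'
    eth='\377\377\377\377\377\377\000\021\042\063\104\125\010\000'
    printf "$hdr$rec$eth$rec$eth" > "$1"
}

# Usage with the constructed sample; on a real copy point it at packet_capture.ge-0.0.0.
sample=${TMPDIR:-/tmp}/packet_capture.sample.$$
mk_sample_pcap "$sample"
info=$(pcap_info "$sample") && echo "$sample: $info, $(pcap_count "$sample" "${info%% *}") packets"
rm -f "$sample"
```

A record count that stops short of the end of the file, or a snaplen that does not match the configured maximum-capture-size, usually means the copy was cut off or the wrong file was fetched; that is cheaper to learn here than after loading the file into Wireshark.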

Packet capture in SRX

Packet capture config


[edit forwarding-options packet-capture]
root@srx210# show
file filename packet_capture files 2 size 5000;
maximum-capture-size 1500;


[edit firewall filter packet_filter]
root@srx210# show
term inbound-term {
    from {
        source-address {
            10.221.227.5/32;
        }
    }
    then {
        sample;
        accept;
    }
}
term outbound-term {
    from {
        destination-address {
            10.221.227.5/32;
        }
    }
    then {
        sample;
        accept;
    }
}
term default-permit {
    then accept;
}


[edit interfaces ge-0/0/0 unit 0 family inet]
root@srx210# show
filter {
    input packet_filter;
    output packet_filter;
}



