Packet Capture Overview
The packet capture tool captures IDP attack packets sent by SRX Series devices. It is installed as part of the Security Director installation and runs on the Junos Space Network Management Platform. You can use it to help you analyze network traffic and troubleshoot network problems.
Based on a preconfigured set of rules, SRX Series devices classify the packets as normal or an attack. When there is an attack, an SRX Series device sends the attack packets to the Junos Space Network Management Platform. You must configure the SRX Series device to send the attack packets to the Junos Space Network Management Platform.
Junos Space Network Management Platform runs a load balancer bound with a Virtual IP address. You must configure SRX Series devices with the Virtual IP address as the destination for forwarding captured packets. Junos Space Network Management Platform receives those packets and stores them. You can view the attack information and download packets that constitute the attack from the Security Director application.
The ports that are opened between the SRX Series devices and Security Director are:
Port 2050 (UDP) - Used to receive attack packets sent by SRX Series devices.
Port 2051 (TCP) - Used by Security Director to fetch the attack packets stored in the Junos Space Network Management Platform database.
For information on modifying the IPS configuration on SRX Series devices, see Modifying the IPS Configuration for Security Devices.
Packet capture is applicable only for IPS packets.
Network administrators and security engineers use packet capture to perform the following tasks:
Monitor network traffic and analyze traffic patterns.
Identify and troubleshoot network problems.
Detect security breaches in the network, such as unauthorized intrusions, spyware activity, or ping scans.
This tool captures the entire packet, including the Layer 2 header, and saves the contents to the Junos Space Network Management Platform database in .pcap format. You can download the attack packets captured by SRX Series devices and analyze them externally using tools such as Wireshark, tcpdump, tshark, and so on.
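As an added example (not part of the Security Director or Junos Space product), the following parser reads a classic .pcap file of the kind described above and confirms that each record carries a full Ethernet frame before handing the file to Wireshark or tcpdump; the pcap bytes it consumes are constructed inline, and the addresses and ports in them are placeholders rather than values from a real SRX capture.

```python
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic little-endian pcap, microsecond timestamps
DLT_EN10MB = 1               # link type 1 = Ethernet, so the Layer 2 header is present

def parse_pcap(data: bytes) -> dict:
    """Parse a classic .pcap file and summarize every frame (L2, IPv4, L4 ports)."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian classic pcap file")
    # Global header: magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
    _, vmaj, vmin, _, _, snaplen, linktype = struct.unpack_from("<IHHiIII", data, 0)
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("truncated or corrupt record at offset %d" % off)
        frame = data[off:off + incl_len]
        off += incl_len
        # A record shorter than the original packet means the capture was clipped.
        info = {"ts": ts_sec + ts_usec / 1e6, "len": orig_len, "truncated": incl_len < orig_len}
        if linktype == DLT_EN10MB and len(frame) >= 14:
            dst, src, ethertype = frame[:6], frame[6:12], struct.unpack_from("!H", frame, 12)[0]
            info.update(eth_src=src.hex(":"), eth_dst=dst.hex(":"), ethertype=ethertype)
            if ethertype == 0x0800 and len(frame) >= 34:      # IPv4
                ihl = (frame[14] & 0x0F) * 4
                info.update(ip_src=".".join(map(str, frame[26:30])),
                            ip_dst=".".join(map(str, frame[30:34])), proto=frame[23])
                l4 = 14 + ihl
                if frame[23] in (6, 17) and len(frame) >= l4 + 4:   # TCP or UDP ports
                    info["sport"], info["dport"] = struct.unpack_from("!HH", frame, l4)
        packets.append(info)
    return {"version": (vmaj, vmin), "linktype": linktype, "packets": packets}

def build_sample_pcap() -> bytes:
    """Constructed sample: one Ethernet/IPv4/UDP frame with placeholder addresses."""
    payload = b"constructed-sample-payload"
    udp = struct.pack("!HHHH", 40000, 5000, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])) + udp
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00" + ip
    ghdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, DLT_EN10MB)
    rec = struct.pack("<IIII", 1700000000, 123456, len(eth), len(eth)) + eth
    return ghdr + rec

if __name__ == "__main__":
    for pkt in parse_pcap(build_sample_pcap())["packets"]:
        print(pkt)
```

Run it against a downloaded capture by replacing build_sample_pcap() with the file's bytes; a linktype other than 1 or any record flagged truncated means the file does not hold the complete Layer 2 frames the page describes.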
PCAPs can be suppressed by the log suppression mechanism, which is enabled by default. To disable log suppression, see suppression. To configure SRX IDP packet capture, see Configuring Security Packet Capture.