Example: Configuring End-to-End Debugging on a High-End SRX Series Device

Requirements

This example uses the following hardware and software components:

Before you begin:

No special configuration beyond device initialization is required before configuring this feature.

Overview

Data path debugging enhances troubleshooting capabilities by providing tracing and debugging at multiple processing units along the packet-processing path. With the data path debugging feature, you can trace and debug (capture packets) at different data points along the processing path. At each event, you can specify an action (count, packet dump, packet summary, and trace) and you can set filters to define what packets to capture.

In this example, you define a traffic filter and then apply an action profile to it. The action profile specifies the actions to take on the processing unit. NP ingress and NP egress are specified as the locations on the processing path at which to capture data for incoming and outgoing traffic.

Next, you enable data path debugging in operational mode, and finally you view the data capture report.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set security datapath-debug traceoptions file e2e.trace size 10m
set security datapath-debug capture-file datapcap format pcap
set security datapath-debug maximum-capture-size 1500
set security datapath-debug action-profile profile-1 preserve-trace-order
set security datapath-debug action-profile profile-1 record-pic-history
set security datapath-debug action-profile profile-1 event np-ingress trace
set security datapath-debug action-profile profile-1 event np-ingress count
set security datapath-debug action-profile profile-1 event np-ingress packet-summary
set security datapath-debug action-profile profile-1 event np-ingress packet-dump
set security datapath-debug action-profile profile-1 event np-egress trace
set security datapath-debug action-profile profile-1 event np-egress count
set security datapath-debug action-profile profile-1 event np-egress packet-summary
set security datapath-debug action-profile profile-1 event np-egress packet-dump
set security datapath-debug packet-filter filter-1
set security datapath-debug packet-filter filter-1 action-profile profile-1
set security datapath-debug packet-filter filter-1 protocol tcp
set security datapath-debug packet-filter filter-1 source-prefix 200.7.6.0/24
set security datapath-debug packet-filter filter-1 destination-prefix 200.8.6.0/24
set security datapath-debug packet-filter filter-1 source-port 1000
set security datapath-debug packet-filter filter-1 destination-port 80
set security datapath-debug packet-filter filter-1 interface xe-2/2/0.0

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure data path debugging:

  1. Edit the security datapath-debug option for the multiple processing units along the packet-processing path:
    [edit]
    user@host# edit security datapath-debug
  2. Configure the trace file and its size, the capture file and its format, and the maximum capture size (1500 bytes).
    [edit security datapath-debug]
    user@host# set traceoptions file e2e.trace size 10m
    user@host# set capture-file datapcap format pcap
    user@host# set maximum-capture-size 1500
  3. Configure the action profile, the event types (np-ingress and np-egress), and the actions for each event. The valid actions are trace, count, packet-summary, and packet-dump.
    [edit security datapath-debug]
    user@host# set action-profile profile-1 preserve-trace-order
    user@host# set action-profile profile-1 record-pic-history
    user@host# set action-profile profile-1 event np-ingress trace
    user@host# set action-profile profile-1 event np-ingress count
    user@host# set action-profile profile-1 event np-ingress packet-summary
    user@host# set action-profile profile-1 event np-ingress packet-dump
    user@host# set action-profile profile-1 event np-egress trace
    user@host# set action-profile profile-1 event np-egress count
    user@host# set action-profile profile-1 event np-egress packet-summary
    user@host# set action-profile profile-1 event np-egress packet-dump
  4. Configure the packet filter, attach the action profile to it, and set the match conditions (protocol, prefixes, ports, and interface). Only packets matching every condition are captured.
    [edit security datapath-debug]
    user@host# set packet-filter filter-1
    user@host# set packet-filter filter-1 action-profile profile-1
    user@host# set packet-filter filter-1 protocol tcp
    user@host# set packet-filter filter-1 source-prefix 200.7.6.0/24
    user@host# set packet-filter filter-1 destination-prefix 200.8.6.0/24
    user@host# set packet-filter filter-1 source-port 1000
    user@host# set packet-filter filter-1 destination-port 80
    user@host# set packet-filter filter-1 interface xe-2/2/0.0

Results

From configuration mode, confirm your configuration by entering the show security datapath-debug command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

traceoptions {
    file e2e.trace size 10m;
}
capture-file datapcap format pcap;
maximum-capture-size 1500;
action-profile {
    profile-1 {
        preserve-trace-order;
        record-pic-history;
        event np-ingress {
            trace;
            count;
            packet-summary;
            packet-dump;
        }
        event np-egress {
            trace;
            count;
            packet-summary;
            packet-dump;
        }
    }
}
packet-filter filter-1 {
    action-profile profile-1;
    protocol tcp;
    source-prefix 200.7.6.0/24;
    destination-prefix 200.8.6.0/24;
    source-port 1000;
    destination-port 80;
    interface xe-2/2/0.0;
}

If you are done configuring the device, enter commit from configuration mode.

Enabling Data Path Debugging

Step-by-Step Procedure

After configuring data path debugging, you must start the process on the device from operational mode.

  1. Enable data path debugging.
    user@host> request security datapath-debug capture start
    datapath-debug capture started on file datapcap
    
  2. Once you are done, you must stop data path debugging before you verify the configuration and view the reports. Capturing on the data path adds load to the processing units, so stop it as soon as the traffic of interest has been collected.
    user@host> request security datapath-debug capture stop
    datapath-debug capture successfully stopped, use show security datapath-debug capture to view
    

Verification

Confirm that the configuration is working properly.

Verifying Data Path Debug Packet Capture Details

Purpose

Verify the data captured by enabling the data path debugging configuration.

Action

From operational mode, enter the show security datapath-debug capture command.

Packet 8, len 152: (C2/F2/P0/SEQ:57935:np-ingress)
00 10 db ff 10 02 00 30 48 83 8d 4f 08 00 45 00
00 54 00 00 40 00 40 01 9f c7 c8 07 05 69 c8 08
05 69 08 00 91 1f 8f 03 2a a2 ae 66 85 53 8c 7d
02 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25
26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35
36 37
Packet 9, len 152: (C2/F2/P0/SEQ:57935:np-egress)
00 30 48 8d 1a bf 00 10 db ff 10 03 08 00 45 00
00 54 00 00 40 00 3f 01 a0 c7 c8 07 05 69 c8 08
05 69 08 00 91 1f 8f 03 2a a2 ae 66 85 53 8c 7d
02 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25
26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35
36 37....

For brevity, the show command output is truncated to display only a few samples. Additional samples have been replaced with ellipses (...).

To examine the capture file itself, enter the local UNIX shell from CLI operational mode (start shell) and read /var/log/<file-name> (here /var/log/datapcap) with the tcpdump utility. Because the packet-dump action records full packet contents, treat the capture file as sensitive and remove it once the analysis is complete.
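The hex records shown by show security datapath-debug capture can also be decoded offline to confirm that the np-ingress and np-egress entries are two views of the same packet. The following Python script is an added example and is not Juniper documentation or Junos code: it parses the record format shown on this page, decodes the Ethernet II and IPv4 headers, verifies the IPv4 header checksum, and pairs the ingress and egress copies by their SEQ number. The two records embedded in the script are copied from the sample output above; the layout of the parenthesised tag (C/F/P/SEQ:nnn:event) is assumed from that sample.

```python
"""Decode 'show security datapath-debug capture' text output offline.

Added example, not Juniper code. Record format assumed from the page's sample:
'Packet N, len L: (Cx/Fx/Px/SEQ:nnn:event)' followed by lines of hex bytes.
"""
import re
import struct
from typing import Dict, List

# Two records reproduced from the page's sample output: the same packet seen
# at np-ingress (Packet 8) and again at np-egress (Packet 9), both SEQ 57935.
SAMPLE_OUTPUT = """\
Packet 8, len 152: (C2/F2/P0/SEQ:57935:np-ingress)
00 10 db ff 10 02 00 30 48 83 8d 4f 08 00 45 00
00 54 00 00 40 00 40 01 9f c7 c8 07 05 69 c8 08
05 69 08 00 91 1f 8f 03 2a a2 ae 66 85 53 8c 7d
02 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25
26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35
36 37
Packet 9, len 152: (C2/F2/P0/SEQ:57935:np-egress)
00 30 48 8d 1a bf 00 10 db ff 10 03 08 00 45 00
00 54 00 00 40 00 3f 01 a0 c7 c8 07 05 69 c8 08
05 69 08 00 91 1f 8f 03 2a a2 ae 66 85 53 8c 7d
02 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25
26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35
36 37....
"""

# Record header line and hex-byte line (tag layout is an assumption from the sample).
HEADER_RE = re.compile(r"^Packet (\d+), len (\d+): \(([^)]*)\)\s*$")
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2}\s*)+$")


def parse_capture(text: str) -> List[Dict]:
    """Split show output into records: header fields plus the raw frame bytes."""
    records: List[Dict] = []
    for line in text.splitlines():
        line = line.rstrip().rstrip(".")          # drop the '....' truncation marker
        m = HEADER_RE.match(line)
        if m:
            _, seq, event = m.group(3).split("/")[3].split(":")   # 'SEQ:57935:np-ingress'
            records.append({"packet": int(m.group(1)), "len": int(m.group(2)),
                            "seq": int(seq), "event": event, "frame": bytearray()})
        elif records and HEX_RE.match(line):
            records[-1]["frame"] += bytes.fromhex(line.replace(" ", ""))
    return records


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a header whose checksum verifies."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_frame(frame: bytes) -> Dict:
    """Decode the Ethernet II header and, for IPv4, the IP header of one frame."""
    out = {"dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":"),
           "ethertype": struct.unpack("!H", frame[12:14])[0]}
    if out["ethertype"] != 0x0800:
        return out                                # not IPv4: stop at Ethernet
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    _vi, _tos, total_len, _id, _ff, ttl, proto, _csum = struct.unpack("!BBHHHBBH", ip[:12])
    out.update({"total_length": total_len, "ttl": ttl, "protocol": proto,
                "src_ip": ".".join(str(b) for b in ip[12:16]),
                "dst_ip": ".".join(str(b) for b in ip[16:20]),
                "checksum_ok": ip_checksum(ip[:ihl]) == 0,
                "l4": bytes(ip[ihl:total_len])})  # everything after the IP header
    return out


def compare_by_seq(records: List[Dict]) -> Dict[int, Dict]:
    """Pair np-ingress/np-egress copies of each SEQ and report what the device changed."""
    copies: Dict[int, Dict[str, Dict]] = {}
    for r in records:
        copies.setdefault(r["seq"], {})[r["event"]] = decode_frame(bytes(r["frame"]))
    report: Dict[int, Dict] = {}
    for seq, seen in copies.items():
        ing, eg = seen.get("np-ingress"), seen.get("np-egress")
        if ing is None or eg is None:
            # Seen at only one event: the packet never reached the other capture point.
            report[seq] = {"complete": False, "events": sorted(seen)}
        elif "ttl" not in ing or "ttl" not in eg:
            report[seq] = {"complete": True, "ipv4": False}
        else:
            report[seq] = {
                "complete": True,
                "flow": (ing["src_ip"], ing["dst_ip"], ing["protocol"]),
                "ttl_delta": ing["ttl"] - eg["ttl"],                       # 1 for a routed hop
                "mac_rewritten": (ing["src_mac"], ing["dst_mac"]) != (eg["src_mac"], eg["dst_mac"]),
                "both_checksums_ok": ing["checksum_ok"] and eg["checksum_ok"],
                "payload_unchanged": ing["l4"] == eg["l4"],
            }
    return report


if __name__ == "__main__":
    for seq, info in compare_by_seq(parse_capture(SAMPLE_OUTPUT)).items():
        print(seq, info)
```

For SEQ 57935 the script reports the egress copy with TTL decremented by one, both IPv4 header checksums valid, rewritten source and destination MAC addresses, and an identical layer-4 payload, which is what a routed hop should look like. A SEQ that appears at np-ingress with no np-egress record did not reach the egress capture point, which is usually the first clue when traffic is being dropped inside the device. Note that the decoded sample is protocol 1 (ICMP) between 200.7.5.105 and 200.8.5.105, which filter-1 above (TCP, 200.7.6.0/24 to 200.8.6.0/24, port 1000 to port 80) would not match, so treat the sample output as illustrating the record format rather than the result of this exact filter.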