Example: Configuring End-to-End Debugging on a High-End SRX Series Device
Requirements
This example uses the following hardware and software components:
- SRX5600 device with an SRX5K-MPC that has a 100-Gigabit Ethernet CFP installed
- Junos OS Release 12.1X47-D15 or later for SRX Series devices
Before you begin:
- See Understanding Data Path Debugging for SRX Series Devices.
No special configuration beyond device initialization is required before configuring this feature.
Overview
Data path debugging enhances troubleshooting capabilities by providing tracing and debugging at multiple processing units along the packet-processing path. With the data path debugging feature, you can trace and debug (capture packets) at different data points along the processing path. At each event, you can specify an action (count, packet dump, packet summary, and trace) and you can set filters to define what packets to capture.
In this example, you define a traffic filter, then you apply an action profile. The action profile specifies a variety of actions on the processing unit. The NP ingress and NP egress are specified as the locations on the processing path at which to capture data for incoming and outgoing traffic.
Next, you enable data path debugging in operational mode, and finally you view the data capture report.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure data path debugging:
- Edit the security datapath-debug option for the multiple processing units along the packet-processing path:
  [edit]
  user@host# edit security datapath-debug
- Enable the capture file, file format, file size, and the number of files.
  [edit security datapath-debug]
  user@host# set traceoptions file e2e.trace size 10m
  user@host# set capture-file datapcap format pcap
  user@host# set maximum-capture-size 1500
- Configure action profile, event type, and actions for the action profile.
  [edit security datapath-debug]
  user@host# set action-profile profile-1 preserve-trace-order
  user@host# set action-profile profile-1 record-pic-history
  user@host# set action-profile profile-1 event np-ingress trace
  user@host# set action-profile profile-1 event np-ingress count
  user@host# set action-profile profile-1 event np-ingress packet-summary
  user@host# set action-profile profile-1 event np-ingress packet-count
  user@host# set action-profile profile-1 event np-egress trace
  user@host# set action-profile profile-1 event np-egress count
  user@host# set action-profile profile-1 event np-egress packet-summary
  user@host# set action-profile profile-1 event np-egress packet-count
- Configure packet filter, action, and filter options.
  [edit security datapath-debug]
  user@host# set packet-filter filter-1
  user@host# set packet-filter filter-1 action-profile profile-1
  user@host# set packet-filter filter-1 protocol tcp
  user@host# set packet-filter filter-1 source-prefix 200.7.6.0/24
  user@host# set packet-filter filter-1 destination-prefix 200.8.6.0/24
  user@host# set packet-filter filter-1 source-port 1000
  user@host# set packet-filter filter-1 destination-port 80
  user@host# set packet-filter filter-1 interface xe-2/2/0.0
Results
From configuration mode, confirm your configuration by entering the show security datapath-debug command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
Enabling Data Path Debugging
Step-by-Step Procedure
After configuring data path debugging, you must start the process on the device from operational mode.
- Enable data path debugging.
  user@host> request security datapath-debug capture start
  datapath-debug capture started on file datapcap
- Once you are done, you must disable data path debugging before you verify the configuration and view the reports.
  user@host> request security datapath-debug capture stop
  datapath-debug capture succesfully stopped, use show security datapath-debug capture to view
Verification
Confirm that the configuration is working properly.
Verifying Data Path Debug Packet Capture Details
Purpose
Verify the data captured by enabling the data path debugging configuration.
Action
From operational mode, enter the show security datapath-debug capture command.
Packet 8, len 152:
(C2/F2/P0/SEQ:57935:np-ingress)
00 10 db ff 10 02 00 30 48 83 8d 4f 08 00 45 00
00 54 00 00 40 00 40 01 9f c7 c8 07 05 69 c8 08
05 69 08 00 91 1f 8f 03 2a a2 ae 66 85 53 8c 7d
02 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25
26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35
36 37
Packet 9, len 152:
(C2/F2/P0/SEQ:57935:np-egress)
00 30 48 8d 1a bf 00 10 db ff 10 03 08 00 45 00
00 54 00 00 40 00 3f 01 a0 c7 c8 07 05 69 c8 08
05 69 08 00 91 1f 8f 03 2a a2 ae 66 85 53 8c 7d
02 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25
26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35
36 37
...
For brevity, the show command output is truncated to display only a few samples. Additional samples have been replaced with ellipses (...).
To view the results, from CLI operational mode, access the local UNIX shell and navigate to the directory /var/log/<file-name>. The result can be read by using the tcpdump utility.
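The following Python code is an added example, not part of the original documentation: it parses show security datapath-debug capture output, pairs np-ingress and np-egress records by SEQ, and reports what changed between the two capture points. It assumes that SEQ identifies the same packet at both events (as the two sample packets suggest) and that frames are Ethernet II carrying IPv4; SAMPLE is constructed from the first 34 bytes of each packet shown above.

```python
import re

# Constructed sample: the first 34 bytes of the two packets in the output above.
SAMPLE = """\
Packet 8, len 152: (C2/F2/P0/SEQ:57935:np-ingress)
00 10 db ff 10 02 00 30 48 83 8d 4f 08 00 45 00 00
54 00 00 40 00 40 01 9f c7 c8 07 05 69 c8 08 05 69
Packet 9, len 152: (C2/F2/P0/SEQ:57935:np-egress)
00 30 48 8d 1a bf 00 10 db ff 10 03 08 00 45 00 00
54 00 00 40 00 3f 01 a0 c7 c8 07 05 69 c8 08 05 69
"""
HEADER = re.compile(r"Packet\s+(\d+),\s+len\s+\d+:\s*\([^)]*SEQ:(\d+):([\w-]+)\)")
HEXBYTE = re.compile(r"\b[0-9a-fA-F]{2}\b")

def parse_capture(text):
    """Split the CLI output into records: packet number, SEQ, event, raw bytes."""
    hits = list(HEADER.finditer(text))
    bounds = [m.start() for m in hits[1:]] + [len(text)]
    return [{"num": int(m[1]), "seq": int(m[2]), "event": m[3],
             "raw": bytes(int(h, 16) for h in HEXBYTE.findall(text[m.end():end]))}
            for m, end in zip(hits, bounds)]

def ipv4_fields(frame):
    """Decode TTL, protocol and addresses from an Ethernet II + IPv4 frame."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None  # not IPv4, or the dump was cut before the IP header ended
    return {"ttl": frame[22], "proto": frame[23],
            "src": ".".join(map(str, frame[26:30])),
            "dst": ".".join(map(str, frame[30:34]))}

def correlate(records):
    """Pair np-ingress and np-egress records by SEQ (assumed to identify one packet)."""
    by_seq = {}
    for rec in records:
        by_seq.setdefault(rec["seq"], {})[rec["event"]] = rec
    report = []
    for seq, events in sorted(by_seq.items()):
        ing, egr = events.get("np-ingress"), events.get("np-egress")
        if not (ing and egr):
            report.append({"seq": seq, "status": "no-egress" if ing else "no-ingress"})
            continue
        a, b = ipv4_fields(ing["raw"]), ipv4_fields(egr["raw"])
        if a and b:
            report.append({"seq": seq, "status": "forwarded", "proto": a["proto"],
                           "src": a["src"], "dst": a["dst"], "ttl_drop": a["ttl"] - b["ttl"],
                           "l2_rewritten": ing["raw"][:12] != egr["raw"][:12]})
        else:
            report.append({"seq": seq, "status": "non-ipv4"})
    return report
```

For the two sample packets, correlate(parse_capture(SAMPLE)) reports protocol 1 (ICMP) from 200.7.5.105 to 200.8.5.105, with the TTL decremented by one and the Ethernet addresses rewritten between np-ingress and np-egress.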