Example: Configuring Packet Capture for Datapath Debugging
This example shows how to configure packet capture to monitor traffic that passes through the device. Packet capture then dumps the packets into a PCAP file format that can be later examined by the tcpdump utility.
Before you begin, see Debugging the Data Path (CLI Procedure).
A filter is defined to filter traffic; then an action profile is applied to the filtered traffic. The action profile specifies a variety of actions on the processing unit. One of the supported actions is packet dump, which sends the packet to the Routing Engine and stores it in proprietary form to be read using the show security datapath-debug capture command.
Data path debugging is supported on SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800.
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the  hierarchy level, and then enter commit from configuration mode.
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Modein the Junos OS CLI User Guide.
To configure packet capture:
- Edit the security datapath-debug option for the multiple
processing units along the packet-processing path:user@host# edit security datapath-debug
- Enable the capture file, the file format, the file size,
and the number of files. Size number limits the size of the capture
file. After the limit size is reached, if the file number is specified,
then the capture file will be rotated to filename x, where x is auto-incremented until it reaches
the specified index and then returns to zero. If no files index is
specified, the packets will be discarded after the size limit is reached.
The default size is 512 kilobytes.[edit security datapath-debug]user@host# set capture-file my-capture format pcap size 1m files 5[edit security datapath-debug]user@host# set maximum-capture-size 400
- Enable action profile and set the event. Set the action
profile as do-capture and the event type as np-ingress: [edit security datapath-debug]user@host# edit action-profile do-capture[edit security datapath-debug action-profile do-capture]user@host# edit event np-ingress
- Enable packet dump for the action profile:[edit security datapath-debug action-profile do-capture event np-ingress]user@host# set packet-dump
- Enable packet filter, action, and filter options. The
packet filter is set to my-filter, the action profile is set to do-capture,
and filter option is set to source-prefix 126.96.36.199/32.[edit security datapath-debug]user@host# set security datapath-debug packet-filter my-filter action-profile do-capture[edit security datapath-debug]user@host# set security datapath-debug packet-filter my-filter source-prefix 188.8.131.52/32
From configuration mode, confirm your configuration by entering the show security datapath-debug command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it. The following isshow security datapath-debug output from the show security datapath-debug command:
If you are done configuring the device, enter commit from configuration mode.
Confirm that the configuration is working properly.
Verifying Packet Capture
Verify if the packet capture is working.
From operational mode, enter the request security datapath-debug capture start command to start packet capture and enter the request security datapath-debug capture stop command to stop packet capture.
To view the results, from CLI operational mode, access the local UNIX shell and navigate to the directory /var/log/my-capture. The result can be read by using the tcpdump utility.
Verifying Data Path Debugging Capture
Verify the details of data path debugging capture file.
From operational mode, enter the show security datapath-debug capture command.
user@host>show security datapath-debug capture
When you are done troubleshooting, make sure to remove or deactivate all the traceoptions configurations (not limited to flow traceoptions) and the complete security datapath-debug configuration stanza. If any debugging configurations remain active, they will continue to use the device's CPU and memory resources.
Verifying Data Path Debugging Counter
Verify the details of the data path debugging counter.
From operational mode, enter the show security datapath-debug counter command.