Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Example: Configuring End-to-End Debugging on SRX Series Device


This example shows how to configure and enable end-to-end debugging on an SRX Series device with an SRX5K-MPC.


This example uses the following hardware and software components:

  • SRX5600 device with an SRX5K-MPC installed with 100-Gigabit Ethernet CFP transceiver

  • Junos OS Release 12.1X47-D15 or later for SRX Series devices

Before you begin:

No special configuration beyond device initialization is required before configuring this feature.


Data path debugging enhances troubleshooting capabilities by providing tracing and debugging at multiple processing units along the packet-processing path. With the data path debugging feature, you can trace and debug (capture packets) at different data points along the processing path. At each event, you can specify an action (count, packet dump, packet summary, and trace) and you can set filters to define what packets to capture.

In this example, you define a traffic filter, and then you apply an action profile. The action profile specifies a variety of actions on the processing unit. The ingress and egress are specified as locations on the processing path to capture the data for incoming and outgoing traffic.

Next, you enable data path debugging in operational mode, and finally you view the data capture report.


Data path debugging is supported on SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800.


CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide .

To configure data path debugging:

  1. Edit the security datapath debugging option for the multiple processing units along the packet-processing path:
  2. Enable the capture file, file format, file size, and the number of files.
  3. Configure action profile, event type, and actions for the action profile.


From configuration mode, confirm your configuration by entering the show security datapath-debug command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Enabling Data Path Debugging

Step-by-Step Procedure

After configuring data path debugging, you must start the process on the device from operational mode.

  1. Enable data path debugging.
  2. Before you verify the configuration and view the reports, you must disable data path debugging.

    You must stop the debug process after you have finished capturing the data. If you attempt to open the captured files without stopping the debug process, the files obtained cannot be opened through any third-party software (for example, tcpdump and wireshark).


Confirm that the configuration is working properly.

Verifying Data Path Debug Packet Capture Details


Verify the data captured by enabling the data path debugging configuration.


From operational mode, enter the show security datapath-debug capture command.

For brevity, the show command output is truncated to display only a few samples. Additional samples have been replaced with ellipses (...).

To view the results, from CLI operational mode, access the local UNIX shell and navigate to the directory /var/log/<file-name>. The result can be read by using the tcpdump utility.


If you are finished with troubleshooting the data path debugging, remove all traceoptions (not limited to flow traceoptions) and the complete data path debug configuration, including the data path debug configuration for packet capturing (packet-dump), which needs to be started/stopped manually. If any part of the debugging configuration remains active, it will continue to use the resources of the device (CPU/memory).