Example: Configuring End-to-End Debugging on SRX Series Device
This example shows how to configure and enable end-to-end debugging on an SRX Series device with an SRX5K-MPC.
This example uses the following hardware and software components:
- SRX5600 device with an SRX5K-MPC installed with 100-Gigabit Ethernet CFP transceiver
- Junos OS Release 12.1X47-D15 or later for SRX Series devices
Before you begin:
No special configuration beyond device initialization is required before configuring this feature.
Data path debugging enhances troubleshooting capabilities by providing tracing and debugging at multiple processing units along the packet-processing path. With the data path debugging feature, you can trace and debug (capture packets) at different data points along the processing path. At each event, you can specify an action (count, packet dump, packet summary, and trace) and you can set filters to define what packets to capture.
In this example, you define a traffic filter, and then you apply an action profile. The action profile specifies a variety of actions on the processing unit. The ingress and egress are specified as locations on the processing path to capture the data for incoming and outgoing traffic.
Next, you enable data path debugging in operational mode, and finally you view the data capture report.
Data path debugging is supported on SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800.
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the  hierarchy level, and then enter commit from configuration mode.
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure data path debugging:
- Edit the security datapath debugging option for the multiple processing units along the packet-processing path:
  user@host# edit security datapath-debug
- Enable the capture file, file format, file size, and the number of files.
  [edit security datapath-debug]
  user@host# set traceoptions file e2e.trace size 10m
  user@host# set capture-file e2e.pcap format pcap
  user@host# set maximum-capture-size 1500
  user@host# set capture-file files 10
- Configure action profile, event type, and actions for the action profile.
  [edit security datapath-debug]
  user@host# set action-profile profile-1 preserve-trace-order
  user@host# set action-profile profile-1 record-pic-history
  user@host# set action-profile profile-1 event np-ingress trace
  user@host# set action-profile profile-1 event np-ingress count
  user@host# set action-profile profile-1 event np-ingress packet-summary
  user@host# set action-profile profile-1 event np-egress trace
  user@host# set action-profile profile-1 event np-egress count
  user@host# set action-profile profile-1 event np-egress packet-summary
From configuration mode, confirm your configuration by entering the show security datapath-debug command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
Enabling Data Path Debugging
After configuring data path debugging, you must start the process on the device from operational mode.
- Enable data path debugging.
  user@host> request security datapath-debug capture start
  datapath-debug capture started on file datapcap
- Before you verify the configuration and view the reports, you must disable data path debugging.
  user@host> request security datapath-debug capture stop
  datapath-debug capture succesfully stopped, use show security datapath-debug capture to view
You must stop the debug process after you have finished capturing the data. If you attempt to open the captured files without stopping the debug process, the files cannot be opened with third-party software (for example, tcpdump and Wireshark).
Confirm that the configuration is working properly.
Verifying Data Path Debug Packet Capture Details
Verify the data captured by enabling the data path debugging configuration.
From operational mode, enter the show security datapath-debug capture command.
Packet 8, len 152: (C2/F2/P0/SEQ:57935:np-ingress)
00 10 db ff 10 02 00 30 48 83 8d 4f 08 00 45 00
00 54 00 00 40 00 40 01 9f c7 c8 07 05 69 c8 08
05 69 08 00 91 1f 8f 03 2a a2 ae 66 85 53 8c 7d
02 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25
26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35
36 37
Packet 9, len 152: (C2/F2/P0/SEQ:57935:np-egress)
00 30 48 8d 1a bf 00 10 db ff 10 03 08 00 45 00
00 54 00 00 40 00 3f 01 a0 c7 c8 07 05 69 c8 08
05 69 08 00 91 1f 8f 03 2a a2 ae 66 85 53 8c 7d
02 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25
26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35
36 37
....
For brevity, the show command output is truncated to display only a few samples. Additional samples have been replaced with ellipses (...).
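The following Python example is added here and is not from the original page or from Juniper. It parses the capture output shown above, pairs the np-ingress and np-egress records by SEQ, and decodes the IPv4 header seen at each point so the TTL and header checksum can be compared across the device. It assumes Ethernet II framing with the IPv4 header at offset 14; the function names are illustrative.

```python
import re
import struct

# Constructed input: the two records from the sample output above, re-wrapped to 32 bytes per row.
SAMPLE = """\
Packet 8, len 152: (C2/F2/P0/SEQ:57935:np-ingress)
00 10 db ff 10 02 00 30 48 83 8d 4f 08 00 45 00 00 54 00 00 40 00 40 01 9f c7 c8 07 05 69 c8 08
05 69 08 00 91 1f 8f 03 2a a2 ae 66 85 53 8c 7d 02 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35
36 37
Packet 9, len 152: (C2/F2/P0/SEQ:57935:np-egress)
00 30 48 8d 1a bf 00 10 db ff 10 03 08 00 45 00 00 54 00 00 40 00 3f 01 a0 c7 c8 07 05 69 c8 08
05 69 08 00 91 1f 8f 03 2a a2 ae 66 85 53 8c 7d 02 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35
36 37
"""

# Record header as shown on the page: (C<n>/F<n>/P<n>/SEQ:<n>:<event>), then hex bytes.
RECORD = re.compile(r"Packet \d+, len \d+: \(C\d+/F\d+/P\d+/SEQ:(\d+):([\w-]+)\)"
                    r"((?:\s+[0-9a-f]{2}\b)+)")

def checksum_ok(header: bytes) -> bool:
    """RFC 1071: the folded one's-complement sum of a valid IPv4 header is 0xFFFF."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode(frame: bytes):
    """Decode Ethernet II + IPv4; return None for other traffic or a truncated frame."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or len(frame) < 14 + ihl:
        return None
    ip = frame[14:14 + ihl]
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "proto": ip[9], "ttl": ip[8], "checksum_ok": checksum_ok(ip)}

def correlate(text: str) -> dict:
    """Group decoded records by SEQ so the np-ingress and np-egress views sit side by side."""
    by_seq = {}
    for seq, event, hexdump in RECORD.findall(text):
        by_seq.setdefault(int(seq), {})[event] = decode(bytes.fromhex("".join(hexdump.split())))
    return by_seq

if __name__ == "__main__":
    for seq, events in correlate(SAMPLE).items():
        print(seq, events)
```

For the sample pair, the TTL is 64 at np-ingress and 63 at np-egress, and the header checksum validates at both points.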
To view the results, from CLI operational mode, access the local UNIX shell and navigate to the directory /var/log/<file-name>. The result can be read by using the tcpdump utility.
21:50:04.288767 C0/F3 event:1(np-ingress) SEQ:1 IP 192.168.14.2 > 192.168.13.2: ICMP echo request, id 57627, seq 0, length 64
21:50:04.292590 C0/F3 event:2(np-egress) SEQ:1 IP 192.168.14.2 > 192.168.13.2: ICMP echo request, id 57627, seq 0, length 64
1:50:04.295164 C0/F3 event:1(np-ingress) SEQ:2 IP 192.168.13.2 > 192.168.14.2: ICMP echo reply, id 57627, seq 0, length 64
21:50:04.295284 C0/F3 event:2(np-egress) SEQ:2 IP 192.168.13.2 > 192.168.14.2: ICMP echo reply, id 57627, seq 0, length 64
If you are finished with troubleshooting the data path debugging, remove all traceoptions (not limited to flow traceoptions) and the complete data path debug configuration, including the data path debug configuration for packet capturing (packet-dump), which needs to be started/stopped manually. If any part of the debugging configuration remains active, it will continue to use the resources of the device (CPU/memory).