packet-capture

 

Syntax

Hierarchy Level

Release Information

Statement introduced in Junos OS Release 20.2R1.

Description

Specify packet capture options to capture unknown application traffic.

You can use packet capture of unknown applications to gather more details about an unknown application on your security device. Once you have configured packet capture options on the device, unknown application traffic is captured and stored on the device in a packet capture file (.pcap) under /var/log/pcap/.

Options

aggressive-mode

Capture all traffic before AppID classifies the applications. In this mode, the system captures all application traffic irrespective of the application system cache (ASC) entry. Packet capture starts for the first packet of the first session.

buffer-packets-limit

Maximum memory to buffer packets (bytes). Use this option to limit the memory available in the Packet Forwarding Engine for packet capture functionality.

Default: 1% of available data in shared memory

Range: 0% through 5% of available data in shared memory

Default: 1 MB (for cSRX)

Range: 0 through 5 MB

capture-interval

Timeout value in minutes to avoid repetitive capture of the same traffic. After this interval, the system continues to capture newer packet details for unknown applications until the capture limit is reached.

Default: 1440 minutes (24 hours).

Range: 1 through 525,600 seconds

capture-limit

Number of repetitive captures of the same traffic. Use this option to limit the number of times the same traffic can be repeatedly captured before the cache entry times out.

Default: 4

Range: 1 through 1000

global

Enable packet capture globally to capture all unknown application traffic. Another option is to enable capturing of unknown application traffic specific to a security policy.

max-bytes

Maximum number of TCP bytes per session (bytes). For TCP sessions, the count includes the actual payload data length and excludes IP/TCP headers for the maximum bytes limit.

If you are setting the packet capture at the security policy level, the packet capture concludes only after the final policy is applied even if the configured limit is reached.

Limitation—Jumbo frames can have up to 1500 bytes of the payload saved in the capture file.

Default: 6000 bytes

Range: 40 through 1,073,741,824

max-files

Maximum number of unique packet capture files to create before a newly created file overwrites the oldest file.

Default: 25

Range: 1 through 2500

max-packets

Maximum number of UDP packets per session.

Default: 10 packets

Range: 1 through 1000

no-inconclusive

Disable packet capturing of inconclusive traffic. This option disables the packet capture for the following sessions:
  • Sessions that are closed before the application identification or classification completes.

  • Sessions that remain unclassified even when they reach the maximum packet capture limit.

If you do not configure this option, by default, the system captures packets for inconclusive sessions.

storage-limit

Maximum disk space (bytes) that can be used in the Routing Engine for packet capture files.

Default: 50 MB

Range: 1,048,576 through 4,294,967,295 bytes
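
For triaging the files this feature writes to /var/log/pcap/, the following added example (not Juniper code) groups a capture by session and totals packets and payload bytes with IP/TCP/UDP headers excluded, the same quantities that max-bytes and max-packets limit. It assumes classic libpcap files with Ethernet framing and IPv4; the function names and the sample capture are constructed for illustration.

```python
import struct
from collections import defaultdict

def pcap_frames(data):
    """Yield captured frames from a classic libpcap byte string."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if order is None:
        raise ValueError("not a classic pcap file")
    off = 24                                   # skip the global header
    while off + 16 <= len(data):
        incl = struct.unpack(order + "I", data[off + 8:off + 12])[0]
        yield data[off + 16:off + 16 + incl]
        off += 16 + incl

def session_stats(data):
    """Map (proto, endpoint, endpoint) -> [packets, payload bytes without headers]."""
    stats = defaultdict(lambda: [0, 0])
    for frame in pcap_frames(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                           # assumption: Ethernet + IPv4 only
        ip = frame[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        l4 = ip[ihl:struct.unpack("!H", ip[2:4])[0]]
        if proto == 6 and len(l4) >= 20:
            hdr = (l4[12] >> 4) * 4            # TCP data offset
        elif proto == 17 and len(l4) >= 8:
            hdr = 8                            # fixed UDP header
        else:
            continue
        sport, dport = struct.unpack("!HH", l4[:4])
        ends = sorted([(ip[12:16], sport), (ip[16:20], dport)])
        entry = stats[(proto, *ends)]          # both directions share one key
        entry[0] += 1
        entry[1] += max(len(l4) - hdr, 0)
    return dict(stats)

def sample_pcap():
    """Constructed capture: 2 TCP segments and 1 UDP datagram (not real traffic)."""
    def rec(proto, src, dst, sport, dport, payload):
        ports = struct.pack("!HH", sport, dport)
        l4 = ports + (bytes(8) + b"\x50" + bytes(7) if proto == 6
                      else struct.pack("!HH", 8 + len(payload), 0)) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, src, dst)
        frame = bytes(12) + b"\x08\x00" + ip + l4
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    a, b = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    return (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
            + rec(6, a, b, 40000, 8443, b"x" * 100) + rec(6, b, a, 8443, 40000, b"y" * 50)
            + rec(17, a, b, 5000, 5001, b"z" * 30))
```

Sessions whose totals sit at the configured max-bytes or max-packets value were probably cut off by the capture limit rather than by the end of the conversation.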

Required Privilege Level

system