
How to Configure Packet Capture of Unknown Application Traffic

 
Summary

Learn how to configure your device to capture packet details for unknown application traffic and store that information in a packet capture file (.pcap). You can later analyze the application traffic and get insight about the unknown applications. You can also use this information to define a new custom application signature to manage the application traffic.

Packet Capture of Unknown Application Traffic Overview

You can use the packet capture of unknown applications feature to gather more details about an unknown application on your security device. Unknown application traffic is traffic that does not match any application signature; AppID classifies it as junos:UNKNOWN.

Once you’ve configured packet capture options on your security device, the unknown application traffic is gathered and stored on the device in a packet capture file (.pcap). You can use the packet capture of an unknown application to define a new custom application signature. You can use this custom application signature in a security policy to manage the application traffic more efficiently.

You can send the .pcap file to Juniper Networks for analysis in cases where the traffic is incorrectly classified, or to request creation of an application signature.

Benefits of Packet Capture of Unknown Application Traffic

You can use the packet capture of unknown application traffic to:

  • Gather more insight about an unknown application

  • Analyze unknown application traffic for potential threats

  • Assist in creation of security policy rules

  • Enable custom application signature creation

Note

Implementing security policies that block all unknown application traffic could cause issues with network-based applications. Before applying these types of policies, be sure to validate that this approach does not cause issues in your environment. You must carefully analyze the unknown application traffic, and define the security policy accordingly.

Configure Packet Capture For Unknown Application Traffic

Before You Begin

To enable automatic packet capture of unknown application traffic, you must:

Overview

In this example, you’ll learn how to configure automated packet capture of unknown applications on your security device by completing the following steps:

  • Enable packet capture at the global level or at a security policy level.

  • Configure the packet capture mode.

  • (Optional) Configure packet capture file options.

  • Access the generated packet capture file (.pcap file).

Configuration

To learn about packet capture configuration options, see packet-capture before you begin.

Packet Capture for Unknown Applications Globally

Step-by-Step Procedure

  • To enable packet capture at a global level, use the following command:

When you enable packet capture at the global level, your security device generates a packet capture for all sessions that contain unknown application traffic.

Packet Capture for Unknown Applications At a Security Policy Level

Step-by-Step Procedure

  • To configure packet capture at a security policy level, use the following procedure. In this example, you enable packet capture of unknown application traffic in the security policy P1.

    To enable packet capture of unknown application traffic at the security policy level, you must include junos:UNKNOWN as a dynamic-application match condition of the policy.

    When you configure security policy P1 this way, the system captures packet details only for traffic that matches the policy's match criteria, so the capture is scoped to the zones and addresses that P1 covers rather than to every unknown-application session on the device.

Selecting Packet Capture Mode

You can capture the packets for the unknown application traffic in either of the following modes:

  • ASC mode—Captures packets for unknown applications when the application is classified as junos:UNKNOWN and the destination already has a matching entry in the application system cache (ASC). Because capture depends on an existing ASC entry, the first session to a new destination is not captured; later sessions to the same destination are. This mode is enabled by default.

  • Aggressive mode—Captures all traffic before AppID has finished classification. In this mode the system captures application traffic regardless of whether an ASC entry exists, starting from the first packet of the first session, including traffic that AppID may later classify as a known application. Aggressive mode is significantly more resource-intensive and should be used with caution.

    To enable aggressive mode, use the following command:

    We do not recommend using aggressive mode unless you need to capture the first occurrence of a flow. As noted above, the default behavior of the device relies on the ASC.

Define Packet Capture Options (Optional)

Step-by-Step Procedure

Optionally, you can set the following packet capture parameters. Otherwise, the defaults described in packet-capture are used. In this example, you define the maximum packet limit, the maximum byte limit, and the number of packet capture (.pcap) files to keep.

  1. Set the maximum number of UDP packets captured per session.

  2. Set the maximum number of TCP bytes captured per session.

  3. Set the maximum number of packet capture (.pcap) files to create before the oldest one is overwritten and rotated out.

These limits bound how much of each session and how much storage the feature consumes. Size them for the traffic you expect: a low packet or byte limit can truncate the part of a flow you need for signature creation, and a low file count means captures for older destinations are rotated out sooner.

Results

From configuration mode, confirm your configuration by entering the show services application-identification packet-capture and show security policies commands. If the output does not display the intended configuration, follow the configuration instructions in this example to correct it.

The following configuration shows an example of unknown application packet capture at the global level with optional configurations:

The following configuration shows an example of unknown application packet capture at a security policy level with optional configurations:

If you are done configuring the device, enter commit from configuration mode.
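The steps above (global enable, policy-level enable, mode selection, and the optional limits) collected into one configuration. This is an added example, not the page's own listing: the zone names trust and untrust, the any/any match addresses, and the numeric limits are illustrative assumptions, and the statement names used are the packet-capture options the page refers to. The global and aggressive-mode statements are present but marked inactive, so as written the device captures only what policy P1 matches; remove the inactive: prefix (or use the activate command) to turn either of them on.

```junos
/* Added example configuration, not the page's own listing.
   Zone names, addresses and limit values are assumptions;
   check the ranges and defaults under packet-capture for your release. */
services {
    application-identification {
        packet-capture {
            /* Global capture is left inactive so that only sessions
               matching policy P1 are captured. Activate it to capture
               every session classified as junos:UNKNOWN. */
            inactive: global;
            /* Aggressive mode captures from the first packet of every
               session before AppID finishes classification; left
               inactive because of its resource cost. */
            inactive: aggressive-mode;
            /* UDP packets captured per session (assumed value) */
            max-packets 20;
            /* TCP bytes captured per session (assumed value) */
            max-bytes 10000;
            /* .pcap files kept before the oldest is overwritten (assumed value) */
            max-files 50;
        }
    }
}
security {
    policies {
        from-zone trust to-zone untrust {
            policy P1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                    /* Required for policy-level capture of unknown traffic */
                    dynamic-application junos:UNKNOWN;
                }
                then {
                    permit {
                        application-services {
                            packet-capture;
                        }
                    }
                }
            }
        }
    }
}
```

Load it with load merge terminal from configuration mode, verify with show services application-identification packet-capture and show security policies, and then commit. Because P1 is a permit rule matching junos:UNKNOWN, place it where unknown traffic is allowed to flow; if your goal is eventually to block unknown applications, capture under a permit rule first, analyze the resulting .pcap files, and only then tighten the policy, as the note earlier on this page advises.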

Accessing Packet Capture Files (.pcaps)

After you complete the configuration and commit it, you can view the packet capture (.pcap) file. The system generates a unique packet capture file for each destination IP address, destination port, and protocol.

Step-by-Step Procedure

To view the packet capture file:

  1. Navigate to the directory where .pcap files are stored on the device.
  2. Locate the .pcap file.

    The .pcap file name has the format destination-IP-address_destination-port_protocol.pcap, where protocol is the IP protocol number (17 is UDP, 6 is TCP). Example: 142.250.31.156_443_17.pcap, which holds UDP traffic to port 443 of 142.250.31.156.

    You can download the .pcap file from the device by using SFTP or SCP and view it with Wireshark or your favorite network analyzer.

    Figure 1 shows a sample .pcap file generated for the unknown application traffic.

    Figure 1: Sample Packet Capture File
    Note

    In situations where packet loss is occurring, the device may not be able to capture all relevant details of the flow. In this case, the .pcap file will only reflect what the device was able to ingest and process.

Regardless of whether capture is enabled globally or at the policy level, the security device writes all traffic that matches the same three criteria (destination IP address, destination port, and protocol) to the same file. The system maintains a cache keyed on destination IP address, destination port, and protocol, and once the configured limit for that key has been reached it does not capture the same traffic again. You can set the packet capture file options as described in packet-capture.

Verification

Viewing Packet Capture Details

Purpose

View the packet capture details to confirm that your configuration is working.

Action

Use the show services application-identification packet-capture counters command.

user@host> show services application-identification packet-capture counters

Meaning

From this sample output, you can get details such as the number of sessions being captured, and the number of sessions already captured. For more details about the packet capture counters, see show services application-identification packet-capture counters.

WHAT'S NEXT

For more information on application identification, see Application Identification. For details about custom applications, see Custom Application Signatures for Application Identification.