How to Configure Packet Capture of Unknown Application Traffic
Learn how to configure your device to capture packet details for unknown application traffic and store that information in a packet capture file (.pcap). You can later analyze the application traffic and get insight about the unknown applications. You can also use this information to define a new custom application signature to manage the application traffic.
Packet Capture of Unknown Application Traffic Overview
You can use the packet capture of unknown applications feature to gather more details about an unknown application on your security device. Unknown application traffic is the traffic that does not match an application signature.
Once you’ve configured packet capture options on your security device, the unknown application traffic is gathered and stored on the device in a packet capture file (.pcap). You can use the packet capture of an unknown application to define a new custom application signature. You can use this custom application signature in a security policy to manage the application traffic more
You can send the to Juniper Networks for analysis in cases where the traffic is incorrectly classified, or to request creation of an application signature.
Benefits of Packet Capture of Unknown Application Traffic
You can use the packet capture of unknown application traffic to:
- Gather more insight about an unknown application
- Analyze unknown application traffic for potential threats
- Assist in creation of security policy rules
- Enable custom application signature creation
Implementing security policies that block all unknown application traffic could cause issues with network-based applications. Before applying these types of policies, be sure to validate that this approach does not cause issues in your environment. You must carefully analyze the unknown application traffic, and define the security policy accordingly.
Configure Packet Capture For Unknown Application Traffic
Before You Begin
To enable automatic packet capture of unknown application traffic, you must:
- Install a valid application identification feature license on your SRX Series device. See Managing Junos OS Licenses.
- Download and install the Junos OS application signature package. See Download and Install Junos OS Application Signature Package.
- Ensure you have Junos OS Release 20.2R1 or later on your security device.
In this example, you’ll learn how to configure automated packet capture of unknown applications on your security device by completing the following steps:
- Set packet capture options at the global level or at a security policy level.
- Configure the packet capture mode.
- (Optional) Configure packet capture file options.
- Access the generated packet capture (.pcap) file.
To learn about packet capture configuration options, see packet-capture before you begin.
Packet Capture for Unknown Applications Globally
- To enable packet capture at a global level, use the following command:
user@host# set services application-identification packet-capture global
When you enable packet capture at the global level, your security device generates a packet capture for all sessions that contain unknown application traffic.
Packet Capture for Unknown Applications At a Security Policy Level
- To configure packet capture at a security policy level, use the following procedure. In this example, you’ll enable packet capture of unknown application traffic at the security policy P1.
user@host# set security policies from-zone untrust to-zone trust policy P1 match source-address any
user@host# set security policies from-zone untrust to-zone trust policy P1 match destination-address any
user@host# set security policies from-zone untrust to-zone trust policy P1 match application any
user@host# set security policies from-zone untrust to-zone trust policy P1 match dynamic-application junos:UNKNOWN
user@host# set security policies from-zone untrust to-zone trust policy P1 then permit application-services packet-capture
To enable packet capture of unknown application traffic at the security policy level, you must include junos:UNKNOWN as the dynamic-application match condition.
When you configure the security policy (P1), the system captures the packet details for the application traffic that matches the security policy match criteria.
Selecting Packet Capture Mode
You can capture the packets for the unknown application traffic in either of the following modes:
ASC mode—Captures packets for unknown applications when the application is classified as junos:UNKNOWN and has a matching entry in the application system cache (ASC). This mode is enabled by default.
Aggressive mode—Captures all traffic before AppID has finished classification. In this mode, the system captures all application traffic regardless of an available ASC entry. Packet capture begins from the first packet of the first session. Note that aggressive mode is significantly more resource-intensive and should be used with caution.
To enable aggressive mode, use the following command:
user@host# set services application-identification packet-capture aggressive-mode
We do not recommend using aggressive mode unless you need to capture the first occurrence of a flow. As noted above, the default behavior of the device relies on the ASC.
Define Packet Capture Options (Optional)
Optionally, you can set the following packet capture parameters. Otherwise, the default options described in packet-capture are used for this feature. In this example, you define packet capture options such as maximum packet limit, maximum byte limit, and number of packet capture (.pcap) files.
- Set the maximum number of UDP packets per session.
user@host# set services application-identification packet-capture max-packets 10
- Set the maximum number of TCP bytes per session.
user@host# set services application-identification packet-capture max-bytes 2048
- Set the maximum number of packet capture (.pcap) files to be created before the oldest one is overwritten and rotated out.
user@host# set services application-identification packet-capture max-files 30
From configuration mode, confirm your configuration by entering the show services application-identification packet-capture and show security policies commands. If the output does not display the intended configuration, follow the configuration instructions in this example to correct it.
The following configuration shows an example of unknown application packet capture at the global level with optional configurations:
The following configuration shows an example of unknown application packet capture at a security policy level with optional configurations:
If you are done configuring the device, enter commit from configuration mode.
Accessing Packet Capture Files (.pcaps)
After you complete the configuration and commit it, you can view the packet capture (.pcap) file. The system generates a unique packet capture file for each destination IP address, destination port, and protocol.
To view the packet capture file:
- Navigate to the directory where .pcap files are stored on the device.
user@host> start shell
% cd /var/log/pcap
- Locate the .pcap file. The file is saved in destination-IP-address_destination-port_protocol.pcap format. Example:
user@host:/var/log/pcap # ls -lah
total 1544
drwxr-xr-x 2 root wheel 3.0K Jul 27 15:04 .
drwxrwxr-x 9 root wheel 3.0K Jul 24 16:23 ..
-rw-r----- 1 root wheel 5.0K Jul 24 20:16 184.108.40.206_443_17.pcap
-rw-r----- 1 root wheel 16K Jul 27 15:03 220.127.116.11_443_17.pcap
-rw-r----- 1 root wheel 9.0K Jul 27 14:26 18.104.22.168_443_17.pcap
-rw-r----- 1 root wheel 2.1K Jul 26 17:06 22.214.171.124_16385_17.pcap
-rw-r----- 1 root wheel 11K Jul 24 16:20 126.96.36.199_443_17.pcap
-rw-r----- 1 root wheel 16K Jul 27 14:21 188.8.131.52_443_17.pcap
-rw-r----- 1 root wheel 31K Jul 27 14:25 184.108.40.206_443_17.pcap
-rw-r----- 1 root wheel 17K Jul 24 19:21 220.127.116.11_3478_17.pcap
You can download the .pcap file by using SFTP or SCP and view it with Wireshark or your favorite network analyzer.
Figure 1 shows a sample .pcap file generated for the unknown application traffic.
In situations where packet loss is occurring, the device may not be able to capture all relevant details of the flow. In this case, the .pcap file will only reflect what the device was able to ingest and process.
The security device saves the packet capture details for all traffic that matches the three match criteria (destination IP address, destination port, and protocol) in the same file, regardless of whether capture is configured globally or at the policy level. The system maintains a cache keyed on the destination IP address, destination port, and protocol, and it does not capture the same traffic again once the defined limit has been exceeded. You can set the packet capture file options as described in packet-capture.
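The naming scheme above (destination IP, destination port and IANA protocol number, joined by underscores) is easy to work with once the files have been copied off the device. The following script is an added example, not part of the Juniper documentation: it parses file names from a listing like the one shown, summarises which destination port/protocol pairs the unknown traffic went to, and performs a minimal sanity check on a pcap file (global header magic and record count) using only the standard library. The sample listing is taken from the ls output on this page; the sample pcap bytes are constructed inline, and the function names are this example's own.

```python
import struct
from collections import Counter
from dataclasses import dataclass

# IANA protocol numbers that appear in the file names on the device
# (17 = UDP, 6 = TCP). Anything else is reported by its number.
PROTO_NAMES = {6: "tcp", 17: "udp"}

# Constructed sample: the file names from the ls -lah listing on this page.
SAMPLE_LISTING = [
    "184.108.40.206_443_17.pcap",
    "220.127.116.11_443_17.pcap",
    "18.104.22.168_443_17.pcap",
    "22.214.171.124_16385_17.pcap",
    "126.96.36.199_443_17.pcap",
    "188.8.131.52_443_17.pcap",
    "184.108.40.206_443_17.pcap",
    "220.127.116.11_3478_17.pcap",
]


@dataclass(frozen=True)
class CaptureFile:
    dst_ip: str
    dst_port: int
    protocol: int

    @property
    def protocol_name(self) -> str:
        return PROTO_NAMES.get(self.protocol, str(self.protocol))


def parse_capture_name(name: str) -> CaptureFile:
    """Parse destination-IP_destination-port_protocol.pcap as stored in /var/log/pcap."""
    if not name.endswith(".pcap"):
        raise ValueError(f"not a .pcap file name: {name}")
    parts = name[: -len(".pcap")].split("_")
    if len(parts) != 3:
        raise ValueError(f"unexpected file name layout: {name}")
    ip, port, proto = parts
    return CaptureFile(ip, int(port), int(proto))


def summarize(names):
    """Count capture files per (destination port, protocol name) pair."""
    counts = Counter()
    for name in names:
        cf = parse_capture_name(name)
        counts[(cf.dst_port, cf.protocol_name)] += 1
    return dict(counts)


def count_pcap_records(data: bytes) -> int:
    """Validate the classic pcap global header and count packet records.

    Raises ValueError for a non-pcap file or a file truncated mid-record,
    which is what an incomplete transfer or a capture cut short looks like.
    """
    if len(data) < 24:
        raise ValueError("too short to be a pcap file")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):      # written by a little-endian host
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):    # written by a big-endian host
        endian = ">"
    else:
        raise ValueError(f"unknown pcap magic 0x{magic:08x}")
    offset, records = 24, 0
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("truncated record header")
        incl_len = struct.unpack(endian + "I", data[offset + 8: offset + 12])[0]
        if offset + 16 + incl_len > len(data):
            raise ValueError("truncated packet data")
        offset += 16 + incl_len
        records += 1
    return records


def build_sample_pcap(payloads) -> bytes:
    """Construct a small little-endian pcap (link type 1, Ethernet) for testing."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b"".join(
        struct.pack("<IIII", 1690000000 + i, 0, len(p), len(p)) + p
        for i, p in enumerate(payloads)
    )
    return header + body


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LISTING).items()):
        print(f"port {key[0]}/{key[1]}: {n} capture file(s)")
    sample = build_sample_pcap([b"\x00" * 60, b"\x01" * 14])
    print("records in constructed pcap:", count_pcap_records(sample))
```

Run it against a real directory with `summarize(os.listdir(path))` and feed `count_pcap_records` the bytes of each file before handing captures to an analyst; a file that fails the truncation check is the case the page warns about, where the device could not ingest the whole flow.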
Viewing Packet Capture Details
View the packet capture details to confirm that your configuration is working.
Use the show services application-identification packet-capture counters command.
user@host> show services application-identification packet-capture counters
pic: 0/0
Counter type                                              Value
Total sessions captured                                   47
Total packets captured                                    282
Active sessions being captured                            1
Sessions ignored because of memory allocation failures    0
Packets ignored because of memory allocation failures     0
Ipc messages ignored because of storage limit             0
Sessions ignored because of buffer-packets limit          0
Packets ignored because of buffer-packets limit           0
Inconclusive sessions captured                            4
Inconclusive sessions ignored                             0
Cache entries timed out                                   0
From this sample output, you can get details such as the number of sessions being captured, and the number of sessions already captured. For more details about the packet capture counters, see show services application-identification packet-capture counters.
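Beyond reading the counters once, a practitioner will want to confirm that nothing is being silently dropped: any of the "ignored" counters climbing above zero means the capture is incomplete, and a capture that never records a session usually points back to the prerequisites (license, signature package, policy match on junos:UNKNOWN). The following added example, which is not part of the Juniper documentation, parses the counters output shown above and reports those conditions; the sample text is constructed from the output on this page, and the function names are this example's own.

```python
import re

# Constructed sample, reproducing the counters output shown on this page.
SAMPLE_COUNTERS = """\
pic: 0/0
Counter type                                              Value
Total sessions captured                                   47
Total packets captured                                    282
Active sessions being captured                            1
Sessions ignored because of memory allocation failures    0
Packets ignored because of memory allocation failures     0
Ipc messages ignored because of storage limit             0
Sessions ignored because of buffer-packets limit          0
Packets ignored because of buffer-packets limit           0
Inconclusive sessions captured                            4
Inconclusive sessions ignored                             0
Cache entries timed out                                   0
"""

# A counter line is a name made of words (and hyphens) followed by an integer.
# The "pic:" line and the "Counter type / Value" header do not match.
LINE_RE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z\- ]*?)\s+(?P<value>\d+)\s*$")


def parse_counters(text: str) -> dict:
    """Turn the CLI output into {counter name: integer value}."""
    counters = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            counters[m.group("name")] = int(m.group("value"))
    return counters


def capture_health(counters: dict):
    """Return (ok, findings) for one snapshot of the counters.

    Any 'ignored' counter above zero means capture data was lost and the
    corresponding limit (memory, storage, or max-packets/max-bytes) needs
    attention; no captured sessions at all suggests capture is not engaging.
    """
    findings = []
    for name, value in counters.items():
        if "ignored" in name and value > 0:
            findings.append(f"{name}: {value}")
    if (counters.get("Total sessions captured", 0) == 0
            and counters.get("Active sessions being captured", 0) == 0):
        findings.append("no sessions captured; check license, signature "
                        "package and the junos:UNKNOWN policy match")
    return (not findings, findings)


def counter_delta(previous: dict, current: dict) -> dict:
    """Per-counter increase between two polls, for periodic monitoring."""
    return {name: current[name] - previous.get(name, 0)
            for name in current if current[name] != previous.get(name, 0)}


if __name__ == "__main__":
    c = parse_counters(SAMPLE_COUNTERS)
    ok, findings = capture_health(c)
    print("capture healthy" if ok else "problems:", findings)
    later = dict(c, **{"Total sessions captured": 52,
                       "Packets ignored because of buffer-packets limit": 3})
    print("changed since last poll:", counter_delta(c, later))
```

Polling this way (for example from a script that runs the show command over NETCONF or SSH and feeds the text to `parse_counters`) gives an early warning when the max-packets or max-bytes limits are too tight for the traffic being captured.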
For more information on application identification, see Application Identification. For details about custom applications, see Custom Application Signatures for Application Identification.