[Contents] [Prev] [Next] [Index] [Report an Error]

Configuring Packet Capture

Packet capture allows you to monitor and analyze offline IP version 4 (IPv4) packets flowing through a router. Packet capture monitors packet fragments also. Packet capture can be enabled on any interface and can analyze ingress traffic, egress traffic, or both.

Note: Packet capture is supported for the J-series Services Routers only. Packet capture is not supported on tunnel interfaces. You cannot configure packet capture and sampling at the same time.

To configure packet capture, include the packet-capture statement at the [edit forwarding-options] hierarchy level:



[edit forwarding-options]
packet-capture {
disable;


file {
filename file-name;
files number;
size number;
(world-readable | no-world-readable);
}


maximum-capture-size number;
}

To disable packet capture, include the disable statement. Packet capture is enabled by default.

You can capture packets into files. Files are classified based on the physical interface the packets are captured on (one file per physical interface). You can specify the file name, maximum size, and maximum number of files. When you capture a file named pcap-file, packet capture creates one file for each physical interface and appends the physical interface designator to the filename (for example, at). When the file named pcap-file.xx reaches its maximum size, the file is renamed pcap-file.xx.0. When pcap-file.xx reaches its maximum size again, the file is renamed pcap-file.xx.1. This process continues until the maximum number of files is exceeded. When that happens, the oldest file is overwritten. The file named pcap-file.xx is always the latest file. The packet capture file for an interface is created when the first packet is captured on that interface. Once created, this file is not removed even if packet capture is disabled on the interface. All packet capture files are stored in the /var/tmp/ directory.

If the PCAP file is deleted from var/tmp/, the file is not recreated upon the next packet capture traffic on the interface. You must first disable and then enable PCAP functionality again to recreate the PCAP file.

To enable capture into files, include the file statement. You can specify the target filename, maximum file size, and the maximum number of files. To specify the name of the target file, include the filename statement. To specify the maximum size of the file, include the size statement. To specify the maximum number of files, include the files statement.

To specify the maximum size of the packet for capture, include the maximum-capture-size statement.

You can capture packets on a specific interface by configuring either of the following:

Configure a firewall filter with the action sample and apply it to the interface.
Configure sampling on the interface in the ingress or egress traffic.

Note: Interface sampling does not capture host-originated packets. Configure firewall filters to capture host-originated packets.

Note: Firewall filter applied to a loopback interface (lo0) affects all packets going to and from the Routing Engine.

You can capture packets on a specific interface. For information about configuring interfaces, see the JUNOS Network Interfaces Configuration Guide.

You can capture only specific types of packets by using a firewall filter in conjunction with packet capture. To configure packet capture for specific packets using firewall filters, include the following statements at the [edit firewall] hierarchy level:



[edit firewall]
filter filter-name {


term term-name {


from {

match-conditions;
}




then {
sample;
accept;
}


}


}

Note: Configure packet capture with appropriate firewall filters to control the number of packets captured. Performance of the router may be impacted if packet capture is used without configuring any firewall filters.

Note: Packet capture does not support multilink encapsulations (such as MLPPP).

You must disable packet capture to modify encapsulation. To modify the encapsulation on a packet capture-enabled interface, perform the following tasks:

Disable packet capture by including the disable statement at the [edit forwarding-options packet-capture] hierarchy level.
Remove the packet capture file for the interface from the /var/tmp/ directory.
Change the encapsulation.
Enable packet capture.

For packets captured on T1, T3, E1, E3, SE, and ISDN interfaces in the egress direction, the size of packets captured can be one byte less than the configured value of maximum-capture-size because of the PLP byte.

To capture packets on an ISDN interface, configure packet capture on the dialer interface. To capture packets on the PPPoE interface, configure packet capture on the PPPoE interface.

Packet capture is not supported with MLPPP encapsulation. However, the CLI does not prevent you from enabling packet capture on an interface with MLPPP encapsulation. If packet capture is enabled in the input direction on an interface with MLPPP encapsulation, input packets on that interface are captured on the output interfaces.

By default, there is no tracing operation support for packet capture.

For more information about configuring specific interface types, see the JUNOS Network Interfaces Configuration Guide.

[Contents] [Prev] [Next] [Index] [Report an Error]