Configuring Packet Capture with a Configuration Editor

To configure packet capture on a device, you must perform the following tasks marked (Required):

Enabling Packet Capture (Required)

To enable packet capture on the device:

  1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
  2. Perform the configuration tasks described in Table 174.
  3. Go on to Configuring Packet Capture on an Interface (Required).

Table 174: Enabling Packet Capture

Task

J-Web Configuration Editor

CLI Configuration Editor

Navigate to the Forwarding options level in the configuration hierarchy.

  1. In the J-Web interface, select CLI Tools>Point and Click CLI.
  2. Next to Forwarding options, click Configure or Edit.
  3. Next to Scripts, click Configure or Edit.
  4. Next to Commits, click Configure or Edit.

In the configuration editor hierarchy, select Forwarding options.

From the [edit] hierarchy level, enter

edit forwarding-options

Specify in bytes the maximum size of each packet to capture in each file—for example, 500. The range is between 68 and 1500, and the default is 68 bytes.

  1. From the Sampling or packet capture list, select Packet capture.
  2. Next to Packet capture, click Configure.
  3. In the Maximum capture size box, type 500.

Enter

set packet-capture maximum-capture-size 500

Specify the target filename for the packet capture file—for example, pcap-file. For each physical interface, the interface name is automatically suffixed to the filename—for example, pcap-file.fe-0.0.1.

(See the interface naming conventions in the Junos OS Interfaces Configuration Guide for Security Devices.)

In the Filename box, type pcap-file.

Enter

set packet-capture file filename pcap-file

Specify the maximum number of files to capture—for example, 100. The range is between 2 and 10,000, and the default is 10 files.

In the Files box, type 100.

Enter

set packet-capture file files 100

Specify the maximum size of each file in bytes—for example, 1024. The range is between 1,024 and 104,857,600, and the default is 512,000 bytes.

In the Size box, type 1024.

Enter

set packet-capture file size 1024

Specify if all users have permission to read the packet capture files.

  1. Next to World readable, select Yes.
  2. Click OK.

Enter

set packet-capture file world-readable

Configuring Packet Capture on an Interface (Required)

To capture all transit and host-bound packets on an interface and specify the direction of the traffic to capture—inbound, outbound, or both:

  1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
  2. Perform the configuration tasks described in Table 175.
  3. If you are finished configuring the device, commit the configuration.
  4. Go on to one of the following procedures:

Table 175: Configuring Packet Capture on an Interface

Task

J-Web Configuration Editor

CLI Configuration Editor

Navigate to the Interfaces level in the configuration hierarchy, and select an interface for packet capture—for example, fe-0/0/1.

(See the interface naming conventions in the Junos OS Interfaces Configuration Guide for Security Devices.)

  1. In the J-Web interface, select CLI Tools>Point and Click CLI.
  2. Next to Interfaces, click Configure or Edit.
  3. In the Interface name box, click fe-0/0/1.

From the [edit] hierarchy level, enter

edit interfaces fe-0/0/1

Configure the direction of the traffic for which you are enabling packet capture on the logical interface—for example, inbound and outbound.

  1. In the Interface unit number box, click 0.
  2. Next to Inet, select Yes, and click Edit.
  3. Next to Sampling, click Configure.
  4. Next to Input, select Yes.
  5. Next to Output, select Yes.
  6. Click OK until you return to the Interface page.

Enter

set unit 0 family inet sampling input output

Note: On traffic that bypasses the flow software module (protocol packets such as ARP, OSPF, and PIM), packets generated by the routing engine are not captured unless you have configured and applied a firewall filter on the interface in the output direction.

Configuring a Firewall Filter for Packet Capture (Optional)

To configure a firewall filter and apply it to the logical interface:

  1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
  2. Perform the configuration tasks described in Table 176.
  3. If you are finished configuring the device, commit the configuration.
  4. To check the configuration, see Verifying Packet Capture.

Table 176: Configuring a Firewall Filter for Packet Capture

Task

J-Web Configuration Editor

CLI Configuration Editor

Navigate to the Firewall level in the configuration hierarchy.

  1. In the J-Web interface, select CLI Tools>Point and Click CLI.
  2. Next to Firewall, click Configure or Edit.

From the [edit] hierarchy level, enter

edit firewall

Define a firewall filter dest-all and a filter term—for example, dest-term—to capture packets with a particular destination address—for example, 192.168.1.1/32.

  1. Next to Filter, click Add new entry.
  2. In the filter name box, type dest-all.
  3. Next to Term, click Add new entry.
  4. In the Rule name box, type dest-term.
  5. Next to From, click Configure.
  6. Next to Destination address, click Add new entry.
  7. In the Address box, type 192.168.1.1/32.
  8. Click OK until you return to the Configuration page.

Set the filter and term name, and define the match condition and its action.

set firewall filter dest-all term dest-term from destination-address 192.168.1.1/32

set firewall filter dest-all term dest-term then sample accept

Navigate to the Interfaces level in the configuration hierarchy.

In the configuration editor hierarchy, select Interfaces.

Enter

set interfaces fe-0/0/1 unit 0 family inet filter output dest-all

Apply the dest-all filter to all the outgoing packets on the interface—for example, fe-0/0/1.0.

(See the interface naming conventions in the Junos OS Interfaces Configuration Guide for Security Devices.)

  1. In the Interface name box, click fe-0/0/1.
  2. In the Interface unit number box, click 0.
  3. Next to Inet, select Yes, and click Edit.
  4. Next to Filter, click Configure.
  5. In the Output box, type dest-all.
  6. Click OK until you return to the Interfaces page.

Note: If you apply a firewall filter on the loopback interface, it affects all traffic to and from the Routing Engine. If the firewall filter has a sample action, packets to and from the Routing Engine are sampled. If packet capture is enabled, then packets to and from the Routing Engine are captured in the files created for the input and output interfaces.

Disabling Packet Capture

You must disable packet capture before opening the packet capture file for analysis or transferring the file to an external device. Disabling packet capture ensures that the internal file buffer is flushed and all the captured packets are written to the file.

To disable packet capture:

  1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
  2. Perform the configuration tasks described in Table 177.
  3. If you are finished configuring the device, commit the configuration.

Table 177: Disabling Packet Capture

Task

J-Web Configuration Editor

CLI Configuration Editor

Navigate to the Forwarding options level in the configuration hierarchy.

  1. In the J-Web interface, select CLI Tools>Point and Click CLI.
  2. Next to Forwarding options, click Configure or Edit.

From the [edit] hierarchy level, enter

edit forwarding-options

Disable packet capture.

  1. Next to Packet capture, click Edit.
  2. Next to Disable, select Yes.
  3. Click OK until you return to the Configuration page.

Enter set packet-capture disable.

Deleting Packet Capture Files

Deleting packet capture files from the /var/tmp directory only temporarily removes the packet capture files. Packet capture files for the interface are automatically created again the next time a packet capture configuration change is committed or as part of a packet capture file rotation. You must follow the procedure given in this section to delete packet capture files.

To delete a packet capture file:

  1. Disable packet capture following the steps in Disabling Packet Capture.
  2. Using the CLI, delete the packet capture file for the interface:
    1. From CLI operational mode, access the local UNIX shell:
      user@host> start shell%
    2. Navigate to the directory where packet capture files are stored:
      % cd /var/tmp%
    3. Delete the packet capture file for the interface—for example, pcap-file.fe.0.0.0:
      % rm pcap-file.fe.0.0.0%
    4. Return to the CLI operational mode:
      % exituser@host>
  3. Reenable packet capture following the steps in Enabling Packet Capture (Required).
  4. Commit the configuration.
Copyright© 1999-2010 Juniper Networks, Inc. All rights reserved.