Hide Navigation Pane
Show Navigation Pane
Feedback
Download
SHA1
Packet Capture Overview
Packet capture is used by network administrators and security engineers for the following purposes:
- Monitor network traffic and analyze traffic patterns.
- Identify and troubleshoot network problems.
- Detect security breaches in the network, such as unauthorized intrusions, spyware activity, or ping scans.
Packet capture operates like traffic sampling on the device, except that it captures entire packets including the Layer 2 header rather than packet headers and saves the contents to a file in the libpcap format. Packet capture also captures IP fragments. You cannot enable packet capture and traffic sampling on the device at the same time. Unlike traffic sampling, there are no tracing operations for packet capture.
 | Note: You can enable packet capture and port mirroring simultaneously on a device. |
For more information about traffic sampling, see the Junos Policy Framework Configuration Guide.
This overview contains the following topics:
- Packet Capture on Device Interfaces
- Firewall Filters for Packet Capture
- Packet Capture Files
- Analysis of Packet Capture Files
Packet Capture on Device Interfaces
Packet capture is supported on the T1, T3, E1, E3, serial, Fast Ethernet, ADSL, G.SHDSL, PPPoE, and ISDN interfaces.
To capture packets on an ISDN interface, configure packet capture on the dialer interface. To capture packets on a PPPoE interface, configure packet capture on the PPPoE logical interface.
Packet capture supports PPP, Cisco HDLC, Frame Relay, and other ATM encapsulations. Packet capture also supports Multilink PPP (MLPPP), Multilink Frame Relay end-to-end (MLFR), and Multilink Frame Relay UNI/NNI (MFR) encapsulations.
You can capture all IPv4 packets flowing on an interface in the inbound or outbound direction. However, on traffic that bypasses the flow software module (protocol packets such as ARP, OSPF, and PIM), packets generated by the routing engine are not captured unless you have configured and applied a firewall filter on the interface in the output direction.
Tunnel interfaces can support packet capture in the outbound direction only.
Use the J-Web configuration editor or CLI configuration editor to specify maximum packet size, the filename to be used for storing the captured packets, maximum file size, maximum number of packet capture files, and the file permissions. See Configuring Packet Capture on an Interface (Required).
| Note: For packets captured on T1, T3, E1, E3, serial, and ISDN interfaces in the outbound (egress) direction, the size of the packet captured might be 1 byte less than the maximum packet size configured because of the packet loss priority (PLP) bit. |
To modify encapsulation on an interface that has packet capture configured, you must first disable packet capture. For more information, see Changing Encapsulation on Interfaces with Packet Capture Configured.
Firewall Filters for Packet Capture
When you enable packet capture on a device, all packets flowing in the direction specified in packet capture configuration (inbound, outbound, or both) are captured and stored. Configuring an interface to capture all packets might degrade the performance of the device. You can control the number of packets captured on an interface with firewall filters and specify various criteria to capture packets for specific traffic flows.
You must also configure and apply appropriate firewall filters on the interface if you need to capture packets generated by the host router, because interface sampling does not capture packets originating from the host router.
To configure firewall filters for packet capture, see Configuring a Firewall Filter for Packet Capture (Optional).
For more information about firewall filters, see the Junos OS Routing Protocols and Policies Configuration Guide for Security Devices.
Packet Capture Files
When packet capture is enabled on an interface, the entire packet including the Layer 2 header is captured and stored in a file. You can specify the maximum size of the packet to be captured, up to 1500 bytes. Packet capture creates one file for each physical interface. You can specify the target filename, maximum size of the file, and maximum number of files.
File creation and storage take place in the following way. Suppose you name the packet capture file pcap-file. Packet capture creates multiple files (one per physical interface), suffixing each file with the name of the physical interface—for example, pcap-file.fe–0.0.1 for the Fast Ethernet interface fe–0.0.1. When the file named pcap-file.fe-0.0.1 reaches the maximum size, the file is renamed pcap-file.fe-0.0.1.0. When the file named pcap-file.fe-0.0.1 reaches the maximum size again, the file named pcap-file.fe-0.0.1.0 is renamed pcap-file.fe-0.0.1.1 and pcap-file.fe-0.0.1 is renamed pcap-file.fe-0.0.1.0. This process continues until the maximum number of files is exceeded and the oldest file is overwritten. The pcap-file.fe-0.0.1 file is always the latest file.
Packet capture files are not removed even after you disable packet capture on an interface.
Analysis of Packet Capture Files
Packet capture files are stored in libpcap format in the /var/tmp directory. You can specify user or administrator privileges for the files.
Packet capture files can be opened and analyzed offline with tcpdump or any packet analyzer that recognizes the libpcap format. You can also use FTP or the Session Control Protocol (SCP) to transfer the packet capture files to an external device.
| Note: Disable packet capture before opening the file for analysis or transferring the file to an external device with FTP or SCP. Disabling packet capture ensures that the internal file buffer is flushed and all the captured packets are written to the file. To disable packet capture on an interface, see Disabling Packet Capture. |
For more details about analyzing packet capture files, see Verifying Captured Packets.
