Verifying Packet Capture
To verify packet capture, perform these tasks:
Displaying a Packet Capture Configuration
Purpose
Verify the packet capture configuration.
Action
From the J-Web interface, select Configuration>View and Edit>View Configuration Text.
Alternatively, from configuration mode in the CLI, enter the show forwarding-options command.
[edit]
user@host# show forwarding-options
packet-capture {
file filename pcap-file files 100 size 1024;
maximum-capture-size 500;
}
What it Means
Verify that the output shows the intended file configuration for capturing
packets. For more information about the format of a configuration file, see
the information about viewing configuration text in the J-series Services Router Basic LAN and WAN Access Configuration Guide.
Displaying a Firewall Filter for Packet Capture Configuration
Purpose
Verify the firewall filter for packet capture configuration.
Action
From the J-Web interface, select Configuration>View and Edit>View Configuration Text.
Alternatively, from configuration mode in the CLI, enter the show firewall filter dest-all command.
[edit]
user@host# show firewall filter dest-all
term dest-term {
from {
destination-address 192.168.1.1/32;
}
then {
sample;
accept;
}
}
What it Means
Verify that the output shows the intended configuration of the firewall
filter for capturing packets sent to the destination address 192.168.1.1/32.
For more information about the format of a configuration file, see the information
about viewing configuration text in the J-series Services Router Basic LAN and WAN Access Configuration Guide.
Verifying Captured Packets
Purpose
Verify that the packet capture file is stored under the /var/tmp directory and that the packets can be analyzed offline.
Action
Take the following actions:
- Disable packet capture. See Disabling Packet Capture.
- Perform these steps to transfer a packet capture file (for example, 126b.fe-0.0.1) to a server where you have installed packet analyzer tools (for example, tools-server), using FTP:
  - From the CLI configuration mode, connect to tools-server using FTP:
      user@host# run ftp tools-server
      Connected to tools-server.mydomain.net
      220 tools-server.mydomain.net FTP server (Version 6.00LS) ready
      Name (tools-server:user):remoteuser
      331 Password required for remoteuser.
      Password:
      230 User remoteuser logged in.
      Remote system type is UNIX.
      Using binary mode to transfer files.
      ftp>
  - Navigate to the directory where packet capture files are stored on the router:
      ftp> lcd /var/tmp
      Local directory now /cf/var/tmp
  - Copy the packet capture file that you want to analyze (for example, 126b.fe-0.0.1) to the server:
      ftp> put 126b.fe-0.0.1
      local: 126b.fe-0.0.1 remote: 126b.fe-0.0.1
      200 PORT command successful.
      150 Opening BINARY mode data connection for '126b.fe-0.0.1'.
      100% 1476 00:00 ETA
      226 Transfer complete.
      1476 bytes sent in 0.01 seconds (142.42 KB/s)
  - Return to the CLI configuration mode:
      ftp> bye
      221 Goodbye.
      [edit]
      user@host#
- Open the packet capture file on the server with tcpdump or any packet analyzer that supports libpcap format:
root@server% tcpdump -r 126b.fe-0.0.1 -xevvvv
01:12:36.279769 Out 0:5:85:c4:e3:d1 > 0:5:85:c8:f6:d1, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 33133, offset 0, flags [none], proto: ICMP (1), length: 84) 14.1.1.1 > 15.1.1.1: ICMP echo request seq 0, length 64
0005 85c8 f6d1 0005 85c4 e3d1 0800 4500
0054 816d 0000 4001 da38 0e01 0101 0f01
0101 0800 3c5a 981e 0000 8b5d 4543 51e6
0100 aaaa aaaa aaaa aaaa aaaa aaaa aaaa
aaaa aaaa 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000
01:12:36.279793 Out 0:5:85:c8:f6:d1 > 0:5:85:c4:e3:d1, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 41227, offset 0, flags [none], proto: ICMP (1), length: 84) 15.1.1.1 > 14.1.1.1: ICMP echo reply seq 0, length 64
0005 85c4 e3d1 0005 85c8 f6d1 0800 4500
0054 a10b 0000 3f01 bb9a 0f01 0101 0e01
0101 0000 445a 981e 0000 8b5d 4543 51e6
0100 aaaa aaaa aaaa aaaa aaaa aaaa aaaa
aaaa aaaa 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000
root@server%
What it Means
Verify that the output shows the intended packets.
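To check a transferred capture offline when tcpdump is not at hand, here is an added Python example (not part of the Juniper documentation) that parses a libpcap file, decodes the Ethernet, IPv4 and ICMP headers the dump above shows, and verifies the IP and ICMP checksums. The frame bytes are transcribed from the tcpdump -x output above; the pcap global and record headers wrapped around them are constructed, because the page does not show the raw file.

```python
import struct
# Constructed input: the first frame (ICMP echo request, 98 bytes) from the dump above.
FRAME = bytes.fromhex(
    "000585c8f6d1000585c4e3d108004500" "0054816d00004001da380e0101010f01"
    "010108003c5a981e00008b5d454351e6" "0100aaaaaaaaaaaaaaaaaaaaaaaaaaaa"
    "aaaaaaaa000000000000000000000000" "00000000000000000000000000000000" "0000")

def build_pcap(frames, linktype=1):
    """Wrap (timestamp, frame) pairs in a constructed little-endian libpcap file."""
    # Global header: magic, version 2.4, thiszone 0, sigfigs 0, snaplen, LINKTYPE_ETHERNET
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for ts, frame in frames:
        sec, usec = divmod(int(ts * 1_000_000), 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def ones_complement(data):
    """RFC 1071 checksum; 0 means the checksum field embedded in data is valid."""
    data += b"\x00" * (len(data) % 2)  # pad odd lengths
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def read_pcap(blob):
    """Yield (timestamp, frame) per record, honouring the file's byte order."""
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", blob[:4])[0])
    if end is None:
        raise ValueError("not a libpcap file")
    off = 24  # skip the global header
    while off + 16 <= len(blob):
        sec, usec, incl, _orig = struct.unpack(end + "IIII", blob[off:off + 16])
        yield sec + usec / 1e6, blob[off + 16:off + 16 + incl]
        off += 16 + incl

def decode(frame):
    """Decode Ethernet II -> IPv4 -> ICMP and verify the IP and ICMP checksums."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("unsupported ethertype " + frame[12:14].hex())
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, ident, ttl, proto = struct.unpack("!HH2xBB", ip[2:10])
    info = {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "ttl": ttl, "id": ident, "proto": proto, "ip_len": total_len,
            "ip_cksum_ok": ones_complement(ip[:ihl]) == 0}
    if proto == 1:  # ICMP header: type, code, checksum, id, seq; then payload
        icmp = ip[ihl:total_len]
        info.update(icmp_type=icmp[0], icmp_seq=struct.unpack("!H", icmp[6:8])[0],
                    icmp_cksum_ok=ones_complement(icmp) == 0)
    return info
```

Pass each frame from read_pcap() to decode(): the fields match what tcpdump -v prints above (14.1.1.1 > 15.1.1.1, ttl 64, id 33133), and a frame whose checksums come back False was damaged in capture or in transfer, which is why the FTP session above transfers in binary mode.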