Example: Configuring Security Packet Capture (CLI)

The following example configures a packet capture for rule 1 of policy pol0. The rule specifies that, if an attack occurs, 10 packets before the attack and 3 packets after the attack will be captured, and that the post-attack capture should time out after 60 seconds. The sensor configuration is modified to allocate 5% of available memory and 15% of the IDP sessions to packet capture. When the packet capture object is prepared, it is transmitted from device 10.56.97.3 to port 5 on device 10.24.45.7.

  1. Navigate to the notification level for rule 1 of policy pol0 in the configuration hierarchy:
    [edit]user@host# set security idp idp-policy pol0 rulebase-ips rule 1 then notification
  2. Define the size and timing constraints for each packet capture:
    [edit security idp idp-policy pol0 rulebase-ips rule 1 then notification]user@host# set packet-log pre-attack 10 post-attack 3 post-attack-timeout 60
  3. Navigate to the security idp sensor-configuration level of the configuration hierarchy:
    [edit security idp idp-policy pol0 rulebase-ips rule 1 then notification]user@host# top
    [edit]user@host# set security idp sensor-configuration
  4. Allocate the device resources to be used for packet capture (5% of available device memory and 15% of the IDP sessions):
    [edit security idp sensor-configuration]user@host# set packet-log total-memory 5 max-sessions 15
  5. Identify the source address the device sends from, and the destination host and port that receive the packet-capture object:
    [edit security idp sensor-configuration]user@host# set packet-log source-address 10.56.97.3 host 10.24.45.7 port 5
  6. Navigate to the top of the hierarchy, and commit the configuration.
    [edit security idp sensor-configuration]user@host# top
    [edit]user@host# commit
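As an added example that is not part of the Junos documentation, the following Python audit reads the packet-log statements of an IDP configuration in `display set` form (it assumes one set statement per line, as in the constructed sample) and flags a rule that enables packet-log while the sensor-configuration lacks the destination or memory allocation from steps 4 and 5.

```python
import re

# Constructed sample: the statements from the procedure above, one per line.
SAMPLE_CONFIG = """
set security idp idp-policy pol0 rulebase-ips rule 1 then notification packet-log pre-attack 10 post-attack 3 post-attack-timeout 60
set security idp sensor-configuration packet-log total-memory 5 max-sessions 15
set security idp sensor-configuration packet-log source-address 10.56.97.3 host 10.24.45.7 port 5
"""

RULE_RE = re.compile(
    r"^set security idp idp-policy (\S+) rulebase-ips rule (\S+) "
    r"then notification packet-log\s*(.*)$")
SENSOR_RE = re.compile(r"^set security idp sensor-configuration packet-log\s*(.*)$")


def _pairs(tail):
    # "pre-attack 10 post-attack 3" -> {"pre-attack": "10", "post-attack": "3"}
    toks = tail.split()
    return dict(zip(toks[0::2], toks[1::2]))


def parse_packet_log(config_text):
    """Collect per-rule and sensor-level packet-log settings."""
    rules, sensor = {}, {}
    for line in config_text.splitlines():
        line = line.strip()
        m = RULE_RE.match(line)
        if m:
            rules.setdefault((m.group(1), m.group(2)), {}).update(_pairs(m.group(3)))
            continue
        m = SENSOR_RE.match(line)
        if m:
            sensor.update(_pairs(m.group(1)))
    return rules, sensor


def audit_packet_log(config_text):
    """Return a list of findings; an empty list means the settings are consistent."""
    rules, sensor = parse_packet_log(config_text)
    findings = []
    if rules and not {"source-address", "host", "port"} <= sensor.keys():
        findings.append("packet-log enabled on rules but sensor-configuration lacks source-address/host/port")
    if rules and not {"total-memory", "max-sessions"} <= sensor.keys():
        findings.append("sensor-configuration packet-log has no total-memory/max-sessions allocation")
    for (pol, rule), params in rules.items():
        if "post-attack" in params and "post-attack-timeout" not in params:
            findings.append(f"{pol} rule {rule}: post-attack capture without post-attack-timeout")
        if not {"pre-attack", "post-attack"} & params.keys():
            findings.append(f"{pol} rule {rule}: packet-log without pre-attack or post-attack count")
    return findings
```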

For additional command options and default values, see the Junos OS CLI Reference.

For information about monitoring events and managing system log files, see the Junos OS Administration Guide for Security Devices.