Packet Capture

Capturing and Viewing Packets with the J-Web Interface

You can use the J-Web packet capture diagnostic tool when you need to quickly capture and analyze router control traffic on a device. Packet capture on the J-Web interface allows you to capture traffic destined for or originating from the Routing Engine. You can use J-Web packet capture to compose expressions with various matching criteria to specify the packets that you want to capture. You can either choose to decode and view the captured packets in the J-Web interface as they are captured, or save the captured packets to a file and analyze them offline using packet analyzers such as Ethereal. J-Web packet capture does not capture transient traffic.

Alternatively you can use the CLI monitor traffic command to capture and display packets matching a specific criteria. For details, see the JUNOS Enhanced Services Administration Guide.

To capture transient traffic and entire IPv4 data packets for offline analysis, you must configure packet capture with the J-Web or CLI configuration editor. For details, see the JUNOS Enhanced Services Administration Guide.

This section contains the following topics:

Using J-Web Packet Capture

To use J-Web packet capture:

  1. Select Troubleshoot>Packet Capture.
  2. Enter information into the Packet Capture page as described in Table 211.

    The sample configuration in Table 211 captures the next 10 TCP packets originating from the IP address 10.1.40.48 on port 23 and passing through the Gigabit Ethernet interface ge-0/0/0.

  3. To save the captured packets to a file, or specify other advanced options, click the expand icon next to Advanced options, and enter information as described in Table 211.
  4. Click Start.

    The captured packet headers are decoded and displayed in the Packet Capture display.

    Table 212 summarizes the output fields of the display.

  5. Do one of the following:
    • To stop capturing the packets and stay on the same page while the decoded packet headers are being displayed, click Stop Capturing.
    • To stop capturing packets and return to the Packet Capture page, click OK.

Table 211: Packet Capture Field Summary

Field

Function

Your Action

Interface

Specifies the interface on which the packets are captured.

If you select default, packets on the Ethernet management port 0, are captured.

From the list, select an interface—for example, ge-0/0/0.

Detail level

Specifies the extent of details to be displayed for the packet headers.

  • Brief—Displays the minimum packet header information. This is the default.
  • Detail—Displays packet header information in moderate detail.
  • Extensive—Displays the maximum packet header information.

From the list, select Detail.

Packets

Specifies the number of packets to be captured. Values range from 1 to 1000. Default is 10. Packet capture stops capturing packets after this number is reached.

From the list, select the number of packets to be captured—for example, 10.

Addresses

Specifies the addresses to be matched for capturing the packets using a combination of the following parameters:

  • Direction—Matches the packet headers for IP address, hostname, or network address of the source, destination or both.
  • Type—Specifies if packet headers are matched for host address or network address.

You can add multiple entries to refine the match criteria for addresses.

Select address-matching criteria. For example:

  1. From the Direction list, select source.
  2. From the Type list, select host.
  3. In the Address box, type 10.1.40.48.
  4. Click Add.

Protocols

Matches the protocol for which packets are captured. You can choose to capture TCP, UDP, or ICMP packets or a combination of TCP, UDP, and ICMP packets.

From the list, select a protocol—for example, tcp.

Ports

Matches packet headers containing the specified source or destination TCP or UDP port number or port name.

Select a direction and a port. For example:

  1. From the Type list, select src.
  2. In the Port box, type 23.
Advanced Options

Absolute TCP Sequence

Specifies that absolute TCP sequence numbers are to be displayed for the packet headers.

  • To display absolute TCP sequence numbers in the packet headers, select this check box.
  • To stop displaying absolute TCP sequence numbers in the packet headers, clear this check box.

Layer 2 Headers

Specifies that link-layer packet headers are to be displayed.

  • To include link-layer packet headers while capturing packets, select this check box.
  • To exclude link-layer packet headers while capturing packets, clear this check box.

Non-Promiscuous

Specifies not to place the interface in promiscuous mode, so that the interface reads only packets addressed to it.

In promiscuous mode, the interface reads every packet that reaches it.

  • To read all packets that reach the interface, select this check box.
  • To read only packets addressed to the interface, clear this check box.

Display Hex

Specifies that packet headers, except link-layer headers, are to be displayed in hexadecimal format.

  • To display the packet headers in hexadecimal format, select this check box.
  • To stop displaying the packet headers in hexadecimal format, clear this check box.

Display ASCII and Hex

Specifies that packet headers are to be displayed in hexadecimal and ASCII format.

  • To display the packet headers in ASCII and hexadecimal formats, select this check box.
  • To stop displaying the packet headers in ASCII and hexadecimal formats, clear this check box.

Header Expression

Specifies the match condition for the packets to be captured.

The match conditions you specify for Addresses, Protocols, and Ports are displayed in expression format in this field.

You can enter match conditions directly in this field in expression format or modify the expression composed from the match conditions you specified for Addresses, Protocols, and Ports. If you change the match conditions specified for Addresses, Protocols, and Ports again, packet capture overwrites your changes with the new match conditions.

Packet Size

Specifies the number of bytes to be displayed for each packet. If a packet header exceeds this size, the display is truncated for the packet header. The default value is 96 bytes.

Type the number of bytes you want to capture for each packet header—for example, 256.

Don't Resolve Addresses

Specifies that IP addresses are not to be resolved into hostnames in the packet headers displayed.

  • To prevent packet capture from resolving IP addresses to hostnames, select this check box.
  • To resolve IP addresses into hostnames, clear this check box.

No Timestamp

Suppresses the display of packet header timestamps.

  • To stop displaying timestamps in the captured packet headers, select this check box.
  • To display the timestamp in the captured packet headers, clear this check box.

Write Packet Capture File

Writes the captured packets to a file in PCAP format in /var/tmp. The files are named with the prefix jweb-pcap and the extension .pcap.

If you select this option, the decoded packet headers are not displayed on the packet capture page.

  • To save the captured packet headers to a file, select this check box.
  • To decode and display the packet headers on the J-Web page, clear this check box.

Packet Capture Results and Output Summary

Table 212 summarizes the output in the packet capture display.

Table 212: J-Web Packet Capture Results and Output Summary

Field

Description

timestamp

Time when the packet was captured. The timestamp 00:45:40.823971 means 00 hours (12.00 a.m.), 45 minutes, and 40.823971 seconds.

Note: The time displayed is local time.

direction

Direction of the packet. Specifies whether the packet originated from the Routing Engine (Out), or was destined for the Routing Engine (In).

protocol

Protocol for the packet.

In the sample output, IP indicates the Layer 3 protocol.

source address

Hostname, if available, or IP address and the port number of the packet's origin. If the Don't Resolve Addresses check box is selected, only the IP address of the source is displayed.

Note: When a string is defined for the port, the packet capture output displays the string instead of the port number.

destination address

Hostname, if available, or IP address of the packet's destination with the port number. If the Don't Resolve Addresses check box is selected, only the IP address of the destination and the port are displayed.

Note: When a string is defined for the port, the packet capture output displays the string instead of the port number.

protocol

Protocol for the packet.

In the sample output, TCP indicates the Layer 4 protocol.

data size

Size of the packet (in bytes).