packet-capture

Syntax

Hierarchy Level

Description

Specify packet capture options to capture unknown application traffic.

You can use packet capture of unknown applications to gather more details about an unknown application on your security device. Once you've configured packet capture options on the device, unknown application traffic is captured and stored on the device in a packet capture file (.pcap) under /var/log/pcap/.

Options

aggressive-mode

Capture all traffic before AppID classifies the applications. In this mode, the system captures all application traffic irrespective of the application system cache (ASC) entry. Packet capture starts for the first packet of the first session.

buffer-packets-limit

Maximum memory to buffer packets (bytes). Use this option to limit the memory available in the Packet Forwarding Engine for packet capture functionality.

  • Default: 1% of available data in shared memory

  • Range: 40 bytes to 5% of available data in shared memory

  • Default: 1 MB (for cSRX)

  • Range: 40 bytes through 5 MB

capture-interval

Timeout value in minutes to avoid repetitive capture of the same traffic. After this interval, the system continues to capture newer packet details for unknown applications until the capture limit is reached.

  • Default: 1440 minutes (24 hours).

  • Range: 1 through 525,600 seconds

capture-limit

Number of repetitive captures of the same traffic. Use this option to limit the number of times the same traffic can be repeatedly captured before the cache entry times out.

  • Default: 5

  • Range: 1 through 1000

global

Enable packet capture globally to capture all unknown application traffic. Another option is to enable capturing of unknown application traffic specific to a security policy.

max-bytes

Maximum number of TCP bytes per session (bytes). For TCP sessions, the count includes the actual payload data length and excludes IP/TCP headers for the maximum bytes limit.

If you are setting the packet capture at the security policy level, the packet capture concludes only after the final policy is applied even if the configured limit is reached.

Limitation—Jumbo frames can have up to 1500 bytes of the payload saved in the capture file.

  • Default: 6000 bytes

  • Range: 40 through 1,073,741,824

max-files

Maximum number of unique packet capture files to create before the oldest file is overwritten by a new one.

  • Default: 100 (previously 25)

  • Range: 1 through 2500

max-packets

Maximum number of UDP packets per session.

  • Default: 10 packets

  • Range: 1 through 1000

no-inconclusive

Disable packet capturing of inconclusive traffic. This option disables the packet capture for the following sessions:

  • Sessions that are closed before the application identification or classification completes.

  • Sessions that are not getting classified even when they reach the maximum packet capture limit.

If you do not configure this option, by default, the system captures packets for inconclusive sessions.

storage-limit

Maximum disk space (bytes) that can be used in the Routing Engine for packet capture files.

  • Default: 50 MB

  • Range: 1,048,576 through 4,294,967,295 bytes

Required Privilege Level

system

Release Information

Statement introduced in Junos OS Release 20.2R1.
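
The following is an added example, not part of the vendor documentation: a Python audit of a capture file copied from /var/log/pcap/ that counts TCP payload per session the way max-bytes does (IP/TCP headers excluded) and UDP packets per session as max-packets does, then lists the sessions whose capture reached a limit and is therefore likely incomplete. It assumes the file is a classic pcap with Ethernet framing and IPv4, which this page does not state; `session_usage`, `hit_limit`, `_rec` and `SAMPLE` are names made up for the example.

```python
import socket
import struct
from collections import defaultdict

def session_usage(pcap: bytes) -> dict:
    """TCP payload bytes and UDP packet count per session in a classic pcap."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None or pcap[20:24] != struct.pack(order + "I", 1):
        raise ValueError("expected a classic pcap with Ethernet link type")
    usage, off = defaultdict(lambda: {"tcp_bytes": 0, "udp_packets": 0}), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated record or not IPv4
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
        l4 = 14 + ihl
        if proto not in (6, 17) or len(frame) < l4 + 4:
            continue  # neither TCP nor UDP, or ports cut off
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
        ends = sorted([(socket.inet_ntoa(frame[26:30]), sport),
                       (socket.inet_ntoa(frame[30:34]), dport)])
        key = (proto, *ends[0], *ends[1])  # both directions share one key
        if proto == 17:
            usage[key]["udp_packets"] += 1
        elif len(frame) >= l4 + 13:  # payload = IP total length - IP hdr - TCP hdr
            ip_len = struct.unpack("!H", frame[16:18])[0]
            usage[key]["tcp_bytes"] += max(0, ip_len - ihl - (frame[l4 + 12] >> 4) * 4)
    return dict(usage)

def hit_limit(usage, max_bytes=6000, max_packets=10):
    """Sessions that reached max-bytes or max-packets (defaults from the page)."""
    return sorted(k for k, u in usage.items()
                  if u["tcp_bytes"] >= max_bytes or u["udp_packets"] >= max_packets)

def _rec(proto, src, sport, dst, dport, n):  # constructed Ethernet/IPv4 record
    l4 = struct.pack("!HH", sport, dport) + (
        b"\0" * 8 + b"\x50" + b"\0" * 7 if proto == 6 else struct.pack("!HH", 8 + n, 0))
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(l4) + n, 0, 0, 64, proto, 0)
    frame = (b"\0" * 12 + b"\x08\x00" + ip + socket.inet_aton(src)
             + socket.inet_aton(dst) + l4 + b"\0" * n)
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
# Constructed sample capture (documentation addresses), not taken from a device.
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    [_rec(6, "192.0.2.10", 40000, "198.51.100.5", 8443, 1400)] * 4
    + [_rec(6, "198.51.100.5", 8443, "192.0.2.10", 40000, 400)]
    + [_rec(6, "192.0.2.11", 40001, "198.51.100.5", 8443, 500)] * 2
    + [_rec(17, "192.0.2.10", 53000, "203.0.113.53", 53, 32)] * 10)
```

Pass the configured max-bytes and max-packets values to `hit_limit` when they differ from the defaults; a session listed there ended at the capture limit rather than at session close.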