Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?




Hierarchy Level


Specify packet capture options to capture unknown application traffic.

You can use the packet capture of unknown applications functionality to gather more details about an unknown application on your security device. Once you’ve configured packet capture options on your security device, the unknown application traffic is gathered and stored on the device in a packet capture file (.pcap) at /var/log/pcap/ location.



Capture all traffic before AppID classifies the applications. In this mode, the system captures all application traffic irrespective of the application system cache (ASC) entry. Packet capture starts for the first packet of the first session.


Maximum memory to buffer packets (bytes). Use this option to limit the memory available in the Packet Forwarding Engine for packet capture functionality.

  • Default: 1% of available data in shared memory

  • Range: 40 bytes to 5% of available data in shared memory

  • Default: 1 MB (for cSRX)

  • Range: 40 bytes through 5 MB


Timeout value in minutes to avoid repetitive capture of the same traffic. After this interval, the system continues to capture newer packet details for unknown applications until the capture limit is reached.

  • Default: 1440 minutes (24 hours).

  • Range: 1 through 525,600 seconds


Number of repetitive captures of the same traffic. Use this option to limit the number of times the same traffic can be repeatedly captured before the cache entry times out.

  • Default: 5

  • Range: 1 through 1000


Enable packet capture globally to capture all unknown application traffic. Another option is to enable capturing of unknown application traffic specific to a security policy.


Maximum number of TCP bytes per session (bytes). For TCP sessions, the count includes the actual payload data length and excludes IP/TCP headers for the maximum bytes limit.

If you are setting the packet capture at the security policy level, the packet capture concludes only after the final policy is applied even if the configured limit is reached.

Limitation—Jumbo frames can have up to 1500 bytes of the payload saved in the capture file.

  • Default: 6000 bytes

  • Range: 40 through 1,073,741,824


Maximum number of unique packet capture files to create before the oldest file is overwritten by a new file created.

  • Default: 100

    (Previously 25)
  • Range: 1 through 2500


Maximum number of UDP packets per session.

  • Default: 10 packets

  • Range: 1 through 1000


Disable packet capturing of inconclusive traffic. This option disables the packet capture for the following sessions:

  • Sessions that are closed before the application identification or classification completes.

  • Sessions that are not getting classified even whn they reach the maximum packet capture limit.

If you do not configure this option, by default, the system captures packets for inconclusive sessions.


Maximum disk space (bytes) that can be used in the Routing Engine for packet capture files.

  • Default: 50 MB

  • Range: 1,048,576 through 4,294,967,295 bytes

Required Privilege Level


Release Information

Statement introduced in Junos OS Release 20.2R1.