Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?




Hierarchy Level


Set packet filter for taking the datapath-debug action. A filter is defined to filter traffic, then an action profile is applied to the filtered traffic. Be sure to configure multiple packet filters to capture the traffic. One packet filter only captures the traffic as specified in it, such as from one source to one destination. The same packet filter will not capture the traffic in the reverse direction. You need to configure another packet filter to capture the traffic in reverse direction and specify the source and destination according to the response packet in it. The action profile specifies a variety of actions on the processing unit. A maximum of four filters are supported at the same time. Packet filters can be configured with source and destination prefix and port (including ranges), and protocol.

Action-profile settings have no specific minimum setting, it is based on trace, count, packet summary and packet-dump. Enabling end-to-end debugging without or with a very broad filter is not recommended. This could result in a high PFE CPU usage. Therefore when selecting what to capture through a filter care must be taken. List as many and specific criteria which then results in the minimum amount of traffic to be captured.


Packet filter is supported on SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800 devices.


  • action-profile profile-name—Identify the action profile to use. You can specify the name of the action profile to use. Using the request security action-profile command, you can set the action for the packet match for a specified filter. Action-profile must be defined.

  • destination-port (port-range | protocol name)—Specify a destination port to match TCP/UDP destination port.

  • destination-prefix destination-prefix—Specify a destination IPv4/IPv6 address prefix.

  • interface logical-interface-name—Specify a logical interface name.

  • protocol (protocol-number | protocol-name—Match IP protocol type.

  • source-port (port-range | protocol-name—Match TCP/UDP source port.

  • source-prefix source-prefix—Specify a source IP address prefix.

Required Privilege Level

security—To view this in the configuration

security-control—To add this to the configuration.

Release Information

Command introduced in Junos OS Release 9.6 ; Support for IPv6 addresses for the destination-prefix and source-prefix options added in Junos OS Release 10.4.