On-Device Packet Capture
On-device packet capture, or self-mirroring, allows you to have network packets coming into or going out of any network port on a device sent to that device's CPU and saved into a file.
Overview
Port mirroring is a network-monitoring technique that allows you to have network packets copied from a port and sent as input to a monitoring port or device. On-device packet capture, or self-mirroring, allows you to have the copied network packets sent to the CPU and saved into a PCAP file. This feature, on-device packet capture, can help you with protocol and application analysis, network debugging and troubleshooting, network forensics, audit trails, and network-attack detection.
To use this feature, you need to:
- Configure a standard port mirroring setup, including port-mirroring instances and firewall filters.
- Configure the PCAP file, including filename, maximum size of the file, and write mode.
- Use the operational commands to start and stop on-device packet capture (self-mirroring) and to clear the self-mirroring statistics.
Benefits
With on-device packet capture:
- Sampled packets are sent to the CPU and written in a PCAP file, allowing you to debug and analyze issues in a live environment.
- You don't need to have any devices connected to the network device on which you are self-mirroring the packets.
Guidelines and Limitations
Guidelines
- Before you configure self-mirroring of packets, configure the port-mirroring instances and firewall filter as you would for standard port mirroring.
- Each port-mirroring instance for self-mirroring must have its own "family" designation. The families for this feature are:
  - inet
  - inet6
  - any
- The captured mirrored packet file will be available at /var/tmp/filename.
- You can apply rate and max-packet-length values in the self-mirroring configuration just as you would for any port-mirroring configuration.
- Configure a port-mirroring instance for either self-mirroring or for general port-mirroring, but not for both purposes at once.
- By default, DDOS (distributed denial of service) protection is enabled. Policer limits of bandwidth 12000, burst size 15000, and policer recovery 300 are applied.
- Mirrored packets take up to 60 seconds to be stored in the destination file.
- If you change any self-mirroring parameters while the PCAP file is recording, the recording is not affected. If you change the filename while the file is recording, a new file is created and the recording is finished in the new file.
Limitations
- If the sampling rate is aggressive (1:1), it impacts throughput of the system as packets are captured, and it increases the load on system resources. You can restrict the captured file size by setting the file length, or you can disable packet capture by issuing the disable command or the request forwarding-options port-mirroring instance instance-name self-mirror-stop command.
- Port mirroring and discard actions in the egress direction are not supported.
- Self-mirroring is not supported with the following configurations:
  - forwarding-class
  - policer
  - Multiple instances of self-mirroring with the same filename
  - Remote port mirroring and self-mirroring applied to the same instance
- Mirrored copies of multiple interfaces require a captured file per interface or session.
- The maximum number of port-mirror instances is 15.
Configure On-Device Packet Capture
Before you configure self-mirroring of packets, configure the port-mirroring instances and firewall filter as you would for standard port mirroring.
To configure on-device packet capture, provide an output filename and optionally specify the write mode for the file and the maximum size of the file:
- set forwarding-options port-mirroring instance instance-name family family-name output file file-name
- set forwarding-options port-mirroring instance instance-name family family-name output file file-name (none | linear) max-size value
The write mode for the output file determines whether the file is written over:
- circular: The default; do not specify a mode if you want to use "circular" mode. In circular mode, the file is overwritten if the configured size and maximum file values are exceeded. The default file size is 5MB and the maximum number of files is 10.
- linear: Specify linear mode if you want the writing to the file to stop if the file size exceeds the configured maximum-size value.
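An added example, not part of the vendor documentation: a small Python check that runs a block of `set` statements against the guidelines and limitations above (supported families, unique filenames, no instance used for both self-mirroring and another output, the 15-instance limit, and 1:1 sampling). The `input rate` and `output interface` statement forms, the rule names, and the sample configuration are assumptions made for illustration.

```python
import re
from collections import defaultdict

FAMILIES = {"inet", "inet6", "any"}  # families the page lists for self-mirroring
MAX_INSTANCES = 15                   # instance limit stated on the page
LINE = re.compile(r"^set forwarding-options port-mirroring instance (\S+) (.+)$")

def lint(config_text):
    """Return sorted (rule, subject) findings for a block of 'set' lines."""
    instances, to_file, to_other = set(), set(), set()
    files = defaultdict(set)         # output filename -> instances using it
    findings = set()
    for raw in config_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                 # not a port-mirroring instance statement
        inst, rest = m.group(1), m.group(2).split()
        instances.add(inst)
        if rest[:3] == ["input", "rate", "1"]:
            findings.add(("aggressive-rate", inst))      # 1:1 sampling
        if rest[0] == "family" and rest[2:3] == ["output"] and len(rest) > 4:
            if rest[3] == "file":
                to_file.add(inst)
                files[rest[4]].add(inst)
                if rest[1] not in FAMILIES:
                    findings.add(("unsupported-family", inst))
            else:
                # Assumption: any non-file output means general/remote mirroring.
                to_other.add(inst)
    for name, users in files.items():
        if len(users) > 1:
            findings.add(("shared-filename", name))
    for inst in to_file & to_other:
        findings.add(("mixed-purpose", inst))
    if len(instances) > MAX_INSTANCES:
        findings.add(("too-many-instances", str(len(instances))))
    return sorted(findings)

# Constructed sample (instance names, interface name and size value are made up).
SAMPLE = """\
set forwarding-options port-mirroring instance cap1 input rate 1
set forwarding-options port-mirroring instance cap1 family inet output file cap.pcap linear max-size 10
set forwarding-options port-mirroring instance cap2 family inet6 output file cap.pcap
set forwarding-options port-mirroring instance cap2 family inet6 output interface ge-0/0/1.0
set forwarding-options port-mirroring instance cap3 family vpls output file l2.pcap
"""

if __name__ == "__main__":
    for rule, subject in lint(SAMPLE):
        print(f"{rule}: {subject}")
```
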
Start, Stop, or Clear On-Device Packet Capture
- You don't have to specify a family in any of the three commands; doing so is optional.
- The duration of seconds before the start is 1–1800.
- You don't have to specify an instance in the clear command; doing so is optional.
- The clear command clears self-mirroring statistics and deletes the associated PCAP files.
- request forwarding-options port-mirroring instance instance-name family family-name self-mirror-start start-duration-seconds
- request forwarding-options port-mirroring instance instance-name family family-name self-mirror-stop
- clear forwarding-options port-mirroring instance instance-name family family-name
View the Self-Mirroring Transition State, Start/Stop, and Statistics
Captured mirrored packets in the file retain the L2 header on the WAN interface.
- show forwarding-options port-mirroring self-mirror
- show forwarding-options port-mirroring self-mirror statistics
- show forwarding-options port-mirroring self-mirror start
- show forwarding-options port-mirroring self-mirror stop