
Thursday, May 19, 2016

How to capture a TCP dump on a Juniper SRX 5800 and analyze the file using Wireshark

Summary: 

How to take a TCP dump on a Juniper SRX 5800. The capture is written as a .pcap file and can be analyzed with third-party tools such as Wireshark.

Problem or Goal:

To analyze traffic traversing the firewall using wireshark

Cause:

For troubleshooting purposes

Solution:

Reference: How to create a PCAP packet capture on high-end SRX devices

Example:

Edit the config as below:

#set security datapath-debug capture-file my-capture
#set security datapath-debug capture-file format pcap
#set security datapath-debug capture-file size 1m
#set security datapath-debug capture-file files 5
#set security datapath-debug maximum-capture-size 1500
#set security datapath-debug action-profile do-capture event np-egress packet-dump
#set security datapath-debug action-profile do-capture event np-ingress packet-dump
#set security datapath-debug packet-filter my-filter action-profile do-capture
#set security datapath-debug packet-filter my-filter destination-prefix x.x.x.x/x
#commit 

To start the debug:

>request security datapath-debug capture start

To stop the debug:

>request security datapath-debug capture stop

You can use the following command to show the captured packets, but its output is hard to read. To make sense of the capture, export the file and open it in a third-party tool such as Wireshark:

>show security datapath-debug capture

Before you copy the file off the device to analyze it with Wireshark, convert the raw capture to pcap format from the shell:

>start shell user root
Password:
root% pwd
If you are not already in /var/log, change to it:

root@% cd /var/log
root@% e2einfo -Ccapture -Snormalize -I my-capture -F my-capture.pcap

sucessfully convert 124 packets
root@% ls -ltr

You can use tools like WinSCP to copy the file from the SRX device to your computer.
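Once the converted file is on your workstation, a quick check that e2einfo produced a valid classic pcap (and that its packet count matches what e2einfo reported) saves a confusing session in Wireshark. The script below is an added example and is not part of the original post or of any Juniper tool: it is a stdlib-only reader for the classic libpcap format that summarises IPv4 flows by destination and flags packets that fall outside the configured destination-prefix filter. The filter prefix 198.51.100.0/24, the expected count of 4 and the embedded capture bytes are all constructed for the example; in practice you would read the bytes from my-capture.pcap and use the count e2einfo printed.

```python
"""Sanity-check a converted SRX datapath-debug capture and summarise its flows.

Added example (not from the blog post or Juniper): a minimal reader for the
classic libpcap format, used to confirm the file is a real pcap, that its
packet count matches what e2einfo reported, and which flows matched the
destination-prefix filter.
"""
import struct
import ipaddress
from collections import Counter

LINKTYPE_ETHERNET = 1


def read_pcap(data: bytes):
    """Parse classic pcap bytes; return a list of (timestamp, frame_bytes)."""
    if len(data) < 24:
        raise ValueError("file too short to be a pcap")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"          # written on a little-endian host
    elif magic == 0xD4C3B2A1:
        endian = ">"          # written on a big-endian host
    else:
        raise ValueError(f"not a classic pcap file (magic {magic:#x})")
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    _, _vmaj, _vmin, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError(f"truncated packet record at offset {off - 16}")
        packets.append((ts_sec + ts_usec / 1e6, data[off:off + incl_len]))
        off += incl_len
    return packets


def decode_ipv4(frame: bytes):
    """Return (proto, src, dst, sport, dport) for an Ethernet/IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = ipaddress.IPv4Address(frame[26:30])
    dst = ipaddress.IPv4Address(frame[30:34])
    l4 = frame[14 + ihl:]
    sport = dport = None
    if proto in (6, 17) and len(l4) >= 4:      # TCP or UDP: ports are the first 4 bytes
        sport, dport = struct.unpack("!HH", l4[:4])
    return proto, src, dst, sport, dport


def summarise(data: bytes, expected_count: int, dest_prefix: str):
    """Verify the pcap and count flows whose destination is inside dest_prefix."""
    packets = read_pcap(data)
    if len(packets) != expected_count:
        raise ValueError(f"e2einfo reported {expected_count} packets, file has {len(packets)}")
    net = ipaddress.ip_network(dest_prefix)
    flows, outside = Counter(), 0
    for _, frame in packets:
        hdr = decode_ipv4(frame)
        if hdr is None:
            continue
        proto, src, dst, _sport, dport = hdr
        if dst in net:
            flows[(str(src), str(dst), proto, dport)] += 1
        else:
            outside += 1            # should be 0 if the packet-filter worked as intended
    return flows, outside


# ---- constructed sample data (not a real SRX capture) ----
def _frame(src, dst, proto, sport, dport):
    """Build a minimal Ethernet/IPv4/L4 frame; checksums left at 0 (parser ignores them)."""
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + l4


def build_sample_pcap(frames):
    """Serialise frames as a little-endian classic pcap (constructed test data)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1463600000 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = build_sample_pcap([
    _frame("192.0.2.10", "198.51.100.5", 6, 40000, 443),
    _frame("192.0.2.10", "198.51.100.5", 6, 40000, 443),
    _frame("192.0.2.11", "198.51.100.9", 17, 5353, 53),
    _frame("192.0.2.12", "203.0.113.7", 6, 40001, 80),   # outside the filter prefix
])

if __name__ == "__main__":
    flows, outside = summarise(SAMPLE_PCAP, expected_count=4, dest_prefix="198.51.100.0/24")
    for (src, dst, proto, dport), n in flows.most_common():
        print(f"{src} -> {dst} proto={proto} dport={dport} packets={n}")
    print(f"{outside} packet(s) not in 198.51.100.0/24")
```

If the magic-number check fails, the file on the device was most likely the raw my-capture rather than the e2einfo output, so re-run the conversion before copying it again. A non-zero "outside" count means the packet-filter prefix did not constrain the capture the way you expected and is worth reviewing before you trust the Wireshark view.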

When troubleshooting is finished, remove all datapath-debug configuration, including the datapath-debug configuration for packet capturing (packet-dump) which needs to be started/stopped manually. If any part of the debugging configuration remains active, it will continue using the resources of the device (CPU/memory).

#delete security datapath-debug
#commit

Problem Solved?

Yes.
