
Thursday, May 19, 2016

How to capture tcp dump on juniper srx 5800 and analyze file using wireshark


How to take a tcp dump (packet capture) on a Juniper SRX 5800. The capture is written to a file on the device, converted to .pcap with e2einfo, and can then be analyzed with third-party tools like Wireshark.

Problem or Goal:

To analyze traffic traversing the firewall using wireshark


For troubleshooting purposes


Reference: How to create a PCAP packet capture on high-end SRX devices


Edit the config as below (the filter captures traffic to the destination prefix at both the np-ingress and np-egress events, so the same transit packet can show up twice in the resulting capture):

#set security datapath-debug capture-file my-capture
#set security datapath-debug capture-file format pcap
#set security datapath-debug capture-file size 1m
#set security datapath-debug capture-file files 5
#set security datapath-debug maximum-capture-size 1500
#set security datapath-debug action-profile do-capture event np-egress packet-dump
#set security datapath-debug action-profile do-capture event np-ingress packet-dump
#set security datapath-debug packet-filter my-filter action-profile do-capture
#set security datapath-debug packet-filter my-filter destination-prefix x.x.x.x/x

To start the debug:

>request security datapath-debug capture start

To stop the debug:

>request security datapath-debug capture stop

You can use this command to show the captured packets, but the output is raw packet data and is not readable on its own; you will have to export the file into third-party tools like Wireshark:

>show security datapath-debug capture

Before you copy the file off the device to analyze it with Wireshark, convert the raw capture to .pcap from the shell:

>start shell user root
Password:
root@% pwd

If you are not in /var/log, change to it, then run e2einfo:

root@% cd /var/log
root@% e2einfo -Ccapture -Snormalize -I my-capture -F my-capture.pcap

successfully convert 124 packets
root@% ls -ltr

You can use tools like WinSCP (or scp) to copy the .pcap file from the SRX device to your computer.
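Once my-capture.pcap is on your workstation, a quick sanity check before opening it in Wireshark is to confirm that it really is a libpcap file (i.e. that the e2einfo conversion was done and the copy was not truncated) and that every IPv4 destination in it falls inside the destination-prefix you put in the packet-filter. The script below is an added example, not part of the original post or of Juniper's tooling; it assumes e2einfo produced a classic libpcap file with an Ethernet link type, and the sample capture it checks is constructed inline rather than taken from a real SRX.

```python
"""Sanity-check a libpcap file exported from an SRX datapath-debug capture.

Added example, not part of the original post or Juniper's tooling. Assumes
e2einfo produced a classic libpcap file (magic 0xa1b2c3d4) whose link type is
Ethernet (DLT 1); if your capture shows another link type, adjust
LINKTYPE_ETHERNET and the frame offsets below.
"""
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4        # classic libpcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = b"\x08\x00"


def parse_pcap(data: bytes):
    """Return (linktype, [packet_bytes, ...]); raise ValueError on a bad file."""
    if len(data) < 24:
        raise ValueError("shorter than a pcap global header: not converted with e2einfo?")
    (magic,) = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC:
        endian = "<"                      # written by a little-endian host
    elif magic == struct.unpack("<I", struct.pack(">I", PCAP_MAGIC))[0]:
        endian = ">"                      # byte-swapped magic: big-endian writer
    else:
        raise ValueError(f"bad magic 0x{magic:08x}: not a libpcap file")
    _major, _minor, _tz, _sigfigs, _snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    packets = []
    offset = 24
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("truncated record header (copy cut short?)")
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        offset += 16
        if offset + incl_len > len(data):
            raise ValueError("truncated packet data (copy cut short?)")
        packets.append(data[offset:offset + incl_len])
        offset += incl_len
    return linktype, packets


def check_capture(data: bytes, dest_prefix: str) -> dict:
    """Compare every IPv4 destination in the capture against dest_prefix."""
    net = ipaddress.ip_network(dest_prefix, strict=False)
    linktype, packets = parse_pcap(data)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unexpected link type {linktype}; adjust frame offsets")
    result = {"packets": len(packets), "in_prefix": 0,
              "outside_prefix": [], "non_ipv4": 0}
    for frame in packets:
        # Ethernet header is 14 bytes; the IPv4 destination sits at IP offset 16.
        if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
            result["non_ipv4"] += 1
            continue
        dst = ipaddress.IPv4Address(frame[30:34])
        if dst in net:
            result["in_prefix"] += 1
        else:
            result["outside_prefix"].append(str(dst))
    return result


# --- constructed sample data, standing in for a real my-capture.pcap ---------
def ipv4_frame(src: str, dst: str) -> bytes:
    """Build a minimal Ethernet/IPv4 frame (checksum left zero; fine for parsing)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + ETHERTYPE_IPV4
    payload = b"\x00" * 8
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + payload


def build_sample_pcap(frames) -> bytes:
    """Wrap frames in a little-endian libpcap file with an Ethernet link type."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = [struct.pack("<IIII", 1463616000 + i, 0, len(f), len(f)) + f
               for i, f in enumerate(frames)]
    return header + b"".join(records)


SAMPLE_PCAP = build_sample_pcap([
    ipv4_frame("192.0.2.10", "10.0.0.5"),       # inside the example prefix
    ipv4_frame("192.0.2.11", "10.0.0.7"),       # inside the example prefix
    ipv4_frame("192.0.2.12", "198.51.100.1"),   # should not have been captured
])

if __name__ == "__main__":
    import sys
    # Usage: python check_capture.py my-capture.pcap 10.0.0.0/24
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as fh:
            print(check_capture(fh.read(), sys.argv[2]))
    else:
        print(check_capture(SAMPLE_PCAP, "10.0.0.0/24"))
```

Run it against the copied file with the same prefix you configured in the packet-filter; a non-empty "outside_prefix" list means the filter did not do what you expected, a "bad magic" error means you skipped the e2einfo step, and a "truncated" error means the file was still being written or the copy was cut short.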

When troubleshooting is finished, remove all datapath-debug configuration, including the packet-capture (packet-dump) configuration, which is started and stopped manually. Any part of the debugging configuration left in place keeps consuming device resources (CPU/memory).

#delete security datapath-debug

Problem Solved?
