Performing a packet capture is easy to do on any Juniper branch series SRX.
Three sections of configuration are required: forwarding-options, interfaces and firewall. Examples are below:
set forwarding-options packet-capture file filename PCAP files 5 size 10m
set interfaces fe-0/0/0 unit 0 family inet filter input PCAP
set interfaces fe-0/0/0 unit 0 family inet filter output PCAP
set firewall filter PCAP term PCAP1 from source-address 172.16.0.0/12
set firewall filter PCAP term PCAP1 from destination-address 192.168.0.0/16
set firewall filter PCAP term PCAP1 then sample
set firewall filter PCAP term PCAP1 then accept
set firewall filter PCAP term PCAP2 from source-address 192.168.0.0/16
set firewall filter PCAP term PCAP2 from destination-address 172.16.0.0/12
set firewall filter PCAP term PCAP2 then sample
set firewall filter PCAP term PCAP2 then accept
set firewall filter PCAP term ALLOW-EVERYTHING-ELSE then accept
The resulting configuration looks like this:
interfaces {
    fe-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input PCAP;
                    output PCAP;
                }
            }
        }
    }
}
forwarding-options {
    packet-capture {
        file filename PCAP files 5 size 10m;
    }
}
firewall {
    filter PCAP {
        term PCAP1 {
            from {
                source-address {
                    172.16.0.0/12;
                }
                destination-address {
                    192.168.0.0/16;
                }
            }
            then {
                sample;
                accept;
            }
        }
        term PCAP2 {
            from {
                source-address {
                    192.168.0.0/16;
                }
                destination-address {
                    172.16.0.0/12;
                }
            }
            then {
                sample;
                accept;
            }
        }
        term ALLOW-EVERYTHING-ELSE {
            then accept;
        }
    }
}
Alternatively, you can apply this filter on the loopback interface if you wish to capture all packets matching the filter criteria on all interfaces.
To read the PCAP file, enter the shell and use tcpdump:
start shell
tcpdump -r /var/tmp/PCAP.fe-0.0.0
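A pre-commit check for the capture configuration above, as an added example that is not part of the original page: it reads set-style commands and reports the mistakes that would either produce no capture or drop production traffic, most importantly a filter whose last term is not an unconditional accept (a Junos firewall filter ends with an implicit discard). The helper name lint_capture and the sample text are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample input, adapted from the set commands on this page.
SAMPLE = """\
set forwarding-options packet-capture file filename PCAP files 5 size 10m
set interfaces fe-0/0/0 unit 0 family inet filter input PCAP
set interfaces fe-0/0/0 unit 0 family inet filter output PCAP
set firewall filter PCAP term PCAP1 from source-address 172.16.0.0/12
set firewall filter PCAP term PCAP1 from destination-address 192.168.0.0/16
set firewall filter PCAP term PCAP1 then sample
set firewall filter PCAP term PCAP1 then accept
set firewall filter PCAP term PCAP2 from source-address 192.168.0.0/16
set firewall filter PCAP term PCAP2 from destination-address 172.16.0.0/12
set firewall filter PCAP term PCAP2 then sample
set firewall filter PCAP term PCAP2 then accept
set firewall filter PCAP term ALLOW-EVERYTHING-ELSE then accept
"""

APPLY_RE = re.compile(r"set interfaces \S+ unit \d+ family inet filter (input|output) (\S+)$")
TERM_RE = re.compile(r"set firewall filter (\S+) term (\S+) (from|then) (\S+)")

def lint_capture(config, filter_name):
    """Hypothetical helper: list problems in a set-style capture config."""
    terms = defaultdict(lambda: {"from": False, "then": set()})  # keeps term order
    applied, capture_file = set(), False
    for line in map(str.strip, config.splitlines()):
        if line.startswith("set forwarding-options packet-capture file filename "):
            capture_file = True
        m = APPLY_RE.match(line)
        if m and m.group(2) == filter_name:
            applied.add(m.group(1))  # direction the filter is bound in
        m = TERM_RE.match(line)
        if m and m.group(1) == filter_name:
            if m.group(3) == "from":
                terms[m.group(2)]["from"] = True  # term has a match condition
            else:
                terms[m.group(2)]["then"].add(m.group(4))
    problems = []
    if not capture_file:
        problems.append("no packet-capture file configured")
    problems += [f"filter not applied as {d}" for d in ("input", "output") if d not in applied]
    if not any("sample" in t["then"] for t in terms.values()):
        problems.append("no term has the sample action")
    last = list(terms.values())[-1] if terms else None
    if last is None or last["from"] or "accept" not in last["then"]:
        problems.append("last term is not an unconditional accept: implicit discard applies")
    return problems

if __name__ == "__main__":
    print(lint_capture(SAMPLE, "PCAP") or "no problems found")
```

The check assumes the bidirectional setup shown on this page, so a capture deliberately bound in one direction only will be reported as a finding.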