
[Includes video] How to create a PCAP packet capture on a SRX branch device



Article ID: KB11709 KB Last Updated: 17 Jul 2020Version: 24.0

This article provides video and text instructions on how to create a PCAP packet capture, on a SRX Branch device, that can be read via Wireshark or Ethereal.


When troubleshooting, a packet capture is very useful. This is best accomplished by performing the capture outside of the SRX device; however, in some situations it is not possible to place a PC or server inline for an Ethereal/Wireshark or tcpdump capture. In those cases, the SRX Branch devices (SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650, SRX300 series, SRX1500, SRX4100, SRX4200) can perform the packet capture directly. The steps to do this are documented in the solution below.


  1. The PCAP packet-capture can only capture IPv4 protocol traffic. 
  2. If you use packet capture on reth interfaces, two files are created, one for ingress packets and the other for egress packets based on the reth interface name. These files can be merged outside of the device using tools such as Wireshark or Mergecap.


Text format:

To obtain the packet capture on branch SRX devices, perform the following steps:

Note:  For information on obtaining packet-captures on high-end SRX devices, refer to KB21563 - How to capture packets on High-End SRX devices.

Step 1:  Configure forwarding options:

To do this, navigate to forwarding-options and then to packet-capture hierarchy as below:
user@host# edit forwarding-options packet-capture

[edit forwarding-options packet-capture]

Specify a file name for the packet capture and set the maximum-capture-size to 1500 as below:

[edit forwarding-options packet-capture]
user@host# set file filename testpacketcapture

[edit forwarding-options packet-capture]
user@host# set maximum-capture-size 1500

[edit forwarding-options packet-capture]
user@host# show
file filename testpacketcapture;
maximum-capture-size 1500;

[edit forwarding-options packet-capture]


Step 2:  Configure firewall filter for packet capture.

This is strongly recommended: with a firewall filter, the amount of traffic to be captured can be restricted, which is less CPU intensive than capturing without a filter.

To do this, set the filter, term name, define the match condition, and its action.

For example, the firewall filter below will collect traffic that arrives on the interface with a source address of AND destination-address of AND vice versa. The term allow-all-else is used to make sure that the SRX does not drop any other traffic, but does not sample it either.

user@host# set firewall filter PCAP term 1 from source-address
user@host# set firewall filter PCAP term 1 from destination-address
user@host# set firewall filter PCAP term 1 then sample
user@host# set firewall filter PCAP term 1 then accept
user@host# set firewall filter PCAP term 2 from source-address
user@host# set firewall filter PCAP term 2 from destination-address
user@host# set firewall filter PCAP term 2 then sample
user@host# set firewall filter PCAP term 2 then accept
user@host# set firewall filter PCAP term allow-all-else then accept


Step 3:  Apply firewall filter to desired interface.

Decide which interface you want to capture the packets on. This must be an Ethernet interface. For this example, interface ge-0/0/0 is used.

Apply the firewall filter on the desired interface for the input and output direction:

user@host# set interfaces ge-0/0/0 unit 0 family inet filter output PCAP
user@host# set interfaces ge-0/0/0 unit 0 family inet filter input PCAP

Step 4:  Commit to activate the packet capture.

user@host# commit

Once you commit, then run your test to pass the traffic that needs to be captured.

Once the test is complete, deactivate the packet capture to stop the collection of packets. To do this, remove the packet-capture and sampling configuration that was just added above and commit. A quick way to do this is using rollback:

user@host# rollback 1
user@host# commit


Step 5:  Copy packet capture file from the SRX device, and view it with your PCAP utility.

The captured file is located in the /var/tmp directory and is formatted in the PCAP format. You can find the file with the file list command.

user@host> file list /var/tmp/ | match testpacketcapture*

Copy this file to your PC.

The packet capture file created can be viewed with Wireshark, Ethereal, or other PCAP packet capture utility.
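The note above says that a capture on a reth interface produces two files (ingress and egress) that must be merged off-box, and Step 5 says the file in /var/tmp is in PCAP format. The following is an added example, not code from the KB article or from Juniper: a standard-library Python script that parses classic libpcap files, merges several of them by timestamp, lists the IPv4 conversations they contain, and flags any frame that is not between the two hosts the firewall filter was meant to sample. It assumes the files are classic (non-pcapng) libpcap with an Ethernet link type, and the host addresses, timestamps and frames it builds are constructed for illustration.

```python
"""Merge and inspect SRX packet-capture files (added example, not Juniper code).

Assumes classic libpcap files with an Ethernet link type, which is what Wireshark
reads from the file in /var/tmp. All addresses, timestamps and frames below are
constructed for illustration.
"""
import socket
import struct
from typing import List, Optional, Set, Tuple

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
Record = Tuple[int, int, bytes]  # (ts_sec, ts_usec, frame)


def build_pcap(records: List[Record]) -> bytes:
    """Serialise records as a little-endian classic pcap file."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    body = b"".join(
        struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
        for sec, usec, frame in records
    )
    return header + body


def build_frame(src_ip: str, dst_ip: str, proto: int = 17) -> bytes:
    """Constructed Ethernet II + minimal IPv4 frame; checksum left at zero."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + b"\x00" * 8  # 8 bytes of filler payload


def parse_pcap(data: bytes) -> List[Record]:
    """Parse a classic pcap file of either byte order; reject truncated records."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        order = "<"
    elif magic == 0xD4C3B2A1:    # the same magic written big-endian
        order = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    linktype = struct.unpack_from(order + "HHiIII", data, 4)[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unexpected link type %d" % linktype)
    records, offset = [], 24
    while offset + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from(order + "IIII", data, offset)
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated record at offset %d" % offset)
        offset += incl_len
        records.append((sec, usec, frame))
    return records


def merge_captures(files: List[bytes]) -> bytes:
    """Merge capture files (e.g. reth ingress + egress) by timestamp.

    list.sort() is stable, so frames with identical timestamps keep file order."""
    records: List[Record] = []
    for data in files:
        records.extend(parse_pcap(data))
    records.sort(key=lambda r: (r[0], r[1]))
    return build_pcap(records)


def ipv4_endpoints(frame: bytes) -> Optional[Tuple[str, str]]:
    """Return (src, dst) for an IPv4-over-Ethernet frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    return socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])


def conversations(data: bytes) -> Set[Tuple[str, str]]:
    """Distinct (src, dst) pairs in the capture; non-IPv4 frames are skipped."""
    pairs = set()
    for _, _, frame in parse_pcap(data):
        ends = ipv4_endpoints(frame)
        if ends is not None:
            pairs.add(ends)
    return pairs


def frames_outside_filter(data: bytes, host_a: str, host_b: str) -> List[Tuple[int, int]]:
    """Timestamps of frames that are not between the two filtered hosts.

    The KB's filter samples only A->B and B->A, so any hit here means the filter
    terms or the interface binding are not what was intended."""
    unexpected = []
    for sec, usec, frame in parse_pcap(data):
        if ipv4_endpoints(frame) not in ((host_a, host_b), (host_b, host_a)):
            unexpected.append((sec, usec))
    return unexpected


if __name__ == "__main__":
    # Constructed stand-ins for the two files written for a reth interface.
    ingress = build_pcap([(100, 500, build_frame("192.0.2.10", "198.51.100.20")),
                          (102, 0, build_frame("192.0.2.10", "198.51.100.20"))])
    egress = build_pcap([(101, 0, build_frame("198.51.100.20", "192.0.2.10"))])
    merged = merge_captures([ingress, egress])
    print([(sec, usec) for sec, usec, _ in parse_pcap(merged)])
    print(sorted(conversations(merged)))
    print(frames_outside_filter(merged, "192.0.2.10", "198.51.100.20"))
```

To use it on real files, read the ingress and egress captures copied from /var/tmp as bytes, pass them to merge_captures, and write the result to a new .pcap for Wireshark; frames_outside_filter with the two addresses from the PCAP filter terms is a quick sanity check that the filter was applied to the intended interface and direction.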
Modification History:
2020-07-16: Minor non-technical edits.
2020-03-26: Article reviewed for accuracy; it is valid and accurate
2018-02-21: Added note regarding the use of packet capture on reth interfaces