[SRX] Example - Creating a PCAP packet capture on high-end SRX devices

[KB21563]


Summary:

This article explains how to create a packet capture on a high-end SRX device that can be read with Wireshark or Ethereal. The procedure also applies to high-end chassis clusters.


Note: The solution provided in this article is also documented more formally here: Example: Configuring End-to-End Debugging on SRX Series Device



Symptoms:

The procedure in this article is applicable for the following devices:

  • SRX1400

  • SRX3400

  • SRX3600

  • SRX5400

  • SRX5600

  • SRX5800

For more information about obtaining packet captures on branch devices, refer to KB11709 - [SRX] How to Create a PCAP packet capture on a J-Series or SRX Branch device.


Solution:

Packet capture on high-end SRX devices is done with the help of the datapath-debug utility. Datapath debugging provides tracing and debugging utilities for multiple processing units along the packet-processing path.

For more information about datapath-debug, refer to Understanding Data Path Debugging for SRX Series Devices.

WARNING: Datapath-debug should not be used in IPv6 environments when using hash-based session distribution with Junos OS versions prior to Junos OS 15.1X49-D30.

The session distribution method in use can be checked as follows:

root@SRX5K> show security flow status
  Flow forwarding mode:
  Inet forwarding mode: flow based
  Inet6 forwarding mode: drop
  MPLS forwarding mode: drop
  ISO forwarding mode: drop
Flow trace status
  Flow tracing status: off
Flow session distribution
  Distribution mode: Hash-based
Flow ipsec performance acceleration: off
Flow packet ordering
  Ordering mode: Hardware

  1. Edit the security datapath-debug option for the multiple processing units along the packet-processing path:

[edit]
user@host# edit security datapath-debug

  2. Enable the capture file, file format, file size, and number of files. The size number limits the size of the capture file. After the size limit is reached, if the file number is specified, then the capture file will be rotated to filename x, where x is auto-incremented until it reaches the specified index, and then returns to zero. If no file index is specified, the packets will be discarded after the size limit is reached. The default size is 512 bytes.

[edit security datapath-debug]
user@host# set capture-file my-capture format pcap size 1m files 5

[edit security datapath-debug]
user@host# set maximum-capture-size 1500

  3. Enable an action profile with packet-dump for both np-ingress and np-egress.

[edit security datapath-debug]
user@host# set action-profile do-capture event np-egress packet-dump

[edit security datapath-debug]
user@host# set action-profile do-capture event np-ingress packet-dump

  4. Enable the packet filter, action, and filter options. The packet filter is set to my-filter, and the action profile is set to do-capture. In packet-filter, different match criteria can be provided to capture specific traffic.

[edit security datapath-debug]
user@host# set packet-filter my-filter action-profile do-capture

[edit security datapath-debug]
user@host# set packet-filter my-filter source-prefix 1.2.3.4/32

Other packet filter options are also available:

[edit security datapath-debug]
user@host# set packet-filter my-filter ?
....
destination-port   Match TCP/UDP destination port
destination-prefix Destination IPv4/IPv6 address prefix
interface          Logical interface
protocol           Match IP protocol type
source-port        Match TCP/UDP source port
source-prefix      Source IPv4/IPv6 address prefix

Note: Be sure to configure multiple packet filters to capture traffic. One packet filter may capture traffic only as specified in it, such as from one source to one destination. The same packet filter will not capture traffic in the reverse direction. You need to configure another packet filter to capture traffic in the reverse direction and specify the source and destination according to the response packet in it.

Procedure for obtaining captured packets

When the configuration is complete, start the datapath-debug utility on the device. Note that the capture does not start by itself; you must start it manually.

To start the debug:

user@host> request security datapath-debug capture start

To stop the debug:

user@host> request security datapath-debug capture stop
  • Remember to stop the debug process after you have finished capturing data. If you attempt to open the captured files without stopping the debug process, the files obtained cannot be opened through any third-party software.

  • After the captures are complete, you will be able to view the packets in the Command Line Interface (CLI) in HEX format by using the following command:

 user@host> show security datapath-debug capture
  • If you would like to view the captured files in any third-party software (for example, Tcpdump, Wireshark), then you will need to remove certain fields in each of the packets. You need to log in as the root user to change the format.

    The following command must be run inside the shell and inside the /var/log directory. Here, the file that was configured under security datapath-debug is named my-capture, and the packets in the captured files are extracted to the file my-capture.pcap.

user@host> start shell
user@host% su
Password:
root@% pwd
(if the output is not /var/log, change to that directory first)
root@% cd /var/log
root@% e2einfo -Ccapture -Snormalize -I my-capture -F my-capture.pcap
successfully convert 124 packets
  • The files containing the captured data are under /var/log. View the files (capture-file and the packet-capture file created) under the /var/log directory.

root@% cd /var/log
root@% ls -l
total 18964
-rw-r--r-- 1 root wheel 80560 Apr 6 06:42 KR2
-rw-r----- 1 root wheel 774142 Apr 19 03:51 RPF-CHECK
-rw-r----- 1 root wheel 445638 Jun 21 11:48 RPF-CHECK-ON
-rw-r----- 1 root wheel 86453 Jun 2 20:31 RPF-CHECK-ON.0.gz
-rw-r--r-- 1 root wheel 275 Jul 20 19:38 __jsrpd_commit_check__
-rw-r--r-- 1 root wheel 0 Dec 21 2010 authd_sdb.log
-rw-r--r-- 1 root wheel 0 Jul 27 21:43 capture.pcap
-rw-r----- 1 root wheel 1975225 Aug 3 21:31 chassisd
-rw-r----- 1 root wheel 203000 Jul 1 08:52 chassisd.0.gz
-rw-r----- 1 root wheel 195019 Jun 3 10:20 chassisd.1.gz
-rw-r----- 1 root wheel 191531 Jun 3 09:49 chassisd.2.gz
-rw-r----- 1 root wheel 194656 Jun 3 08:54 chassisd.3.gz
-rw-r--r-- 1 root wheel 20835 Aug 3 21:23 cosd
-rw-r----- 1 root wheel 12672 Aug 3 21:34 datapcap
-rw-r--r-- 1 root wheel 10440 Aug 3 21:36 datapcap.pcap
-rw-r----- 1 root wheel 979500 Aug 3 21:26 dcd
-rw-r----- 1 root wheel 28712 Jun 3 06:44 dcd.0.gz
-rw-r----- 1 root wheel 27720 Jun 3 00:52 dcd.1.gz
-rw-r----- 1 root wheel 41132 Aug 3 21:26 debugtrace
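After the file has been converted and copied off the box, the following added check (example code, not part of the KB article or of Junos) confirms that the result is a libpcap file Wireshark can open and counts its records, so the count can be compared with the "successfully convert N packets" line from e2einfo. The sample pcap it exercises is constructed in memory; no SRX capture is assumed.

```python
import struct

# Classic libpcap magic values (usec and nsec timestamps) -> struct byte-order prefix.
PCAP_MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
              b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}
GLOBAL_HDR_LEN = 24  # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16  # ts_sec, ts_usec, incl_len, orig_len

def inspect_pcap(data: bytes) -> dict:
    """Walk a pcap byte string; return version, snaplen, linktype and packet count.
    Raises ValueError for anything Wireshark could not open (e.g. a raw capture file)."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("shorter than a pcap global header")
    order = PCAP_MAGIC.get(data[:4])
    if order is None:
        raise ValueError("no pcap magic; run e2einfo -Snormalize on the capture first")
    _, vmaj, vmin, _, _, snaplen, linktype = struct.unpack(
        order + "IHHiIII", data[:GLOBAL_HDR_LEN])
    offset, count = GLOBAL_HDR_LEN, 0
    while offset < len(data):
        if len(data) - offset < RECORD_HDR_LEN:
            raise ValueError(f"truncated record header after packet {count}")
        _, _, incl_len, orig_len = struct.unpack(
            order + "IIII", data[offset:offset + RECORD_HDR_LEN])
        # A captured length above snaplen or above the wire length is corruption.
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError(f"packet {count + 1}: captured length {incl_len} exceeds limit")
        if len(data) - offset - RECORD_HDR_LEN < incl_len:
            raise ValueError(f"packet {count + 1}: packet data truncated")
        offset += RECORD_HDR_LEN + incl_len
        count += 1
    return {"version": f"{vmaj}.{vmin}", "snaplen": snaplen,
            "linktype": linktype, "packets": count}

def is_readable_pcap(data: bytes) -> bool:
    """True when inspect_pcap accepts the data, False on any format error."""
    try:
        inspect_pcap(data)
        return True
    except ValueError:
        return False

def build_sample_pcap(payloads, snaplen=1500):
    """Constructed sample only: a little-endian Ethernet (linktype 1) pcap built in
    memory so the checker can be exercised without a real SRX capture file."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, p in enumerate(payloads):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(p), len(p)) + p
    return out
```

On a real host, pass the converted file to inspect_pcap (for example, the contents of my-capture.pcap); the unconverted capture file my-capture is expected to fail the magic check.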

When troubleshooting is finished, remove all traceoptions configurations (not limited to flow traceoptions) and the complete datapath-debug configuration. If any part of the debugging configuration remains active, it will continue using the resources of the device (CPU/memory).


Modification History:

2018-10-11: Command corrected in Solution section to root@% e2einfo -Ccapture -Snormalize -I my-capture -F my-capture.pcap.

2018-09-24: Updated the IPv6 limitation warning, which was corrected in 15.1X49-D30 and later, and reviewed the article for clarity and accuracy.

2017-04-16: Added a link to this example, which is now also documented in the technical documentation.
