This article explains how to create a packet capture on a high-end SRX device that can be read via Wireshark or Ethereal. This also applies to high-end chassis clusters.
Note: The solution provided in this article is also documented more formally here: Example: Configuring End-to-End Debugging on SRX Series Device
The procedure in this article is applicable for the following devices:
- SRX1400
- SRX3400
- SRX3600
- SRX5400
- SRX5600
- SRX5800
For more information about obtaining packet captures on branch devices, refer to KB11709 - [SRX] How to Create a PCAP packet capture on a J-Series or SRX Branch device.
Packet capture on high-end SRX devices is done with the help of the datapath-debug utility. Datapath debugging provides tracing and debugging utilities for multiple processing units along the packet-processing path.
For more information about datapath-debug, refer to Understanding Data Path Debugging for SRX Series Devices.
WARNING: Datapath-debug should not be used in IPv6 environments when hash-based session distribution is in use on Junos OS releases prior to Junos OS 15.1X49-D30.
Check the session distribution mode before enabling the capture; it is shown under "Flow session distribution" in the output of show security flow status:
root@SRX5K> show security flow status
Flow forwarding mode:
Inet forwarding mode: flow based
Inet6 forwarding mode: drop
MPLS forwarding mode: drop
ISO forwarding mode: drop
Flow trace status
Flow tracing status: off
Flow session distribution
Distribution mode: Hash-based
Flow ipsec performance acceleration: off
Flow packet ordering
Ordering mode: Hardware
- Enter the security datapath-debug configuration hierarchy. The statements under it control the capture on the multiple processing units along the packet-processing path:
[edit]
user@host# edit security datapath-debug
- Enable the capture file, file format, file size, and number of files. The size value limits the size of each capture file. After the size limit is reached, if a file count is specified, the capture file is rotated to filename x, where x is auto-incremented until it reaches the specified count and then returns to zero. If no file count is specified, packets are discarded once the size limit is reached. The default size is 512 bytes. The maximum-capture-size statement sets how many bytes of each packet are captured; 1500 keeps a full Ethernet-sized payload.
[edit security datapath-debug]
user@host# set capture-file my-capture format pcap size 1m files 5
[edit security datapath-debug]
user@host# set maximum-capture-size 1500
- Enable an action profile with packet-dump for both the np-ingress and np-egress events:
[edit security datapath-debug]
user@host# set action-profile do-capture event np-egress packet-dump
[edit security datapath-debug]
user@host# set action-profile do-capture event np-ingress packet-dump
- Enable the packet filter, bind it to the action profile, and add match criteria. Here the packet filter is named my-filter and the action profile is do-capture. Under packet-filter, different match criteria can be combined so that only the traffic of interest is captured:
[edit security datapath-debug]
user@host# set packet-filter my-filter action-profile do-capture
[edit security datapath-debug]
user@host# set packet-filter my-filter source-prefix 1.2.3.4/32
Other packet filter options are also available:
[edit security datapath-debug]
user@host# set packet-filter my-filter ?
....
destination-port Match TCP/UDP destination port
destination-prefix Destination IPv4/IPv6 address prefix
interface Logical interface
protocol Match IP protocol type
source-port Match TCP/UDP source port
source-prefix Source IPv4/IPv6 address prefix
Note: A packet filter matches only the direction it describes. A filter written for one source and one destination captures packets from that source to that destination, not the replies. To capture both directions of a flow, configure a second packet filter with the source and destination (and, if used, the ports) swapped to match the response packets.
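The configuration steps above, gathered into one worked example that is added here and is not code from the original article or from Juniper: a small Python generator that emits the set commands for the capture file, the action profile, and a pair of packet filters (one per direction, as the note requires), together with the delete commands for the cleanup at the end of the article. The names my-capture, do-capture and my-filter come from the article; the helper functions, the -fwd/-rev filter suffixes, the numeric form of the protocol match, and the ipv6_hash_ok guard (which enforces the IPv6 warning above by refusing IPv6 prefixes until the caller confirms the release or distribution mode is not affected) are assumptions of this example. It only produces text to paste into configure mode; it does not talk to a device.

```python
"""Generate Junos 'set'/'delete' commands for a bidirectional datapath-debug capture.

Added example for this article, not Juniper code. Output is plain text meant to be
reviewed and then pasted into configure mode; nothing here talks to a device.
"""
import ipaddress
from typing import List, Optional

BASE = "set security datapath-debug"


def capture_commands(capture: str = "my-capture", profile: str = "do-capture",
                     size: str = "1m", files: int = 5, snaplen: int = 1500) -> List[str]:
    """Capture file with rotation, per-packet capture size, and the packet-dump
    action profile on both the ingress and egress network-processor events."""
    return [
        f"{BASE} capture-file {capture} format pcap size {size} files {files}",
        f"{BASE} maximum-capture-size {snaplen}",
        f"{BASE} action-profile {profile} event np-ingress packet-dump",
        f"{BASE} action-profile {profile} event np-egress packet-dump",
    ]


def filter_commands(name: str, profile: str, src: str, dst: str,
                    protocol: Optional[int] = None,
                    sport: Optional[int] = None, dport: Optional[int] = None,
                    ipv6_hash_ok: bool = False) -> List[str]:
    """Two packet filters for one flow: <name>-fwd matches src -> dst and
    <name>-rev matches the replies (prefixes and ports swapped).

    A single filter only matches the direction it describes, so both are
    needed to see request and response in the same capture.
    """
    src_net = ipaddress.ip_network(src, strict=False)
    dst_net = ipaddress.ip_network(dst, strict=False)
    if src_net.version != dst_net.version:
        raise ValueError("source and destination must be the same IP version")
    if src_net.version == 6 and not ipv6_hash_ok:
        # Article warning: datapath-debug with IPv6 and hash-based session
        # distribution is unsafe before Junos OS 15.1X49-D30. The caller must
        # confirm the release or distribution mode before this is lifted.
        raise ValueError("IPv6 capture refused: check session distribution mode "
                         "and Junos release first, then pass ipv6_hash_ok=True")
    for port in (sport, dport):
        if port is not None and not 0 <= port <= 65535:
            raise ValueError(f"invalid port {port}")
    if protocol is not None and not 0 <= protocol <= 255:
        raise ValueError(f"invalid IP protocol number {protocol}")

    def one(fname: str, s_net, d_net, s_port, d_port) -> List[str]:
        cmds = [f"{BASE} packet-filter {fname} action-profile {profile}",
                f"{BASE} packet-filter {fname} source-prefix {s_net}",
                f"{BASE} packet-filter {fname} destination-prefix {d_net}"]
        if protocol is not None:
            cmds.append(f"{BASE} packet-filter {fname} protocol {protocol}")
        if s_port is not None:
            cmds.append(f"{BASE} packet-filter {fname} source-port {s_port}")
        if d_port is not None:
            cmds.append(f"{BASE} packet-filter {fname} destination-port {d_port}")
        return cmds

    return (one(f"{name}-fwd", src_net, dst_net, sport, dport)
            + one(f"{name}-rev", dst_net, src_net, dport, sport))


def cleanup_commands() -> List[str]:
    """Remove the debugging configuration once troubleshooting is done so it
    stops consuming CPU and memory. Add any other traceoptions you enabled."""
    return ["delete security datapath-debug",
            "delete security flow traceoptions"]


if __name__ == "__main__":
    # Constructed example: capture HTTPS from one client to one server.
    cmds = capture_commands() + filter_commands(
        "my-filter", "do-capture", "1.2.3.4/32", "10.0.0.10", protocol=6, dport=443)
    print("\n".join(cmds))
    print("# after 'request security datapath-debug capture stop' and e2einfo:")
    print("\n".join(cleanup_commands()))
```

Running the script prints the ten set commands for the filters plus the four for the capture file and action profile; the -rev filter carries destination-prefix 1.2.3.4/32 and source-port 443, which is exactly the swap the note above asks for. Keep the output under review before committing: a filter with no match criteria would capture everything the action profile sees.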
Procedure for obtaining captured packets
When the configuration is complete, start the datapath-debug utility on the device. The capture does not start by itself; you must start it manually.
To start the debug:
user@host> request security datapath-debug capture start
To stop the debug:
user@host> request security datapath-debug capture stop
- Remember to stop the debug process after you have finished capturing data. If you attempt to open the captured files without stopping the debug process, the files obtained cannot be opened with any third-party software.
- After the captures are complete, you can view the packets in the Command Line Interface (CLI) in HEX format with the following command:
user@host> show security datapath-debug capture
- To view the captured files in third-party software (for example, tcpdump or Wireshark), certain fields must be removed from each packet. You need to log in as the root user to change the format.
The following command must be run from the shell, inside the /var/log directory. Here, the capture file configured under security datapath-debug is named my-capture, and the packets from the captured files are extracted to the file my-capture.pcap.
user@host> start shell
user@host% su
Password :
root% pwd
If you are not in /var/log;
root@% cd /var/log
root@% e2einfo -Ccapture -Snormalize -I my-capture -F my-capture.pcap
successfully convert 124 packets
root@% cd /var/log
root@% ls -l
total 18964
-rw-r--r-- 1 root wheel 80560 Apr 6 06:42 KR2
-rw-r----- 1 root wheel 774142 Apr 19 03:51 RPF-CHECK
-rw-r----- 1 root wheel 445638 Jun 21 11:48 RPF-CHECK-ON
-rw-r----- 1 root wheel 86453 Jun 2 20:31 RPF-CHECK-ON.0.gz
-rw-r--r-- 1 root wheel 275 Jul 20 19:38 __jsrpd_commit_check__
-rw-r--r-- 1 root wheel 0 Dec 21 2010 authd_sdb.log
-rw-r--r-- 1 root wheel 0 Jul 27 21:43 capture.pcap
-rw-r----- 1 root wheel 1975225 Aug 3 21:31 chassisd
-rw-r----- 1 root wheel 203000 Jul 1 08:52 chassisd.0.gz
-rw-r----- 1 root wheel 195019 Jun 3 10:20 chassisd.1.gz
-rw-r----- 1 root wheel 191531 Jun 3 09:49 chassisd.2.gz
-rw-r----- 1 root wheel 194656 Jun 3 08:54 chassisd.3.gz
-rw-r--r-- 1 root wheel 20835 Aug 3 21:23 cosd
-rw-r----- 1 root wheel 12672 Aug 3 21:34 datapcap
-rw-r--r-- 1 root wheel 10440 Aug 3 21:36 datapcap.pcap
-rw-r----- 1 root wheel 979500 Aug 3 21:26 dcd
-rw-r----- 1 root wheel 28712 Jun 3 06:44 dcd.0.gz
-rw-r----- 1 root wheel 27720 Jun 3 00:52 dcd.1.gz
-rw-r----- 1 root wheel 41132 Aug 3 21:26 debugtrace
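A check on the converted file, added here as an example that is not part of the article or of Juniper's e2einfo tool: it parses the libpcap global header and walks every record, returning the packet count (which should match the "successfully convert N packets" line from e2einfo), the snaplen and link type, and whether any record is cut off or malformed, which are the usual reasons a file refuses to open in Wireshark. The function build_sample_pcap() is a constructed stand-in for my-capture.pcap; the function names and the hint text in the error messages are this example's own.

```python
"""Sanity-check a libpcap file before handing it to Wireshark.

Added example, not part of the article or of Juniper's e2einfo. It reads the
24-byte global header, walks the per-packet records, and fails loudly on the
usual reasons a capture will not open: wrong magic, a record longer than
snaplen, or a record cut off at end of file.
"""
import struct
import sys
from typing import Dict

# Magic number -> (struct byte-order prefix, timestamp fraction unit)
PCAP_MAGIC = {
    b"\xd4\xc3\xb2\xa1": ("<", "us"),
    b"\xa1\xb2\xc3\xd4": (">", "us"),
    b"\x4d\x3c\xb2\xa1": ("<", "ns"),
    b"\xa1\xb2\x3c\x4d": (">", "ns"),
}
GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16


def inspect_pcap(data: bytes) -> Dict[str, int]:
    """Return header fields and record statistics, or raise ValueError naming
    the byte offset of the first structural problem."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("file shorter than a pcap global header")
    try:
        order, _ts_unit = PCAP_MAGIC[data[:4]]
    except KeyError:
        raise ValueError(f"not a libpcap file: magic {data[:4].hex()}") from None
    ver_major, ver_minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
        order + "HHiIII", data[4:GLOBAL_HDR_LEN])

    offset = GLOBAL_HDR_LEN
    packets = truncated = on_wire = 0
    while offset < len(data):
        if len(data) - offset < RECORD_HDR_LEN:
            raise ValueError(f"record header cut off at byte {offset}")
        _sec, _frac, incl_len, orig_len = struct.unpack(
            order + "IIII", data[offset:offset + RECORD_HDR_LEN])
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError(f"record {packets + 1} at byte {offset}: incl_len "
                             f"{incl_len} exceeds snaplen {snaplen} or orig_len {orig_len}")
        if len(data) - offset - RECORD_HDR_LEN < incl_len:
            raise ValueError(f"record {packets + 1} at byte {offset} is cut off: "
                             "was the capture stopped before the file was converted?")
        if orig_len > incl_len:
            truncated += 1          # only snaplen bytes of this packet were kept
        on_wire += orig_len
        packets += 1
        offset += RECORD_HDR_LEN + incl_len

    return {"version_major": ver_major, "version_minor": ver_minor,
            "snaplen": snaplen, "linktype": linktype,
            "packets": packets, "truncated": truncated, "bytes_on_wire": on_wire}


def build_sample_pcap(snaplen: int = 1500) -> bytes:
    """Constructed stand-in for my-capture.pcap: little-endian, link type 1
    (Ethernet), three records, the second one longer than snaplen."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    frames = [(60, 60), (snaplen, 1514), (98, 98)]   # (incl_len, orig_len)
    out = [hdr]
    for i, (incl, orig) in enumerate(frames):
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, incl, orig))
        out.append(bytes([0xAA + i]) * incl)          # dummy frame bytes
    return b"".join(out)


if __name__ == "__main__":
    # Usage: python3 pcapcheck.py /var/log/my-capture.pcap
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    print(inspect_pcap(blob))
```

On the constructed sample the result is 3 packets, 1 of them truncated to snaplen, 1672 bytes on the wire. On a real file, compare the snaplen reported here with the maximum-capture-size you configured and the packet count with e2einfo's "successfully convert" line; a cut-off last record is the first thing to look for when a file that was copied off the box refuses to open.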
When troubleshooting is finished, remove all traceoptions configurations (not limited to flow traceoptions) and the complete datapath-debug configuration. If any part of the debugging configuration remains active, it will continue to consume device resources (CPU/memory).