Knowledge Search


[SRX] Example - How to create a PCAP packet capture on high-end SRX devices

  [KB21563] Show Article Properties


This article explains how to create a PCAP packet capture on an SRX high-end device that can be read via Wireshark or Ethereal. This also applies to high-end chassis clusters.


How to capture packets on a high-end SRX device. This is applicable for the following devices:

  • SRX1400
  • SRX3400
  • SRX3600
  • SRX5400
  • SRX5600
  • SRX5800

For information about obtaining packet captures on branch devices, refer to KB11709 - [SRX] How to Create a PCAP packet capture on a J-Series or SRX Branch device.


Packet capture on SRX high-end devices is done with the help of the datapath-debug utility. Datapath debugging provides tracing and debugging utilities to multiple processing units along the packet-processing path.

For more information on datapath-debug, refer to Understanding Data Path Debugging for SRX Series Devices.

WARNING: Datapath-debug should not be used in IPv6 environments when using hash-based session distribution.
               The session distribution method in use can be located as follows:

root@SRX5K> show security flow status
  Flow forwarding mode:
  Inet forwarding mode: flow based
  Inet6 forwarding mode: drop
  MPLS forwarding mode: drop
  ISO forwarding mode: drop
Flow trace status
  Flow tracing status: off
Flow session distribution
  Distribution mode: Hash-based
Flow ipsec performance acceleration: off
Flow packet ordering
  Ordering mode: Hardware

Note: The following steps are also documented more formally here: Example: Configuring End-to-End Debugging on SRX Series Device.

  1. Edit the security datapath-debug option for the multiple processing units along the packet-processing path:

    user@host# edit security datapath-debug

  2. Enable the capture file, the file format, the file size, and the number of files. The size number limits the size of the capture file. After the limit size is reached, if the file number is specified, then the capture file will be rotated to filename x, where x is auto-incremented until it reaches the specified index and then returns to zero. If no file index is specified, the packets will be discarded after the size limit is reached. The default size is 512 bytes.

    [edit security datapath-debug]
    user@host# set capture-file my-capture format pcap size 1m files 5

    [edit security datapath-debug]
    user@host# set maximum-capture-size 1500

  3. Enable action profile <profile-name> with packet-dump for both np-ingress and np-egress.

    [edit security datapath-debug]
    user@host# set action-profile do-capture event np-egress packet-dump

    [edit security datapath-debug]
    user@host# set action-profile do-capture event np-ingress packet-dump

  4. Enable packet filter, action, and filter options. The packet filter is set to my-filter, and the action profile is set to do-capture. In the packet-filter, different match criteria can be provided to capture specific traffic.

    [edit security datapath-debug]
    user@host# set packet-filter my-filter action-profile do-capture

    [edit security datapath-debug]
    user@host# set packet-filter my-filter source-prefix

    Other packet filter options are available:

    [edit security datapath-debug]
    user@host# set packet-filter my-filter ?
    destination-port   Match TCP/UDP destination port
    destination-prefix Destination IPv4/IPv6 address prefix
    interface          Logical interface
    protocol           Match IP protocol type
    source-port        Match TCP/UDP source port
    source-prefix      Source IPv4/IPv6 address prefix


Note: Be sure to configure multiple packet filters to capture the traffic. One packet filter only captures the traffic as specified in it, such as from one source to one destination. The same packet filter will not capture the traffic in the reverse direction. You need to configure another packet filter to capture the traffic in reverse direction and specify the source and destination according to the response packet in it.

Procedure for obtaining the captured packets:

When the configuration is complete, start the datapath-debug utility in the device. Capture does not start by itself; you must manually start it.

To start the debug:

user@host> request security datapath-debug capture start

To stop the debug:

user@host> request security datapath-debug capture stop
  • Remember to stop the debug process after you have finished capturing the data. If you attempt to open the captured files without stopping the debug process, the files obtained cannot be opened through any third-party software.
  • After the captures are complete, you will be able to view the packets in the CLI in HEX format using the command:

     user@host> show security datapath-debug capture
  • If you would like to view the captured files in any third-party software (e.g., Tcpdump, Wireshark), then you will need to remove certain fields in each of the packets. You need to log in as root user to change the format.

    The following command must be run inside the shell and inside the /var/log directory. Here, the file that was configured under security datapath-debug is named my-capture, and the packets in the captured files are extracted to the file my-capture.pcap.

user@host> start shell
user@host% su
Password :
root% pwd
If you are not in /var/log;
root@% cd /var/log
root@% e2einfo -Ccapture -Snormalize -I my-capture -F my-capture.pcap

sucessfully convert 124 packets

The files containing the captured data are under /var/log. View the files (capture-file and the packet-capture file created) under the /var/log directory.

root@% cd /var/log
root@% ls -l
total 18964
-rw-r--r-- 1 root wheel 80560 Apr 6 06:42 KR2
-rw-r----- 1 root wheel 774142 Apr 19 03:51 RPF-CHECK
-rw-r----- 1 root wheel 445638 Jun 21 11:48 RPF-CHECK-ON
-rw-r----- 1 root wheel 86453 Jun 2 20:31 RPF-CHECK-ON.0.gz
-rw-r--r-- 1 root wheel 275 Jul 20 19:38 __jsrpd_commit_check__
-rw-r--r-- 1 root wheel 0 Dec 21 2010 authd_sdb.log
-rw-r--r-- 1 root wheel 0 Jul 27 21:43 capture.pcap
-rw-r----- 1 root wheel 1975225 Aug 3 21:31 chassisd
-rw-r----- 1 root wheel 203000 Jul 1 08:52 chassisd.0.gz
-rw-r----- 1 root wheel 195019 Jun 3 10:20 chassisd.1.gz
-rw-r----- 1 root wheel 191531 Jun 3 09:49 chassisd.2.gz
-rw-r----- 1 root wheel 194656 Jun 3 08:54 chassisd.3.gz
-rw-r--r-- 1 root wheel 20835 Aug 3 21:23 cosd
-rw-r----- 1 root wheel 12672 Aug 3 21:34 datapcap
-rw-r--r-- 1 root wheel 10440 Aug 3 21:36 datapcap.pcap

-rw-r----- 1 root wheel 979500 Aug 3 21:26 dcd
-rw-r----- 1 root wheel 28712 Jun 3 06:44 dcd.0.gz
-rw-r----- 1 root wheel 27720 Jun 3 00:52 dcd.1.gz
-rw-r----- 1 root wheel 41132 Aug 3 21:26 debugtrace
When troubleshooting is finished, remove all traceoptions configurations (not limited to flow traceoptions) and the complete datapath-debug configuration, including the datapath-debug configuration for packet capturing (packet-dump) which needs to be started/stopped manually. If any part of the debugging configuration remains active, it will continue using the resources of the device (CPU/memory).
Modification History:
2017-04-16: Added link to this example now documented in the technical documentation too. 
Related Links: