
Using Packet Capture to Analyze Network Traffic

Packet Capture Overview

Packet capture is a tool that helps you to analyze network traffic and troubleshoot network problems. The packet capture tool captures real-time data packets traveling over the network for monitoring and logging.

Note:

Packet capture is supported on physical interfaces, reth interfaces, and tunnel interfaces, such as gr, ip, and lsq-/ls. However, packet capture is not supported on secure tunnel interface (st0).

Packets are captured as binary data, without modification. You can read the packet information offline with a packet analyzer such as Wireshark or tcpdump. If you need to quickly capture packets destined for or originating from the Routing Engine and analyze them online, you can use the J-Web packet capture diagnostic tool.

Note:

The packet capture tool does not support IPv6 packet capture.

You can use either the J-Web configuration editor or CLI configuration editor to configure packet capture.

Network administrators and security engineers use packet capture to perform the following tasks:

  • Monitor network traffic and analyze traffic patterns.

  • Identify and troubleshoot network problems.

  • Detect security breaches in the network, such as unauthorized intrusions, spyware activity, or ping scans.

Packet capture operates like traffic sampling on the device, except that it captures entire packets including the Layer 2 header and saves the contents to a file in libpcap format. Packet capture also captures IP fragments.

You cannot enable packet capture and traffic sampling on the device at the same time. Unlike traffic sampling, there are no tracing operations for packet capture.

Note:

You can enable packet capture and port mirroring simultaneously on a device.


Packet Capture on Device Interfaces

Packet capture is supported on the T1, T3, E1, E3, serial, Gigabit Ethernet, ADSL, G.SHDSL, PPPoE, and ISDN interfaces.

To capture packets on an ISDN interface, configure packet capture on the dialer interface. To capture packets on a PPPoE interface, configure packet capture on the PPPoE logical interface.

Packet capture supports PPP, Cisco HDLC, Frame Relay, and ATM encapsulations. It also supports Multilink PPP (MLPPP), Multilink Frame Relay end-to-end (MLFR), and Multilink Frame Relay UNI/NNI (MFR) encapsulations.

You can capture all IPv4 packets flowing on an interface in the inbound or outbound direction. However, packets that bypass the flow software module (Routing Engine-generated protocol packets such as ARP, OSPF, and PIM) are not captured unless you have configured and applied a firewall filter on the interface in the outbound direction.

Tunnel interfaces support packet capture in the outbound direction only.

Use the J-Web configuration editor or CLI configuration editor to specify the maximum packet size, the filename to be used for storing the captured packets, the maximum file size, the maximum number of packet capture files, and the file permissions.

Note:

For packets captured on T1, T3, E1, E3, serial, and ISDN interfaces in the outbound (egress) direction, the size of the packet captured might be 1 byte less than the maximum packet size configured because of the packet loss priority (PLP) bit.

To modify encapsulation on an interface with packet capture configured, you must disable packet capture.

Firewall Filters for Packet Capture

When you enable packet capture on a device, all packets flowing in the direction specified in packet capture configuration (inbound, outbound, or both) are captured and stored. Configuring an interface to capture all packets might degrade the performance of the device. You can control the number of packets captured on an interface with firewall filters and specify various criteria to capture packets for specific traffic flows.

You must also configure and apply appropriate firewall filters on the interface if you need to capture packets generated by the host device, because interface sampling does not capture packets originating from the host device.

Packet Capture Files

When packet capture is enabled on an interface, the entire packet including the Layer 2 header is captured and stored in a file. You can specify the maximum size of the packet to be captured, up to 1500 bytes. Packet capture creates one file for each physical interface.

File creation and storage take place as follows. Suppose you name the packet capture file pcap-file. Packet capture creates one file per physical interface, suffixing each file with the interface name with the slashes replaced by dots; for example, pcap-file.fe-0.0.1 for the Fast Ethernet interface fe-0/0/1. When pcap-file.fe-0.0.1 reaches the maximum size, it is renamed pcap-file.fe-0.0.1.0 and a new pcap-file.fe-0.0.1 is started. The next time pcap-file.fe-0.0.1 reaches the maximum size, pcap-file.fe-0.0.1.0 is renamed pcap-file.fe-0.0.1.1 and pcap-file.fe-0.0.1 is renamed pcap-file.fe-0.0.1.0. This rotation continues until the maximum number of files is reached, after which the oldest file is overwritten. The unsuffixed file, pcap-file.fe-0.0.1, is always the newest; the higher the numeric suffix, the older the file.

Packet capture files are not removed even after you disable packet capture on an interface.

Analysis of Packet Capture Files

Packet capture files are stored in libpcap format in the /var/tmp directory. You can control whether the files are readable by all users of the device (world-readable) or only by their owner (no-world-readable). Because a capture holds the full contents of each packet, including any cleartext credentials or payload, make the files world-readable only if other users of the device need to read them.

Packet capture files can be opened and analyzed offline with tcpdump or any packet analyzer that recognizes the libpcap format. You can also use FTP or Secure Copy Protocol (SCP) to transfer the packet capture files to an external device. SCP is preferable, because FTP sends both the login credentials and the capture itself in cleartext.

Note:

Disable packet capture before opening the file for analysis or transferring the file to an external device with FTP or SCP. Disabling packet capture ensures that the internal file buffer is flushed and all the captured packets are written to the file.

Packet Capture from Operational Mode

Data path debugging, or end-to-end debugging, provides tracing and debugging at multiple processing units along the packet-processing path. Packet capture is one of the data path debugging functions. You can run packet capture from operational mode, with minimal impact on the production system and without committing any configuration.

You define a packet filter to select which packets to capture. The filter can match on logical interface, protocol, source IP address prefix, source port, destination IP address prefix, and destination port. You can modify the file name, file type, file size, and capture size of the packet capture output. You can also define a second filter, and swap the values of the filters.

Packet capture from operational mode is supported on SRX4600, SRX5400, SRX5600, and SRX5800.

To capture packets from the operational mode, you must perform the following steps:

  1. From operational mode, define a packet filter for the traffic you want to trace by using the request packet-capture start CLI command. See request packet-capture start for the available filter options.
  2. Let the device capture the required packets.
  3. Stop the capture with the request packet-capture stop CLI command, or let it stop automatically once the requested number of packets has been collected.
  4. View or analyze the captured packet data.

Limitations of capturing packets from operational mode are:

  1. Configuration mode packet capture and operational mode packet capture cannot coexist.

  2. Operational mode packet capture is a one-time operation; the system does not store a history of this command.

  3. Use operational mode packet capture only when the traffic rate is low.

Example: Enable Packet Capture and Configure Firewall Filter on a Device

This example shows how to enable packet capture, configure a firewall filter for packet capture, and apply the filter to a logical interface on a device. The firewall filter restricts the amount of traffic that is captured, so that you can analyze the traffic of interest and troubleshoot network problems without capturing everything on the interface.

Requirements

Before you begin:

Overview

In this example, you set the maximum size of each captured packet to 500 bytes. The range is from 68 through 1500 bytes, and the default is 68 bytes. You specify the target filename for the packet capture files as pcap-file. You then specify the maximum number of files as 100. The range is from 2 through 10,000, and the default is 10 files. You set the maximum size of each file to 1024 bytes. The range is from 1,024 through 104,857,600 bytes, and the default is 512,000 bytes. (With a 500-byte capture size and a 1024-byte file limit, each file holds only a packet or two; these values keep the example small and are not suited to a production capture.)

You create a firewall filter called dest-all with a term called dest-term that matches packets sent to the destination address 192.168.1.1/32. The term's action samples the matching packets, which is what causes them to be captured, and accepts them. Finally, you apply the dest-all filter to all outgoing packets on interface fe-0/0/1.

If you apply a firewall filter on the loopback interface, it affects all traffic to and from the Routing Engine. If the firewall filter has a sample action, packets to and from the Routing Engine are sampled. If packet capture is enabled, then packets to and from the Routing Engine are captured in the files created for the input and output interfaces.

You specify that all users have permission to read the packet capture files.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To enable packet capture on a device:

  1. Set the maximum packet capture size.

  2. Specify the target filename.

  3. Specify the maximum number of files to capture.

  4. Specify the maximum size of each file.

  5. Specify that all users have permission to read the file.

  6. Configure firewall filter for packet capture.

  7. Define the match condition and its action. Because a Junos firewall filter ends with an implicit discard, the allow-all-else term is needed so that the SRX does not drop all other traffic on the interface.

  8. Apply the firewall filter on the interface to capture the incoming and outgoing packets.

  9. Commit to activate the packet capture.

  10. Deactivate packet capture to stop collecting packets.
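The command listing for this example is not present on this page, so the following is an added reconstruction of the configuration described in the Overview and in steps 1 through 10, written as Junos set commands for the [edit] hierarchy; it is not the page's own listing. The values (500-byte capture size, pcap-file, 100 files of 1024 bytes, world-readable, filter dest-all with terms dest-term and allow-all-else, destination 192.168.1.1/32, interface fe-0/0/1) come from the page; the logical unit 0 is an assumption, and lines beginning with # are explanatory comments, not CLI input.

```junos
# Steps 1-5: capture parameters. world-readable lets every user on the device read
# the captures; use no-world-readable if the payloads may be sensitive.
set forwarding-options packet-capture maximum-capture-size 500
set forwarding-options packet-capture file filename pcap-file
set forwarding-options packet-capture file files 100
set forwarding-options packet-capture file size 1024
set forwarding-options packet-capture file world-readable

# Steps 6-7: sample (and therefore capture) packets to 192.168.1.1, then accept them.
# The allow-all-else term is required: a filter ends with an implicit discard, so
# without it every packet that is not to 192.168.1.1 would be dropped.
set firewall filter dest-all term dest-term from destination-address 192.168.1.1/32
set firewall filter dest-all term dest-term then sample
set firewall filter dest-all term dest-term then accept
set firewall filter dest-all term allow-all-else then accept

# Step 8: apply in the output direction on fe-0/0/1 unit 0 (unit 0 is assumed).
# Apply the same filter with "filter input dest-all" to capture on ingress as well.
set interfaces fe-0/0/1 unit 0 family inet filter output dest-all

# Results: confirm from configuration mode, then step 9, commit.
show forwarding-options
show firewall filter dest-all
commit

# Step 10: stop writing to the capture files when the capture is no longer needed.
deactivate forwarding-options packet-capture
commit
```

The deactivate and commit at the end also flush the internal buffer, so run them before copying or reading any capture file. The files themselves remain in /var/tmp until you delete them.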

Results

From configuration mode, confirm your configuration by entering the run show forwarding-options and run show firewall filter dest-all commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying the Firewall Filter for Packet Capture Configuration

Purpose

Verify that the firewall filter for packet capture is configured on the device.

Action

From configuration mode, enter the run show forwarding-options and run show firewall filter dest-all commands. Verify that the output shows the intended file configuration for capturing packets sent to the destination address.

Purpose

Verify that the captured packets are stored under the /var/tmp directory on the device.

Action

From operational mode, enter the file list /var/tmp/ command.

Verifying Captured Packets

Purpose

Verify that the packet capture file is stored under the /var/tmp directory and the packets can be analyzed offline.

Action
  1. Disable packet capture.

    Using FTP (or SCP, which protects the capture and your credentials in transit), transfer a packet capture file (for example, 126b.fe-0.0.1) to a server where you have installed packet analyzer tools (for example, tools-server).

    1. From configuration mode, connect to tools-server using FTP.

    2. Navigate to the directory where packet capture files are stored on the device.

    3. Copy the packet capture file that you want to analyze (for example, 126b.fe-0.0.1) to the server.

    4. Return to configuration mode.

  2. Open the packet capture file on the server with tcpdump or any packet analyzer that supports the libpcap format and review the output.
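As an added example that is not part of the original page, the same export performed from the device CLI, using the pcap-file name from the configuration example above rather than 126b. It assumes an SCP-capable server named tools-server, a user named analyst, and a destination directory /var/tmp/captures/ on that server. The deactivate and commit come first so that the buffer is flushed; file list and file copy are operational-mode commands, so prefix them with run if you stay in configuration mode. Lines beginning with # are comments, not CLI input.

```junos
# Configuration mode: stop the capture so the internal buffer is flushed to disk.
deactivate forwarding-options packet-capture
commit

# Operational mode (or "run file ..." from configuration mode).
# List the rotated files for fe-0/0/1; the unsuffixed file is the newest.
file list /var/tmp/pcap-file.fe-0.0.1*

# Copy over SCP rather than FTP: FTP sends the credentials and the capture in cleartext.
# "analyst", "tools-server" and the destination directory are assumptions.
file copy /var/tmp/pcap-file.fe-0.0.1 scp://analyst@tools-server/var/tmp/captures/

# Configuration mode: resume capturing when you are ready.
activate forwarding-options packet-capture
commit
```

On tools-server, read the file with tcpdump -nr pcap-file.fe-0.0.1 or open it in Wireshark. The -n option suppresses name resolution, so reviewing a capture of suspect traffic does not cause your analysis host to issue DNS lookups for the addresses it contains.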

Example: Configure Packet Capture on an Interface

This example shows how to configure packet capture on an interface to analyze traffic.

Requirements

Before you begin:

Overview

In this example, you configure the logical interface on fe-0/0/1 and set the direction of the traffic for which packet capture is enabled to both inbound and outbound.

Note:

On traffic that bypasses the flow software module (protocol packets such as ARP, OSPF, and PIM), packets generated by the Routing Engine are not captured unless you have configured and applied a firewall filter on the interface in the output direction.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure packet capture on an interface:

  1. Configure the logical interface.

  2. Configure the direction of the traffic.

  3. If you are done configuring the device, commit the configuration.
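The set commands for this example are not present on this page; the following is an added reconstruction (not the page's own listing) of the steps above, for logical unit 0 of fe-0/0/1, which is an assumption. It assumes packet capture is already enabled under forwarding-options packet-capture, as in the previous example; the sampling statement only selects which traffic on this interface is written to the capture file. Lines beginning with # are comments, not CLI input.

```junos
# Step 1-2: capture both directions on the logical interface (unit 0 is assumed).
# Keep only "input" or only "output" to capture a single direction; fewer captured
# packets means less load on the device and smaller files to protect afterwards.
set interfaces fe-0/0/1 unit 0 family inet sampling input
set interfaces fe-0/0/1 unit 0 family inet sampling output

# Confirm the sampling statement, then step 3, commit.
show interfaces fe-0/0/1
commit

# Verification: the operational-mode view of the interface, as in the Action below.
run show interfaces fe-0/0/1
```

Note that configuration-mode show interfaces fe-0/0/1 displays the configured sampling statement, whereas run show interfaces fe-0/0/1 displays the running interface state.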

Verification

Verifying the Packet Capture Configuration

Purpose

Confirm that the configuration is working properly.

Verify that packet capture is configured on the interface.

Action

From configuration mode, enter the run show interfaces fe-0/0/1 command.

Disable Packet Capture

You must disable packet capture before opening the packet capture file for analysis or transferring the file to an external device. Disabling packet capture ensures that the internal file buffer is flushed and all the captured packets are written to the file.

To disable packet capture, enter from configuration mode:

If you are done configuring the device, enter commit from configuration mode.

Modify Encapsulation on Interfaces with Packet Capture Configured

Before modifying the encapsulation on a device interface that is configured for packet capture, you must disable packet capture and rename the latest packet capture file. Otherwise, packet capture saves the packets with different encapsulations in the same packet capture file. Packet files containing packets with different encapsulations are not useful, because packet analyzer tools like tcpdump cannot analyze such files.

After modifying the encapsulation, you can safely reenable packet capture on the device.

To change the encapsulation on interfaces with packet capture configured:

  1. Disable packet capture (see Disabling Packet Capture).
  2. Enter commit from configuration mode.
  3. Rename the latest packet capture file on which you are changing the encapsulation with the .chdsl extension.
    1. From operational mode, access the local UNIX shell.
    2. Navigate to the directory where packet capture files are stored.
    3. Rename the latest packet capture file for the interface on which you are changing the encapsulation; for example, pcap-file.fe-0.0.0.
    4. Return to operational mode.
  4. Change the encapsulation on the interface using the J-Web user interface or CLI configuration editor.
  5. If you are done configuring the device, enter commit from configuration mode.
  6. Reenable packet capture (see Example: Enabling Packet Capture on a Device).
  7. If you are done configuring the device, enter commit from configuration mode.

Delete Packet Capture Files

Deleting packet capture files from the /var/tmp directory only temporarily removes the packet capture files. Packet capture files for the interface are automatically created again the next time a packet capture configuration change is committed or as part of a packet capture file rotation.

To delete a packet capture file:

  1. Disable packet capture (see Disabling Packet Capture).
  2. Delete the packet capture file for the interface.
    1. From operational mode, access the local UNIX shell.
    2. Navigate to the directory where packet capture files are stored.
    3. Delete the packet capture file for the interface; for example, pcap-file.fe-0.0.0.
    4. Return to operational mode.
  3. Reenable packet capture (see Example: Enabling Packet Capture on a Device).
  4. If you are done configuring the device, enter commit from configuration mode.

Display Packet Headers

Enter the monitor traffic command to display packet headers transmitted through network interfaces with the following syntax:

Note:

Using the monitor traffic command can degrade system performance. We recommend that you use filtering options—such as count and matching—to minimize the impact to packet throughput on the system.

Table 1 describes the monitor traffic command options.

Table 1: CLI monitor traffic Command Options

Option

Description

absolute-sequence

(Optional) Displays the absolute TCP sequence numbers.

count number

(Optional) Displays the specified number of packet headers. Specify a value from 0 through 100,000. The command quits and exits to the command prompt after this number is reached.

interface interface-name

(Optional) Displays packet headers for traffic on the specified interface. If an interface is not specified, the lowest numbered interface is monitored.

layer2-headers

(Optional) Displays the link-layer packet header on each line.

matching "expression"

(Optional) Displays packet headers that match an expression enclosed in quotation marks (" "). Table 2 through Table 4 list match conditions, logical operators, and arithmetic, binary, and relational operators you can use in the expression.

no-domain-names

(Optional) Suppresses the display of the domain name portion of the hostname.

no-promiscuous

(Optional) Specifies not to place the monitored interface in promiscuous mode.

In promiscuous mode, the interface reads every packet that reaches it. In nonpromiscuous mode, the interface reads only the packets addressed to it.

no-resolve

(Optional) Suppresses the display of hostnames.

no-timestamp

(Optional) Suppresses the display of packet header timestamps.

print-ascii

(Optional) Displays each packet header in ASCII format.

print-hex

(Optional) Displays each packet header, except link-layer headers, in hexadecimal format.

size bytes

(Optional) Reads and displays up to the specified number of bytes of each packet. If a packet header exceeds this size, the displayed header is truncated. The default value is 96.

brief

(Optional) Displays minimum packet header information. This is the default.

detail

(Optional) Displays packet header information in moderate detail. For some protocols, you must also use the size option to see detailed information.

extensive

(Optional) Displays the most extensive level of packet header information. For some protocols, you must also use the size option to see extensive information.

To quit the monitor traffic command and return to the command prompt, press Ctrl-C.

To limit the packet header information displayed by the monitor traffic command, include the matching "expression" option. An expression consists of one or more match conditions listed in Table 2, enclosed in quotation marks (" "). You can combine match conditions by using the logical operators listed in Table 3 (shown in order of highest to lowest precedence).

For example, to display TCP or UDP packet headers, enter:

To compare the following types of expressions, use the relational operators listed in Table 4 (listed from highest to lowest precedence):

  • Arithmetic—Expressions that use the arithmetic operators listed in Table 4.

  • Binary—Expressions that use the binary operators listed in Table 4.

  • Packet data accessor—Expressions that use the following syntax:

    Replace protocol with any protocol in Table 2. Replace byte-offset with the byte offset, from the beginning of the packet header, to use for the comparison. The optional size parameter represents the number of bytes examined in the packet header—1, 2, or 4 bytes.

    For example, the following command displays all multicast traffic:
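The example commands referred to above are not present on this page. The following added examples (not the page's own) show monitor traffic used with the options in Table 1 and with expressions built from the match conditions and operators in Tables 2 through 4. The interface name fe-0/0/1 and the host 192.168.1.1 are taken from the examples earlier on this page; the ports are assumptions, and lines beginning with # are comments, not CLI input.

```junos
# TCP or UDP headers only. count bounds the run so the command cannot degrade the
# device indefinitely; no-resolve avoids slow reverse DNS lookups from the Routing Engine.
monitor traffic interface fe-0/0/1 count 50 no-resolve matching "tcp || udp"

# All multicast traffic, via the packet data accessor protocol[byte-offset]:
# byte 0 of the Ethernet header is the first byte of the destination MAC address, and
# its low-order bit is the group (multicast) bit.
monitor traffic interface fe-0/0/1 count 50 matching "ether[0] & 1 != 0"

# Grouping with parentheses, which must be escaped with a backslash (Table 3):
# SSH or HTTPS to or from one host. Ports 22 and 443 are assumptions.
monitor traffic interface fe-0/0/1 no-resolve matching "host 192.168.1.1 && \(port 22 || port 443\)"

# Inspect payload: raise size above the 96-byte default and dump in hex, but keep
# count small. Here, DNS traffic (port 53 is an assumption).
monitor traffic interface fe-0/0/1 count 5 size 1500 print-hex matching "udp && port 53"

# Frames not addressed to this device are normally included because the interface is
# placed in promiscuous mode; add no-promiscuous to see only traffic addressed to it.
monitor traffic interface fe-0/0/1 count 20 no-promiscuous layer2-headers matching "arp"
```

Press Ctrl-C to stop any of these before count is reached. Because monitor traffic shows only headers and runs on the Routing Engine, use it for a quick look at what is arriving; for a full, file-based capture that you can analyze offline, use the packet capture configuration described earlier on this page.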

Table 2: CLI monitor traffic Match Conditions

Match Condition

Description

Entity Type

host [address | hostname]

Matches packet headers that contain the specified address or hostname. You can prepend any of the following protocol match conditions, followed by a space, to host: arp, ip, rarp, or any of the Directional match conditions.

network address

Matches packet headers with source or destination addresses containing the specified network address.

network address mask mask

Matches packet headers containing the specified network address and subnet mask.

port [port-number | port-name]

Matches packet headers containing the specified source or destination TCP or UDP port number or port name.

Directional

destination

Matches packet headers containing the specified destination. Directional match conditions can be prepended to any Entity Type match conditions, followed by a space.

source

Matches packet headers containing the specified source.

source and destination

Matches packet headers containing the specified source and destination.

source or destination

Matches packet headers containing the specified source or destination.

Packet Length

less bytes

Matches packets with lengths less than or equal to the specified value, in bytes.

greater bytes

Matches packets with lengths greater than or equal to the specified value, in bytes.

Protocol

arp

Matches all ARP packets.

ether

Matches all Ethernet frames.

ether [broadcast | multicast]

Matches broadcast or multicast Ethernet frames. This match condition can be prepended with source or destination.

ether protocol [address | (\arp | \ip | \rarp)]

Matches Ethernet frames with the specified address or protocol type. The arguments arp, ip, and rarp are also independent match conditions, so they must be preceded with a backslash (\) when used in the ether protocol match condition.

icmp

Matches all ICMP packets.

ip

Matches all IP packets.

ip [broadcast | multicast]

Matches broadcast or multicast IP packets.

ip protocol [address | (\icmp | igrp | \tcp | \udp)]

Matches IP packets with the specified address or protocol type. The arguments icmp, tcp, and udp are also independent match conditions, so they must be preceded with a backslash (\) when used in the ip protocol match condition.

isis

Matches all IS-IS routing messages.

rarp

Matches all RARP packets.

tcp

Matches all TCP packets.

udp

Matches all UDP packets.

Table 3: CLI monitor traffic Logical Operators

Logical Operator

Description

!

Logical NOT. Inverts the condition that follows it: the expression matches when that condition does not.

&&

Logical AND. Both conditions must match. If the first condition does not match, the second is not evaluated.

||

Logical OR. Either condition may match. If the first condition matches, the second is not evaluated.

()

Group operators to override default precedence order. Parentheses are special characters, each of which must be preceded by a backslash (\).

Table 4: CLI monitor traffic Arithmetic, Binary, and Relational Operators

Operator

Description

Arithmetic Operator

+

Addition operator.

-

Subtraction operator.

/

Division operator.

Binary Operator

&

Bitwise AND.

^

Bitwise exclusive OR.

|

Bitwise inclusive OR.

Relational Operator

<=

A match occurs if the first expression is less than or equal to the second.

>=

A match occurs if the first expression is greater than or equal to the second.

<

A match occurs if the first expression is less than the second.

>

A match occurs if the first expression is greater than the second.

=

A match occurs if the first expression is equal to the second.

!=

A match occurs if the first expression is not equal to the second.

The following is sample output from the monitor traffic command: