Packet Capture on SRX

Use a firewall filter with the sample action to write matching transit packets to a file.

1. Configure forwarding options:
set forwarding-options packet-capture file filename MyCapture size 1000000
set forwarding-options packet-capture maximum-capture-size 1500

2. Configure a firewall filter for packet capture (one term per direction of the flow):
set firewall filter PCAP term 1 from source-address 192.168.2.88/32
set firewall filter PCAP term 1 from destination-address 192.168.2.182/32
set firewall filter PCAP term 1 from protocol tcp
set firewall filter PCAP term 1 then sample
set firewall filter PCAP term 1 then accept
set firewall filter PCAP term 2 from source-address 192.168.2.182/32
set firewall filter PCAP term 2 from destination-address 192.168.2.88/32
set firewall filter PCAP term 2 from protocol tcp
set firewall filter PCAP term 2 then sample
set firewall filter PCAP term 2 then accept
set firewall filter PCAP term Allow-ALL-Else then accept

3. Apply the firewall filter to the desired interface, then commit:
set interfaces fe-0/0/0 unit 0 family inet filter input PCAP
set interfaces fe-0/0/0 unit 0 family inet filter output PCAP

commit

4. Display the capture (the file is written to /var/tmp with the interface name appended, e.g. MyCapture.fe-0.0.0; match is case-sensitive):
> file list /var/tmp | match MyCapture

 jliu@SRX100> start shell
% cd /var/tmp
% ls
MyCapture.fe-0.0.0              gksdchk.log                     policy_status
cleanup-pkgs.log                gres-tp                         rtsdb
dhcpd.core-tarball.0.tgz        install                         sampled.pkts
eedebug_bin_file                krt_gencfg_filter.txt           spu_kmd_init
event_tags.php                  pics                            vi.recover
%
% tcpdump -r MyCapture.fe-0.0.0
Reverse lookup for 192.168.2.182 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.
00:59:54.576551  In IP 192.168.2.182.15871 > 192.168.2.88.telnet: S 704758831:704758831(0) win 8192
00:59:54.576669 Out IP 192.168.2.88.telnet > 192.168.2.182.15871: S 3511893291:3511893291(0) ack 704758832 win 65535
00:59:54.576800  In IP 192.168.2.182.15871 > 192.168.2.88.telnet: . ack 1 win 4380
00:59:54.578019  In IP 192.168.2.182.15871 > 192.168.2.88.telnet: P 1:22(21) ack 1 win 4380
00:59:54.578172 Out IP 192.168.2.88.telnet > 192.168.2.182.15871: P 1:16(15) ack 22 win 32839
00:59:54.578265  In IP 192.168.2.182.15871 > 192.168.2.88.telnet: P 22:25(3) ack 16 win 4376
00:59:54.578349  In IP 192.168.2.182.15871 > 192.168.2.88.telnet: P 25:28(3) ack 16 win 4376
00:59:54.578423 Out IP 192.168.2.88.telnet > 192.168.2.182.15871: P 16:28(12) ack 25 win 32848
00:59:54.578510  In IP 192.168.2.182.15871 > 192.168.2.88.telnet: P 28:37(9) ack 28 win 4373
00:59:54.578603 Out IP 192.168.2.88.telnet > 192.168.2.182.15871: P 28:46(18) ack 37 win 32845
00:59:54.578676  In IP 192.168.2.182.15871 > 192.168.2.88.telnet: P 37:54(17) ack 46 win 4368
00:59:54.578761  In IP 192.168.2.182.15871 > 192.168.2.88.telnet: P 54:60(6) ack 46 win 4368
00:59:54.578844  In IP 192.168.2.182.15871 > 192.168.2.88.telnet: P 60:71(11) ack 46 win 4368
00:59:54.578916 Out IP 192.168.2.88.telnet > 192.168.2.182.15871: . ack 60 win 32847
00:59:54.579002 Out IP 192.168.2.88.telnet > 192.168.2.182.15871: P 46:58(12) ack 71 win 32850
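
An added example, not part of the original page: a small Python parser for the tcpdump text lines shown in step 4, so a capture like the one above can be summarised per direction and checked for services that carry credentials in the clear (the telnet session above is one). The sample lines are constructed in the same format as the output above.

```python
import re
from collections import defaultdict

# Constructed sample in the format of Junos "tcpdump -r" output (no -n, so ports may be names).
SAMPLE = """\
00:59:54.576551  In IP 192.168.2.182.15871 > 192.168.2.88.telnet: S 704758831:704758831(0) win 8192
00:59:54.576669 Out IP 192.168.2.88.telnet > 192.168.2.182.15871: S 3511893291:3511893291(0) ack 704758832 win 65535
00:59:54.578019  In IP 192.168.2.182.15871 > 192.168.2.88.telnet: P 1:22(21) ack 1 win 4380
00:59:54.578172 Out IP 192.168.2.88.telnet > 192.168.2.182.15871: P 1:16(15) ack 22 win 32839
"""

# timestamp, In/Out, endpoints, TCP flags, optional seq range with payload length, optional ack, window
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<dir>In|Out)\s+IP\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<flags>[SFRP.]+)"
    r"(?:\s+(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?:\s+ack\s+(?P<ack>\d+))?\s+win\s+(?P<win>\d+)"
)

# Services that send credentials unencrypted (hypothetical list for this example).
CLEARTEXT = {"telnet", "ftp", "http"}

def split_endpoint(ep):
    """'192.168.2.88.telnet' -> ('192.168.2.88', 'telnet'): the port follows the last dot."""
    host, _, port = ep.rpartition(".")
    return host, port

def parse_line(line):
    """Return a dict for one packet line, or None for banner/DNS-warning lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    src, sport = split_endpoint(d["src"])
    dst, dport = split_endpoint(d["dst"])
    return {"ts": d["ts"], "dir": d["dir"], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "flags": d["flags"],
            "len": int(d["len"] or 0),
            "ack": int(d["ack"]) if d["ack"] else None, "win": int(d["win"])}

def summarize(text):
    """Packet, payload-byte and SYN counts keyed by (direction, src, dst)."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "syn": 0})
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        key = (pkt["dir"], pkt["src"], pkt["dst"])
        stats[key]["packets"] += 1
        stats[key]["bytes"] += pkt["len"]
        stats[key]["syn"] += "S" in pkt["flags"]
    return dict(stats)

def cleartext_services(text):
    """Cleartext service names tcpdump resolved on either endpoint of any packet."""
    seen = set()
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt:
            seen |= {pkt["sport"], pkt["dport"]} & CLEARTEXT
    return seen
```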


5. Remove the capture configuration (rollback 1 restores the previous committed configuration, so this removes the capture only if the commit in step 3 was the most recent one):
rollback 1
commit
Use monitor traffic for a real-time capture of packets sent to or from the SRX itself (Routing Engine traffic, e.g. SSH to the device); it does not show transit traffic, which needs the firewall filter method above.

monitor traffic interface reth0.0 matching "port ssh"
monitor traffic interface reth0.0 matching "host 192.168.1.1"
