SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  High-end Firewalls TCPDUMP

    Posted 12-11-2012 09:11

    Hi


    How do I use tcpdump to capture the in/out traffic on the firewall interface (device self-generated traffic)?

    Also, how do I read the output using Wireshark (how do I get a copy of the file)?

    This is required for High-end firewalls.


    Regards

    Myasin



  • 2.  RE: High-end Firewalls TCPDUMP

    Posted 12-12-2012 02:25

    Hi


    If it is indeed for self-generated traffic (such as routing protocols, management sessions, ARP), then the following will work:

    monitor traffic interface ge-0/0/0.0 detail no-resolve size 1500

    And to write to a file, use the hidden option:

    monitor traffic interface ge-0/0/0.0 detail no-resolve size 1500 write-file capture.pcap

    The file is written locally; to get it from the SRX you can use any tool, such as WinSCP for example.



  • 3.  RE: High-end Firewalls TCPDUMP
    Best Answer

    Posted 12-12-2012 02:35

    --1--

    edit forwarding-options

    set packet-capture maximum-capture-size 500

    set packet-capture file filename pcap-file

    set packet-capture file files 100

    set packet-capture file size 1024

    set packet-capture file world-readable


    top set interfaces ge-0/0/0 unit 0 family inet sampling input output

    The pcap files are saved in /var/tmp.


    --2--

    In the shell, you can use the following commands:

    tcpdump -i <interface>

    or

    tcpdump -i <interface> host <ip addr>

    or

    tcpdump -i <interface> -w <filename> host <ip addr>

    tcpdump is the same as 'monitor traffic' and only captures self traffic to the SRX. tcpdump will not capture traffic that is transiting the SRX.

    Also, some useful KBs and links:


    http://kb.juniper.net/InfoCenter/index?page=content&id=KB21563
    http://kb.juniper.net/KB11709

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB16110


    http://www.tcpdump.org/tcpdump_man.html


    thanks,

    raheel
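Added example, not from the thread or from Juniper: a dependency-free Python reader for the classic pcap file that `monitor traffic ... write-file` or `tcpdump -w` leaves in /var/tmp, which sorts records into SRX self traffic (ARP, or IPv4 to/from the firewall's own address, the only kind these tools capture as noted above) versus transit. The firewall address 192.0.2.1 and the embedded sample capture are constructed for illustration, not taken from a real device.

```python
import struct
from collections import Counter

# Classic pcap layout: 24-byte global header, then per-record 16-byte headers; link type 1 = Ethernet.
PCAP_MAGIC_LE = 0xA1B2C3D4
ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 89: "ospf"}

def packets(data):
    """Yield (ethertype, src_ip, dst_ip, ip_proto) for every record in the file."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC_LE or linktype != 1:
        raise ValueError("expected little-endian classic pcap with Ethernet frames")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 14:
            continue  # truncated record; skip rather than misparse
        ethertype = struct.unpack("!H", frame[12:14])[0]
        src = dst = proto = None
        if ethertype == ETHERTYPE_IPV4 and len(frame) >= 34:
            proto = frame[23]
            src = ".".join(str(b) for b in frame[26:30])
            dst = ".".join(str(b) for b in frame[30:34])
        yield ethertype, src, dst, proto

def classify(data, firewall_ip):
    """Count self traffic (ARP, or IPv4 to/from the SRX address) vs. anything else."""
    counts = Counter()
    for ethertype, src, dst, proto in packets(data):
        if ethertype == ETHERTYPE_ARP:
            counts["self/arp"] += 1
        elif firewall_ip in (src, dst):
            counts["self/" + PROTO_NAMES.get(proto, str(proto))] += 1
        else:
            counts["transit"] += 1  # not expected from monitor traffic / tcpdump on an SRX
    return counts

def _frame(src, dst, proto):
    """Constructed Ethernet+IPv4 frame (zero MACs and checksum, no payload) for the sample."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip

# Constructed sample capture: SSH to the SRX, OSPF hello from it, an ARP frame, one transit packet.
_FRAMES = [_frame("192.0.2.10", "192.0.2.1", 6), _frame("192.0.2.1", "224.0.0.5", 89),
           b"\xff" * 6 + b"\x00" * 6 + struct.pack("!H", ETHERTYPE_ARP) + b"\x00" * 28,
           _frame("198.51.100.5", "203.0.113.9", 17)]
SAMPLE_PCAP = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 1500, 1) + b"".join(
    struct.pack("<IIII", 1355300000 + i, 0, len(f), len(f)) + f for i, f in enumerate(_FRAMES))
```

Run `classify(open("capture.pcap", "rb").read(), "<srx address>")` on a file copied off the box; pcapng files need converting to classic pcap first (Wireshark's editcap can do that).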