monodactylus

tcpdump, wireshark, and junos 10.1R1.8

Hello,

I'm having problems running tcpdump at the prompt on an SRX-210 running Junos 10.1R1.8. Typically on Linux I'll run something like this:

tcpdump -Xvvvni interface -s0 -w test.pcap host 10.10.10.10

First, when I try to use a snap length of zero, usually on Linux it will capture the complete packet... how do I do this in Junos? I've just been putting some large number after the -s option for now, i.e. 100000, but I'm thinking there's probably a better way?

Next, when I run this command in Junos and then scp the file over to my laptop to open it up in Wireshark and look at it, Wireshark complains that it cannot open a type 200 capture. Does anyone know what options I should be adding so this doesn't happen?

Thanks,

Will
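The two questions above (was the snap length honoured, and what is the "type" Wireshark is refusing) can both be answered by reading the pcap file header directly; the following is an added example, not code from this thread or from Juniper. It parses the classic pcap global header and its packet records and reports the stored snaplen, the link-layer type number, and how many packets were clipped; the bytes it parses are constructed in-line, with link-layer type 1 (Ethernet) so that the sample is well-formed.

```python
import struct

# Constructed sample (not a real capture): a little-endian pcap global
# header with snaplen 65535 and link-layer type 1 (Ethernet), followed by
# two records. The second record was clipped (40 of 1500 bytes captured).
SAMPLE_PCAP = (
    struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    + struct.pack("<IIII", 1300000000, 0, 60, 60) + b"\x00" * 60
    + struct.pack("<IIII", 1300000001, 0, 40, 1500) + b"\x00" * 40
)

LITTLE_MAGICS = (0xA1B2C3D4, 0xA1B23C4D)   # usec / nsec timestamp variants
BIG_MAGICS = (0xD4C3B2A1, 0x4D3CB2A1)      # same magics, file written big-endian


def inspect_pcap(data: bytes) -> dict:
    """Parse a classic pcap global header and walk its packet records.

    Reports the snaplen and link-layer type stored in the header (the
    number a reader such as Wireshark checks before decoding frames),
    plus how many records were clipped to the snaplen.
    """
    if len(data) < 24:
        raise ValueError("too short to be a pcap file")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in LITTLE_MAGICS:
        end = "<"
    elif magic in BIG_MAGICS:
        end = ">"
    else:
        raise ValueError("unknown magic 0x%08x (not classic pcap)" % magic)
    # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
    _, major, minor, _, _, snaplen, linktype = struct.unpack(end + "IHHiIII", data[:24])
    packets = clipped = max_caplen = 0
    off = 24
    while off + 16 <= len(data):
        _, _, caplen, origlen = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        if off + caplen > len(data):
            break  # trailing record cut short (e.g. file still being written)
        packets += 1
        max_caplen = max(max_caplen, caplen)
        if caplen < origlen:
            clipped += 1  # snaplen truncated this packet
        off += caplen
    return {"version": "%d.%d" % (major, minor), "snaplen": snaplen,
            "linktype": linktype, "packets": packets,
            "max_caplen": max_caplen, "clipped": clipped}
```

Run inspect_pcap on the bytes of a file copied off the SRX to see the exact snaplen and link-layer type your reader is being handed.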

arizvi

Re: tcpdump, wireshark, and junos 10.1R1.8

In the shell, you can use the following command:

tcpdump -i <interface>

or

tcpdump -i <interface> host <ip addr>

or

tcpdump -i <interface> -w <filename> host <ip addr>


Thanks

Atif

Kudos appreciated

bufo333

Re: tcpdump, wireshark, and junos 10.1R1.8

edit forwarding-options

set packet-capture maximum-capture-size 500
set packet-capture file filename pcap-file
set packet-capture file files 100
set packet-capture file size 1024
set packet-capture file world-readable

set interface ge-0/0/0.0 family inet sampling input output

commit

Feel free to change the size of each capture file.

The pcap files are saved in /var/tmp.

John Burns
PowerRanger

Re: tcpdump, wireshark, and junos 10.1R1.8

Hi,

I also tried to use tcpdump to capture SIP, but it didn't work.

%tcpdump -ni reth0 -s 0 port 5060 -vvv -w /var/tmp/capture => invalid snaplen 0

%tcpdump -ni reth0 port 5060 -vvv  -w /var/tmp/capture => Syntax error

Has the tcpdump command been modified by Juniper?

Telnet-1

Re: tcpdump, wireshark, and junos 10.1R1.8

Hi arizvi,

~tcpdump -i <interface> host <ip addr>

Will that get traffic with dst-ip = host ip or with src-ip = host ip?

What if I want to see traffic with src-ip & dst-ip = X (i.e. ping request & ping reply)?

~tcpdump -i <interface> -w <filename> host <ip addr>

How can I view this file?

Can you paste a link containing more options & details?


devol

Re: tcpdump, wireshark, and junos 10.1R1.8

Running tcpdump from the shell will only capture control plane traffic. It's similar to running a monitor traffic command in op mode.

You need to use traffic sampling if you want to capture traffic flowing through the data plane of the device.

TravisJohnson

Re: tcpdump, wireshark, and junos 10.1R1.8

bufo333 wrote:

edit forwarding-options

set packet-capture maximum-capture-size 500
set packet-capture file filename pcap-file
set packet-capture file files 100
set packet-capture file size 1024
set packet-capture file world-readable

set interface ge-0/0/0.0 family inet sampling input output

commit

Feel free to change the size of each capture file.

The pcap files are saved in /var/tmp.

Correct... and if Johnny Burns says it, you can take it to the bank! (EJohnson @ GPC)

________________________________________________


If my post helped you, please feel free to give me kudos.
a.prutkoy

Re: tcpdump, wireshark, and junos 10.1R1.8

For Telnet-1

tcpdump host clientIPaddress || host targetIPaddress <ENTER>

This initiates a capture with only the client and target IP addresses in the source or destination IP addresses.

rkim

Re: tcpdump, wireshark, and junos 10.1R1.8

You may find the KB article below useful.

http://kb.juniper.net/KB11709

As others have stated, tcpdump is basically the same as the 'monitor traffic' command and only captures self traffic to the SRX. tcpdump will not capture traffic that is transiting the SRX.

-Richard