Note: take care when enabling packet capture that the firewall filter terms that carry `then sample` match only the traffic you actually want captured. Every sampled packet is copied to a file under /var/tmp on the routing engine, so a term that matches too broadly places unnecessary load on the firewall's CPU and storage. Keep the match conditions as narrow as the source and destination prefixes allow, and leave the catch-all term as a plain `accept` with no `sample` action.
Configure
set forwarding-options packet-capture file filename pcap files 10 size 10000
set forwarding-options packet-capture maximum-capture-size 1500
set interfaces fe-0/0/0 unit 0 family inet filter input PCAP
set interfaces fe-0/0/0 unit 0 family inet filter output PCAP
set firewall filter PCAP term FF1 from source-address 172.16.1.0/24
set firewall filter PCAP term FF1 from destination-address 10.1.1.100/32
set firewall filter PCAP term FF1 then sample
set firewall filter PCAP term FF1 then accept
set firewall filter PCAP term FF2 from source-address 10.1.1.110/32
set firewall filter PCAP term FF2 from destination-address 172.16.1.0/24
set firewall filter PCAP term FF2 then sample
set firewall filter PCAP term FF2 then accept
set firewall filter PCAP term allow-all-else then accept
Display Capture
The capture file is named after the interface (pcap.fe-0.0.0 for fe-0/0/0) and is read from the shell with tcpdump. Note that the sample output below contains ssh to 172.16.1.1 and ICMP to an external host; neither flow matches the FF1 or FF2 terms above (only those two terms sample), so this output was taken with a broader filter than the one shown.
root@srx100> start shell
root@srx100% cd /var/tmp/
root@srx100% tcpdump -r pcap.fe-0.0.0
Reverse lookup for 172.16.1.11 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.
20:21:21.342058 In IP 172.16.1.11.9058 > 172.16.1.1.ssh: P 987275121:987275173(52) ack 1326283353 win 4109
20:21:22.252458 Out IP 172.16.1.1.ssh > 172.16.1.11.9058: P 1:53(52) ack 52 win 32900
20:21:22.252721 In IP 172.16.1.11 > vnsc-bak.sys.gtei.net: ICMP echo request, id 1, seq 1095, length 40
20:21:22.252853 Out IP vnsc-bak.sys.gtei.net > 172.16.1.11: ICMP echo reply, id 1, seq 1095, length 40
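The note at the top of this page says the filter must sample only the intended traffic; the way to verify that after the fact is to audit the capture file against the filter terms. The following is an added example, not code from the original post: a dependency-free Python parser for classic libpcap files that counts packets per intended term (FF1 and FF2 as configured above) and lists any flow that no term covers. It assumes the capture uses Ethernet (link type 1) or raw IPv4 (link type 12) framing; the sample capture embedded below is constructed here, and the external address 198.51.100.7 is a stand-in for the ICMP destination seen in the tcpdump output.

```python
import struct
import ipaddress

# Intended capture terms, transcribed from the firewall filter on this page:
# (term name, source prefix, destination prefix). Only these flows should be sampled.
INTENDED_TERMS = [
    ("FF1", ipaddress.ip_network("172.16.1.0/24"), ipaddress.ip_network("10.1.1.100/32")),
    ("FF2", ipaddress.ip_network("10.1.1.110/32"), ipaddress.ip_network("172.16.1.0/24")),
]

DLT_EN10MB = 1   # Ethernet framing
DLT_RAW = 12     # bare IPv4 packets (assumed; used if the capture source has no link header)


def read_pcap(data):
    """Yield (timestamp, link_type, packet_bytes) from a classic libpcap byte string.

    Handles both byte orders of the magic number; pcapng is not supported.
    A truncated final record (capture stopped mid-write) ends the iteration cleanly.
    """
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file")
    _, _, _, _, _snaplen, link_type = struct.unpack(endian + "HHiIII", data[4:24])
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        pkt = data[off:off + incl_len]
        if len(pkt) < incl_len:
            break
        off += incl_len
        yield ts_sec + ts_usec / 1e6, link_type, pkt


def ipv4_endpoints(link_type, pkt):
    """Return (src, dst, protocol) for an IPv4 packet, or None for anything else."""
    if link_type == DLT_EN10MB:
        if len(pkt) < 14 or pkt[12:14] != b"\x08\x00":
            return None  # ARP, IPv6, VLAN-tagged, ...: not audited here
        ip = pkt[14:]
    elif link_type == DLT_RAW:
        ip = pkt
    else:
        return None
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    return ipaddress.ip_address(ip[12:16]), ipaddress.ip_address(ip[16:20]), ip[9]


def audit_capture(data, terms=INTENDED_TERMS):
    """Count packets per intended term; collect flows that no sampling term covers.

    Returns (counts_by_term, unexpected) where unexpected is a list of
    (src, dst, protocol) tuples. A non-empty list means the filter sampled
    more than it was meant to and its terms should be tightened.
    """
    counts = {name: 0 for name, _, _ in terms}
    unexpected = []
    for _ts, link_type, pkt in read_pcap(data):
        ends = ipv4_endpoints(link_type, pkt)
        if ends is None:
            continue
        src, dst, proto = ends
        for name, snet, dnet in terms:
            if src in snet and dst in dnet:
                counts[name] += 1
                break
        else:
            unexpected.append((str(src), str(dst), proto))
    return counts, unexpected


def build_sample_pcap():
    """Constructed sample capture (not from the page): one packet per intended term,
    plus the two out-of-policy flows visible in the tcpdump output above."""
    def ipv4(src, dst, proto):
        # Minimal 20-byte header; checksum left at zero, which the audit does not verify.
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                           ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)

    def frame(src, dst, proto):
        return b"\x00" * 12 + b"\x08\x00" + ipv4(src, dst, proto)

    packets = [
        frame("172.16.1.11", "10.1.1.100", 6),    # matches FF1
        frame("10.1.1.110", "172.16.1.11", 6),    # matches FF2
        frame("172.16.1.11", "172.16.1.1", 6),    # ssh to the firewall itself: no term
        frame("172.16.1.11", "198.51.100.7", 1),  # ICMP to an external host: no term
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1500, DLT_EN10MB)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1000 + i, 0, len(pkt), len(pkt)) + pkt
    return out


if __name__ == "__main__":
    counts, unexpected = audit_capture(build_sample_pcap())
    print("sampled per term:", counts)
    for src, dst, proto in unexpected:
        print(f"NOT covered by any term: {src} -> {dst} proto {proto}")
```

Against a real capture, copy the file off the box and run `audit_capture(open("pcap.fe-0.0.0", "rb").read())`; any entries in the unexpected list are flows the filter sampled that the FF1/FF2 terms did not ask for, which is exactly the condition the note at the top of the page warns about.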
Remove
Once the capture is no longer needed, unbind the filter from the interface first, then delete the filter and the packet-capture stanza, and commit. Leaving a sampling filter applied keeps writing to /var/tmp and keeps consuming resources on the firewall.
root@srx100# delete interfaces fe-0/0/0 unit 0 family inet filter input PCAP
root@srx100# delete interfaces fe-0/0/0 unit 0 family inet filter output PCAP
root@srx100# delete firewall filter PCAP
root@srx100# delete forwarding-options packet-capture