J-series™ Services Router Administration Guide

the performance of the Services Router. You can control the number of packets captured on an interface with firewall filters and specify various criteria to capture packets for specific traffic flows.

You must also configure and apply appropriate firewall filters on the interface if you need to capture packets generated by the host router, because interface sampling does not capture packets originating from the host router.

To configure firewall filters for packet capture, see “Configuring a Firewall Filter for Packet Capture (Optional)” on page 259.

For more information about firewall filters, see the J-series Services Router Advanced WAN Access Configuration Guide.

Packet Capture Files

When packet capture is enabled on an interface, the entire packet including the Layer 2 header is captured and stored in a file. You can specify the maximum size of the packet to be captured, up to 1500 bytes. Packet capture creates one file for each physical interface. You can specify the target filename, maximum size of the file, and maximum number of files.

File creation and storage take place in the following way. Suppose you name the packet capture file pcap-file. Packet capture creates multiple files (one per physical interface), suffixing each file with the name of the physical interface—for example, pcap-file.fe-0.0.1 for the Fast Ethernet interface fe-0.0.1. When the file named pcap-file.fe-0.0.1 reaches the maximum size, the file is renamed pcap-file.fe-0.0.1.0. When the file named pcap-file.fe-0.0.1 reaches the maximum size again, the file named pcap-file.fe-0.0.1.0 is renamed pcap-file.fe-0.0.1.1 and pcap-file.fe-0.0.1 is renamed pcap-file.fe-0.0.1.0. This process continues until the maximum number of files is exceeded and the oldest file is overwritten. The pcap-file.fe-0.0.1 file is always the latest file.

Packet capture files are not removed even after you disable packet capture on an interface.
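The following Python sketch is an added example, not part of the guide or of the router software. It models the rename sequence described above and puts one interface's files back in capture order (oldest first) before analysis. It assumes that the maximum number of files counts the live file and that interface suffixes look like fe-0.0.1; the function names are hypothetical.

```python
import re

# Assumption: names follow "<base>.<interface>[.<n>]" as in the page's
# pcap-file.fe-0.0.1 example, with the interface written type-x.y.z.
NAME = re.compile(
    r"^(?P<base>.+?)\.(?P<ifd>[a-z0-9]+-\d+\.\d+\.\d+)(?:\.(?P<gen>\d+))?$"
)

def rotate(store, live, max_files):
    """Model one rotation of `live` in `store` (dict: filename -> content).

    Assumption: max_files counts the live file, so numbered suffixes
    run from .0 (most recently rotated) to .(max_files - 2) (oldest).
    """
    if max_files < 2:
        raise ValueError("model needs at least the live file and one .0 file")
    oldest = max_files - 2
    store.pop(f"{live}.{oldest}", None)          # oldest file is overwritten
    for gen in range(oldest - 1, -1, -1):        # shift .k -> .k+1, high to low
        if f"{live}.{gen}" in store:
            store[f"{live}.{gen + 1}"] = store.pop(f"{live}.{gen}")
    store[f"{live}.0"] = store.pop(live)         # full live file becomes .0
    store[live] = ""                             # fresh live file

def capture_order(filenames):
    """Group capture files per interface, oldest first, live file last."""
    groups = {}
    for name in filenames:
        m = NAME.match(name)
        if m is None:
            continue                             # not a capture file
        gen = -1 if m["gen"] is None else int(m["gen"])
        groups.setdefault((m["base"], m["ifd"]), []).append((gen, name))
    # Higher suffix = older, so sort descending; the live file (-1) ends last.
    return {k: [n for _, n in sorted(v, reverse=True)] for k, v in groups.items()}

def demo():
    """Constructed run: four fills of one interface file, three files kept."""
    live, store = "pcap-file.fe-0.0.1", {"pcap-file.fe-0.0.1": "A"}
    for nxt in "BCD":
        rotate(store, live, max_files=3)
        store[live] = nxt
    ordered = capture_order(list(store) + ["messages"])[("pcap-file", "fe-0.0.1")]
    return ordered, [store[n] for n in ordered]

if __name__ == "__main__":
    print(demo())
```

In the constructed run the first fill ("A") has been overwritten by the time the fourth is live, which is the data loss to plan for when choosing the maximum file size and file count.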

Analysis of Packet Capture Files

Packet capture files are stored in libpcap format in the /var/tmp directory. You can specify user or administrator privileges for the files.

Packet capture files can be opened and analyzed offline with tcpdump or any packet analyzer that recognizes the libpcap format. You can also use FTP or the Session Control Protocol (SCP) to transfer the packet capture files to an external device.

NOTE: Disable packet capture before opening the file for analysis or transferring the file to an external device with FTP or SCP. Disabling packet capture ensures that the internal file buffer is flushed and all the captured packets are written to the file. To disable packet capture on an interface, see “Disabling Packet Capture” on page 261.
