To obtain packet capture on High-End SRX devices, perform the following procedure:

  • Configure datapath-debug on the device under the [edit security datapath-debug] hierarchy.

To configure the device for data path debugging:

  • Specify the following command to set data path debugging for the multiple processing units along the packet-processing path:
[edit]
user@host# set security datapath-debug
  • Specify the trace options for datapath-debug using the following command:
[edit]
user@host# set security datapath-debug traceoptions
  • Using the set security datapath-debug packet-filter command, you can set a packet filter that selects the packets on which the datapath-debug action is performed. A maximum of four filters are supported at the same time. For example, the following command sets the first packet-filter:
[edit]
user@host# set security datapath-debug packet-filter name
  • Using the action-profile statement, you can set the action taken on packets that match a specified filter. Only the default action profile is supported, which is the trace option for network processor ezchip ingress, ezchip egress, spu.lbt, and spu.pot:
[edit]
user@host# set security datapath-debug packet-filter name action-profile
  • Based on your exact requirements, you may need to trace only a certain type of traffic, which can be configured using packet-filters.
  • Specify the maximum capture size (the maximum size captured per packet).
  • Create an action-profile to specify where inside the device the packets will be captured (e.g. LBT, MAC-ingress, and so on).
  • Reference the previously created action-profile inside the configured packet-filter.
  • Specify the name of the capture-file (the file that will contain the captured packets).

Sample Configuration:

root> show configuration security datapath-debug | no-more 
 traceoptions {
      file debugtrace;
 }
 capture-file datapcap format pcap;
 maximum-capture-size 1500;
 action-profile {
      flowtrace {
          event pot {
              packet-dump;
          }
          event lbt {
              packet-dump;
          }
      }
 }
 packet-filter filter1 {
      action-profile flowtrace;
      protocol icmp;
 }
  • In the above config, only the portions most relevant to this procedure are shown.
  • With the above config, packets are dumped to the capture-file only while they are being processed by the POT and LBT threads.

Procedure for obtaining the captured packets:

After the config has been committed, remember to start datapath-debug on the device. It does not start by itself.

To start the debug:

[edit]
 root> request security datapath-debug capture start

To stop the debug:

[edit]
 root> request security datapath-debug capture stop
  • Remember to stop the debug after you are done capturing data. If you attempt to open the capture files without stopping the debug, the files obtained cannot be opened by any third-party software.
  • After the capture is done, you can view the packets on the CLI in HEX format using the command:
[edit] root> show security datapath-debug capture

If you would like to view the captured files in third-party software (e.g. tcpdump, Wireshark), you will need to remove certain fields from each of the packets. The command is:

root@% e2einfo -Ccapture -Snormalize -I datapcap -F datapcap.pcap

The files containing the captured data are under /var/log. You should be able to see both files (the capture-file and the normalized packet-capture file created from it) in the /var/log directory.

root> start shell 
 root@% cd /var/log
 root@% ls -l 
 total 18964
 -rw-r--r-- 1 root wheel 80560 Apr 6 06:42 KR2
 -rw-r----- 1 root wheel 774142 Apr 19 03:51 RPF-CHECK
 -rw-r----- 1 root wheel 445638 Jun 21 11:48 RPF-CHECK-ON
 -rw-r----- 1 root wheel 86453 Jun 2 20:31 RPF-CHECK-ON.0.gz
 -rw-r--r-- 1 root wheel 275 Jul 20 19:38 __jsrpd_commit_check__
 -rw-r--r-- 1 root wheel 0 Dec 21 2010 authd_sdb.log
 -rw-r--r-- 1 root wheel 0 Jul 27 21:43 capture.pcap
 -rw-r----- 1 root wheel 1975225 Aug 3 21:31 chassisd
 -rw-r----- 1 root wheel 203000 Jul 1 08:52 chassisd.0.gz
 -rw-r----- 1 root wheel 195019 Jun 3 10:20 chassisd.1.gz
 -rw-r----- 1 root wheel 191531 Jun 3 09:49 chassisd.2.gz
 -rw-r----- 1 root wheel 194656 Jun 3 08:54 chassisd.3.gz
 -rw-r--r-- 1 root wheel 20835 Aug 3 21:23 cosd
 -rw-r----- 1 root wheel 12672 Aug 3 21:34 datapcap
 -rw-r--r-- 1 root wheel 10440 Aug 3 21:36 datapcap.pcap
 -rw-r----- 1 root wheel 979500 Aug 3 21:26 dcd
 -rw-r----- 1 root wheel 28712 Jun 3 06:44 dcd.0.gz
 -rw-r----- 1 root wheel 27720 Jun 3 00:52 dcd.1.gz
 -rw-r----- 1 root wheel 41132 Aug 3 21:26 debugtrace
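As an added example (not part of the original article and not Juniper tooling), the following Python checker walks the header and records of a normalized capture such as datapcap.pcap before you hand it to Wireshark: it reports an empty or cut-short file (the kind left behind when the debug was not stopped first) as unreadable, and counts packets clipped at the configured maximum-capture-size. It assumes the e2einfo output is standard libpcap format (the format tcpdump and Wireshark read); build_pcap only constructs sample input for offline use.

```python
import struct

PCAP_GLOBAL_HDR = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
PCAP_RECORD_HDR = 16   # ts_sec, ts_usec, incl_len, orig_len

def parse_pcap(data: bytes) -> dict:
    """Walk a libpcap file record by record; ValueError on anything tcpdump would refuse."""
    if len(data) < PCAP_GLOBAL_HDR:
        raise ValueError("only %d bytes, shorter than the pcap global header" % len(data))
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":        # written by a little-endian host
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":      # written by a big-endian host
        endian = ">"
    else:
        raise ValueError("not a pcap file: magic %s" % magic.hex())
    _major, _minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:PCAP_GLOBAL_HDR])
    count, clipped, off = 0, 0, PCAP_GLOBAL_HDR
    while off < len(data):
        if off + PCAP_RECORD_HDR > len(data):
            raise ValueError("record header cut short at offset %d" % off)
        _sec, _usec, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + PCAP_RECORD_HDR])
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError("record at offset %d has inconsistent lengths" % off)
        if off + PCAP_RECORD_HDR + incl_len > len(data):
            raise ValueError("packet data cut short at offset %d" % off)
        count += 1
        if incl_len < orig_len:             # clipped by maximum-capture-size
            clipped += 1
        off += PCAP_RECORD_HDR + incl_len
    return {"snaplen": snaplen, "linktype": linktype, "packets": count, "clipped": clipped}

def describe(data: bytes) -> str:
    """One-line verdict for a file read from /var/log (e.g. datapcap.pcap)."""
    try:
        s = parse_pcap(data)
    except ValueError as err:
        return "unreadable: %s" % err
    return "ok: %d packets, %d clipped to snaplen %d" % (s["packets"], s["clipped"], s["snaplen"])

def build_pcap(packets, snaplen=1500, linktype=1) -> bytes:
    """Constructed sample input only: little-endian pcap, packets clipped to snaplen."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)]
    for i, pkt in enumerate(packets):
        out.append(struct.pack("<IIII", 1000 + i, 0, min(len(pkt), snaplen), len(pkt)))
        out.append(pkt[:snaplen])
    return b"".join(out)
```

On the device output, run it as `describe(open("/var/log/datapcap.pcap", "rb").read())`; the 0-byte capture.pcap in the listing above would be reported as unreadable.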
