Juniper Networks J-Series Network Router User Manual


 
the performance of the Services Router. You can control the number of packets
captured on an interface with firewall filters and specify various criteria to capture
packets for specific traffic flows.
You must also configure and apply appropriate firewall filters on the interface if you
need to capture packets generated by the host router, because interface sampling
does not capture packets originating from the host router.
To configure firewall filters for packet capture, see Configuring a Firewall Filter for
Packet Capture (Optional) on page 259.
For more information about firewall filters, see the J-series Services Router Advanced
WAN Access Configuration Guide.
Packet Capture Files
When packet capture is enabled on an interface, the entire packet including the
Layer 2 header is captured and stored in a file. You can specify the maximum size
of the packet to be captured, up to 1500 bytes. Packet capture creates one file for
each physical interface. You can specify the target filename, maximum size of the
file, and maximum number of files.
File creation and storage take place in the following way. Suppose you name the
packet capture file pcap-file. Packet capture creates multiple files (one per physical
interface), suffixing each file with the name of the physical interface, for example,
pcap-file.fe-0.0.1 for the Fast Ethernet interface fe-0.0.1. When the file named
pcap-file.fe-0.0.1 reaches the maximum size, the file is renamed pcap-file.fe-0.0.1.0.
When the file named pcap-file.fe-0.0.1 reaches the maximum size again, the file
named pcap-file.fe-0.0.1.0 is renamed pcap-file.fe-0.0.1.1 and pcap-file.fe-0.0.1 is
renamed pcap-file.fe-0.0.1.0. This process continues until the maximum number of
files is exceeded and the oldest file is overwritten. The pcap-file.fe-0.0.1 file is always
the latest file.
Packet capture files are not removed even after you disable packet capture on an
interface.
Analysis of Packet Capture Files
Packet capture files are stored in libpcap format in the /var/tmp directory. You can
specify user or administrator privileges for the files.
Packet capture files can be opened and analyzed offline with tcpdump or any packet
analyzer that recognizes the libpcap format. You can also use FTP or the Session
Control Protocol (SCP) to transfer the packet capture files to an external device.
NOTE: Disable packet capture before opening the file for analysis or transferring the
file to an external device with FTP or SCP. Disabling packet capture ensures that the
internal file buffer is flushed and all the captured packets are written to the file. To
disable packet capture on an interface, see Disabling Packet Capture on page 261.
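
The rotation scheme and libpcap storage described above, as an added example (not code from the Juniper manual): a Python sketch that orders one interface's capture files oldest to newest once they have been copied off the router, and checks a file's libpcap global header. The function names, file listing and header bytes are hypothetical, constructed for illustration.

```python
import re
import struct

# libpcap magic as stored on disk -> struct byte-order prefix
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}

def chronological(names, base, interface):
    """Return one interface's capture files, oldest first.

    The live file is <base>.<interface>; rotated copies append .0, .1, ...
    where .0 is the most recently rotated and the highest number the oldest.
    The interface name itself contains dots, so it must be given explicitly.
    """
    live = f"{base}.{interface}"
    pattern = re.compile(re.escape(live) + r"\.(\d+)")
    rotated = []
    for name in names:
        m = pattern.fullmatch(name)
        if m:
            rotated.append((int(m.group(1)), name))
    ordered = [name for _, name in sorted(rotated, reverse=True)]
    if live in names:
        ordered.append(live)  # the unsuffixed file is always the latest
    return ordered

def read_pcap_header(data):
    """Parse the 24-byte libpcap global header; return (snaplen, linktype)."""
    if len(data) < 24 or data[:4] not in PCAP_MAGICS:
        raise ValueError("not a libpcap file")
    order = PCAP_MAGICS[data[:4]]
    fields = struct.unpack(order + "HHiIII", data[4:24])
    return fields[4], fields[5]

# Constructed sample data (not taken from a real router).
SAMPLE_NAMES = [
    "pcap-file.fe-0.0.1.1",
    "pcap-file.fe-0.0.1",
    "pcap-file.fe-0.0.10",   # a different interface, must not be mixed in
    "pcap-file.fe-0.0.1.0",
]
# Header with a 1500-byte maximum packet size and link type 1 (Ethernet).
SAMPLE_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1500, 1)

if __name__ == "__main__":
    print(chronological(SAMPLE_NAMES, "pcap-file", "fe-0.0.1"))
    print(read_pcap_header(SAMPLE_HEADER))
```

A header that fails this check on the unsuffixed file is a sign the capture was copied before packet capture was disabled and the buffer flushed.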
256 Packet Capture Overview
J-series Services Router Administration Guide