How to monitor traffic on Junos SRX (like tcpdump on Linux)



check all interface traffic summary

> monitor interface traffic

Bytes=b, Clear=c, Delta=d, Packets=p, Quit=q or ESC, Rate=r, Up=^U, Down=^D
Interface      Link   Input packets  (pps)   Output packets     (pps)
  ge-0/0/0     Down              0     (0)                 0       (0)
  gr-0/0/0       Up              0     (0)                 0       (0)
  ip-0/0/0       Up              0     (0)                 0       (0)
  lsq-0/0/0      Up              0     (0)                 0       (0)
  lt-0/0/0       Up              0     (0)                 0       (0)
  mt-0/0/0       Up              0     (0)                 0       (0)
  sp-0/0/0       Up              0     (0)                 0       (0)
  ge-0/0/1     Down              0     (0)                 0       (0)
(snip)


monitor traffic command examples

Only packets sent to or from the SRX itself (Routing Engine traffic) are captured; transit traffic forwarded through the data plane does not appear


> monitor traffic interface vlan.10
> monitor traffic interface ge-0/0/0.0
> monitor traffic interface vlan.10 matching "host 192.168.0.1 && udp && port 9997"

How to use capture file

> monitor traffic interface ge-0/0/0.0 write-file test.pcap
> monitor traffic read-file test.pcap




How to use tcpdump command on SRX

Only packets sent to or from the SRX itself (Routing Engine traffic) are captured; transit traffic forwarded through the data plane does not appear

(1) change to root user

> start shell user root
% whoami
root

or

> start shell
% su
% whoami
root

(2) tcpdump Examples

% tcpdump -i ge-0/0/0
% tcpdump -i vlan.199
% tcpdump -r /var/tmp/test-cap
% tcpdump -n host 192.168.0.1 and udp and port 9997


traffic log

delete system syslog file  <- removes every "system syslog file" stanza, including the defaults; "delete system syslog file traffic-log" removes only this one
set system syslog file traffic-log any any
set system syslog file traffic-log match "RT_FLOW_SESSION"
set security policies from-zone XXX to-zone XXX policy XXXX match source-address XXXXX
set security policies from-zone XXX to-zone XXX policy XXXX match destination-address XXXXX
set security policies from-zone XXX to-zone XXX policy XXXX match application XXXX
set security policies from-zone XXX to-zone XXX policy XXXX then permit
set security policies from-zone XXX to-zone XXX policy XXXX then log session-init
set security policies from-zone XXX to-zone XXX policy XXXX then log session-close
commit confirmed  <- rolls back automatically after 10 minutes unless followed by a plain "commit"

How to check traffic log on SRX

> show log /var/log/traffic-log
> show log /var/log/traffic-log | last 100
> start shell
% su
Password:
% cd /var/log
% tail -f traffic-log
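Reading the traffic-log by eye with "tail -f" works for a few sessions; for anything larger it helps to parse the RT_FLOW_SESSION_CREATE / RT_FLOW_SESSION_CLOSE lines and summarize sessions per policy, bytes per policy and sessions that were created but never closed. The script below is an added example, not part of the original note or of Junos itself. The sample lines are constructed, and the field order (client/server addresses, service, NAT addresses, NAT rules, protocol number, policy, from-zone, to-zone, session id, then packet and byte counters on close lines) follows the default unstructured RT_FLOW message layout as an assumption; if your SRX logs in structured-data format, the regex needs adjusting.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of RT_FLOW_SESSION_CREATE /
# RT_FLOW_SESSION_CLOSE messages as they land in /var/log/traffic-log
# with the "match RT_FLOW_SESSION" filter. Addresses and counters are
# made up for this example; the field order is an assumption.
SAMPLE_LOG = """\
Mar 10 10:00:01 srx RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.0.10/51234->10.0.0.5/53 junos-dns-udp 192.168.0.10/51234->10.0.0.5/53 None None 17 allow-dns trust untrust 1001 N/A(N/A) ge-0/0/0.0
Mar 10 10:00:02 srx RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.0.11/40001->203.0.113.7/443 junos-https 192.168.0.11/40001->203.0.113.7/443 None None 6 allow-web trust untrust 1002 N/A(N/A) ge-0/0/0.0
Mar 10 10:00:03 srx RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 192.168.0.11/40001->203.0.113.7/443 junos-https 192.168.0.11/40001->203.0.113.7/443 None None 6 allow-web trust untrust 1002 12(1800) 15(9000) 1 N/A(N/A) ge-0/0/0.0
Mar 10 10:00:04 srx RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed response received: 192.168.0.10/51234->10.0.0.5/53 junos-dns-udp 192.168.0.10/51234->10.0.0.5/53 None None 17 allow-dns trust untrust 1001 1(70) 1(120) 1 N/A(N/A) ge-0/0/0.0
Mar 10 10:00:05 srx RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.0.12/22222->10.0.0.5/22 junos-ssh 192.168.0.12/22222->10.0.0.5/22 None None 6 allow-ssh trust dmz 1003 N/A(N/A) ge-0/0/0.0
Mar 10 10:00:06 srx sshd[4242]: Accepted publickey for admin from 192.168.0.2 port 50000 ssh2
"""

# One regex for both event types. The close reason ("TCP FIN", "TCP RST",
# "response received", ...) runs up to the first colon. The three \S+ after
# the service name are the NAT address pair and the two NAT rule names.
# The trailing optional group only exists on CLOSE lines and carries
# client packets(bytes), server packets(bytes) and elapsed seconds.
FLOW_RE = re.compile(
    r"RT_FLOW_SESSION_(?P<event>CREATE|CLOSE): session "
    r"(?:created|closed (?P<reason>[^:]+):) "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) (?P<service>\S+) "
    r"\S+ \S+ \S+ (?P<proto>\d+) (?P<policy>\S+) (?P<from_zone>\S+) (?P<to_zone>\S+) (?P<sid>\d+)"
    r"(?: (?P<cpkts>\d+)\((?P<cbytes>\d+)\) (?P<spkts>\d+)\((?P<sbytes>\d+)\) (?P<elapsed>\d+))?"
)

INT_FIELDS = ("sport", "dport", "proto", "sid", "cpkts", "cbytes", "spkts", "sbytes", "elapsed")


def parse_flow_line(line):
    """Return a dict of fields for an RT_FLOW_SESSION line, or None for anything else."""
    m = FLOW_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in INT_FIELDS:
        if rec[key] is not None:
            rec[key] = int(rec[key])
    return rec


def summarize(log_text):
    """Walk a traffic-log excerpt and pair CREATE with CLOSE by session id.

    Returns sessions created per policy, total bytes (both directions) per
    policy from the close records, and session ids still open at the end
    of the excerpt (created, never closed).
    """
    open_sessions = {}
    sessions_by_policy = Counter()
    bytes_by_policy = Counter()
    for line in log_text.splitlines():
        rec = parse_flow_line(line)
        if rec is None:
            continue  # unrelated syslog line (sshd, commit messages, ...)
        if rec["event"] == "CREATE":
            open_sessions[rec["sid"]] = rec
            sessions_by_policy[rec["policy"]] += 1
        else:
            open_sessions.pop(rec["sid"], None)
            bytes_by_policy[rec["policy"]] += rec["cbytes"] + rec["sbytes"]
    return {
        "sessions_by_policy": dict(sessions_by_policy),
        "bytes_by_policy": dict(bytes_by_policy),
        "still_open": sorted(open_sessions),
    }


if __name__ == "__main__":
    # On a real box: ssh into the SRX, then
    #   % cat /var/log/traffic-log | python3 parse_traffic_log.py   (hypothetical file name)
    # Here the constructed sample is used instead.
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Session 1003 (the SSH session to the dmz zone) has a create record but no close record in the sample, so it is reported as still open; that is the kind of long-lived session worth a second look when reviewing policy hits. A CREATE/CLOSE pair is only present when the policy has both "log session-init" and "log session-close", as configured above.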