Juniper J-Series Administration Manual page 278

J-series Services Router Administration Guide
the performance of the Services Router. You can control the number of packets
captured on an interface with firewall filters and specify various criteria to capture
packets for specific traffic flows.
You must also configure and apply appropriate firewall filters on the interface if you
need to capture packets generated by the host router, because interface sampling
does not capture packets originating from the host router.
To configure firewall filters for packet capture, see "Configuring a Firewall Filter for
Packet Capture (Optional)" on page 259.
For more information about firewall filters, see the J-series Services Router Advanced
WAN Access Configuration Guide.
Packet Capture Files
When packet capture is enabled on an interface, the entire packet including the
Layer 2 header is captured and stored in a file. You can specify the maximum size
of the packet to be captured, up to 1500 bytes. Packet capture creates one file for
each physical interface. You can specify the target filename, maximum size of the
file, and maximum number of files.
File creation and storage take place in the following way. Suppose you name the
packet capture file
interface), suffixing each file with the name of the physical interface—for example,
pcap-file.fe–0.0.1
pcap-file.fe-0.0.1
When the file named
named
renamed
files is exceeded and the oldest file is overwritten. The
the latest file.
Packet capture files are not removed even after you disable packet capture on an
interface.
Analysis of Packet Capture Files
Packet capture files are stored in libpcap format in the
specify user or administrator privileges for the files.
Packet capture files can be opened and analyzed offline with tcpdump or any packet
analyzer that recognizes the libpcap format. You can also use FTP or the Session
Control Protocol (SCP) to transfer the packet capture files to an external device.
NOTE: Disable packet capture before opening the file for analysis or transferring the
file to an external device with FTP or SCP. Disabling packet capture ensures that the
internal file buffer is flushed and all the captured packets are written to the file. To
disable packet capture on an interface, see "Disabling Packet Capture" on page 261.
256
Packet Capture Overview
pcap-file . Packet capture creates multiple files (one per physical
for the Fast Ethernet interface
reaches the maximum size, the file is renamed
pcap-file.fe-0.0.1
pcap-file.fe-0.0.1.0 is renamed
. This process continues until the maximum number of
pcap-file.fe-0.0.1.0
. When the file named
fe–0.0.1
reaches the maximum size again, the file
pcap-file.fe-0.0.1.1 and pcap-file.fe-0.0.1
pcap-file.fe-0.0.1
/var/tmp
pcap-file.fe-0.0.1.0 .
is
file is always
directory. You can