SRX

tcpdump on SRX

  • 1.  tcpdump on SRX

    Posted 10-01-2017 19:23

    Hi everyone

    I am trying to set up tcpdump to capture traffic involving 199.199.199.10

    PC1 199.199.199.10--199.199.199.1 fe0/0/1-TRUST-SRX-UNTRUST-fe-0/0/2-200.200.200.1---200.200.200.2 PC2
    SET UP:

    SRX has vlan 199, vlan.199, 199.199.199.1, zone TRUST

    SRX has vlan 200, vlan.200, 200.200.200.1 zone UNTRUST
    SRX performs STATIC NAT (DEST) and changes the destination IP 100.100.100.10 to 200.200.200.20

    Below we can see the SRX successfully NATs and routes the traffic to 200.200.200.2

    The whole config is under additional info at the bottom of this post.
    root> show security nat static rule all
    Total static-nat rules: 1
    Total referenced IPv4/IPv6 ip-prefixes: 2/0

    Static NAT rule: RULE1 Rule-set: ZEE1
    Rule-Id : 1
    Rule position : 1
    From zone : TRUST
    Destination addresses : 100.100.100.10
    Host addresses : 200.200.200.20
    Netmask : 32
    Host routing-instance : N/A
    Translation hits : 186

    root> show security flow session

    Session ID: 2232, Policy name: A/4, Timeout: 2, Valid
    In: 199.199.199.10/33662 --> 100.100.100.10/1;icmp, If: vlan.199, Pkts: 1, Bytes: 60
    Out: 200.200.200.20/1 --> 199.199.199.10/33662;icmp, If: vlan.200, Pkts: 1, Bytes: 60

    Below I have set up tcpdump to capture all routed traffic received on vlan.199:

    root@% tcpdump -i vlan.199


    verbose output suppressed, use <detail> or <extensive> for full protocol decode
    Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
    Address resolution timeout is 4s.


    Listening on vlan.199, capture size 96 bytes
    Reverse lookup for 199.199.199.1 failed (check DNS reachability).
    Other reverse lookup failures will not be reported.
    Use <no-resolve> to avoid reverse lookups on IP addresses.

    01:53:00.832297 In arp who-has 199.199.199.1 (54:e0:32:d3:b8:08) tell 199.199.199.10
    01:53:00.832401 Out arp reply 199.199.199.1 is-at 54:e0:32:d3:b8:08

    PC1 can reach 200.200.200.20 using the NATted IP 100.100.100.10, as can be seen in the session flow, but tcpdump on the SRX is only capturing ARP traffic, not transit traffic (I did not specify any filter, so all traffic that traverses vlan.199 should be captured).

    This is my first time doing tcpdump on SRX, so not sure if I am missing anything.

    Thanks

    Additional info:

    root> show configuration | display set
    set version 11.4R7.5
    set system root-authentication encrypted-password "$1$K8pkQCB3$PMhEh2V68NzABTnuUWOiv0"
    set system services ssh
    set system services telnet
    set system services xnm-clear-text
    set system services web-management http interface vlan.0
    set system services web-management https system-generated-certificate
    set system services web-management https interface vlan.0
    set system syslog archive size 100k
    set system syslog archive files 3
    set system syslog user * any emergency
    set system syslog file messages any critical
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands error
    set system max-configurations-on-flash 5
    set system max-configuration-rollbacks 5
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set interfaces fe-0/0/0 unit 0 family ethernet-switching port-mode trunk
    set interfaces fe-0/0/0 unit 0 family ethernet-switching vlan members all
    set interfaces fe-0/0/1 unit 0 family ethernet-switching port-mode access
    set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan199
    set interfaces fe-0/0/2 unit 0 family ethernet-switching port-mode access
    set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan200
    set interfaces fe-0/0/3 unit 0 family ethernet-switching port-mode access
    set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan199
    set interfaces fe-0/0/4 unit 0
    set interfaces fe-0/0/5 unit 0
    set interfaces fe-0/0/6 unit 0
    set interfaces fe-0/0/7 unit 0
    set interfaces vlan unit 199 family inet address 199.199.199.1/24
    set interfaces vlan unit 200 family inet address 200.200.200.1/24
    set security address-book global address ZEE 200.200.200.20/32
    set security address-book global address GIGI 100.100.100.10/32
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security nat static rule-set ZEE1 from zone TRUST
    set security nat static rule-set ZEE1 rule RULE1 match destination-address 100.100.100.10/32
    set security nat static rule-set ZEE1 rule RULE1 then static-nat prefix 200.200.200.20/32
    set security policies from-zone TRUST to-zone UNTRUST policy A match source-address any
    set security policies from-zone TRUST to-zone UNTRUST policy A match destination-address ZEE
    set security policies from-zone TRUST to-zone UNTRUST policy A match application any
    set security policies from-zone TRUST to-zone UNTRUST policy A then permit
    set security policies from-zone UNTRUST to-zone TRUST policy A match source-address GIGI
    set security policies from-zone UNTRUST to-zone TRUST policy A match destination-address any
    set security policies from-zone UNTRUST to-zone TRUST policy A match application any
    set security policies from-zone UNTRUST to-zone TRUST policy A then permit
    set security zones security-zone TRUST host-inbound-traffic system-services all
    set security zones security-zone TRUST interfaces vlan.199
    set security zones security-zone UNTRUST host-inbound-traffic system-services all
    set security zones security-zone UNTRUST interfaces vlan.200
    set vlans vlan199 vlan-id 199
    set vlans vlan199 l3-interface vlan.199
    set vlans vlan200 vlan-id 200
    set vlans vlan200 l3-interface vlan.200
  • 2.  RE: tcpdump on SRX
    Best Answer

    Posted 10-01-2017 22:19

    hi !

    it catches only packets with local RE destination or source

    no capture of forwarded packets as this capture is done in the RE and not in the PFE

    and ARPs, as broadcast, will reach the RE, therefore they are seen

    regards
    alexander



  • 3.  RE: tcpdump on SRX

    Posted 10-02-2017 08:46

    Thanks for your response, it makes sense, so we cannot do tcpdump on transit traffic.

    How about this (not sure if this will work):

    1) We define the capture filter and capture the transit traffic and store that file locally.

    2) We use tcpdump to read the file.

  • 4.  RE: tcpdump on SRX

    Posted 10-02-2017 16:34

    For transit traffic, try this, using basic-datapath debug:

    #set security flow traceoptions file trace-debug-basic-dp

    #set security flow traceoptions flag basic-datapath

    #set security flow traceoptions packet-filter pckt-in source-prefix <prefix/length>

    #set security flow traceoptions packet-filter pckt-out destination-prefix <prefix/length>
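    The two approaches discussed in this thread, filled in for the original poster's topology as an added example (it is not the thread's own text beyond the four set statements in the reply above). Option A completes the flow traceoptions with the host 199.199.199.10 in place of the <prefix/length> placeholders, plus file-size and clean-up steps; Option B is the firewall-filter packet-capture that post 3 asked about, which writes a pcap file that tcpdump can read. The file names (trace-debug-basic-dp is from the reply; pcap-pc1 and CAP-PC1 are made up here), the sizes and the pcap file naming under /var/tmp are assumptions; lines starting with # are annotations, not commands.

```junos
# Added example, not from the thread. Names, sizes and the pcap file name
# below are assumptions for illustration.

# --- Option A: flow traceoptions (basic-datapath) -----------------------
# Both filters are needed: pckt-in matches PC1 -> 100.100.100.10 as it
# arrives on vlan.199 (pre-NAT address, as the session table shows),
# pckt-out matches the reply heading back to PC1.
set security flow traceoptions file trace-debug-basic-dp
set security flow traceoptions file size 1m
set security flow traceoptions file files 3
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter pckt-in source-prefix 199.199.199.10/32
set security flow traceoptions packet-filter pckt-in destination-prefix 100.100.100.10/32
set security flow traceoptions packet-filter pckt-out destination-prefix 199.199.199.10/32
commit

# Read the trace from configuration mode, then switch tracing off again:
# it is per-packet work on the forwarding path and should not stay enabled.
run show log trace-debug-basic-dp
deactivate security flow traceoptions
commit

# --- Option B: packet-capture to a pcap file ----------------------------
# A firewall filter with the "sample" action on the L3 interface hands
# matching packets to the packet-capture process, which writes pcap files
# under /var/tmp. The default snap length is 68 bytes, so raise it to get
# full packets. The final term keeps forwarding everything else unchanged.
set forwarding-options packet-capture file filename pcap-pc1
set forwarding-options packet-capture file files 5
set forwarding-options packet-capture file size 1m
set forwarding-options packet-capture maximum-capture-size 1500
set firewall filter CAP-PC1 term pc1 from address 199.199.199.10/32
set firewall filter CAP-PC1 term pc1 then sample
set firewall filter CAP-PC1 term pc1 then accept
set firewall filter CAP-PC1 term rest then accept
set interfaces vlan unit 199 family inet filter input CAP-PC1
set interfaces vlan unit 199 family inet filter output CAP-PC1
commit

# One file per capturing interface appears in /var/tmp, named
# <filename>.<interface> (assumed here: pcap-pc1.vlan.199). Read it from
# the shell with tcpdump, which is the step 2 from post 3.
run file list /var/tmp/ detail
run start shell
tcpdump -nr /var/tmp/pcap-pc1.vlan.199
```

    Option A shows the flow decisions (policy lookup, NAT translation, session creation) for the matched packets, which is what you want when asking why traffic is or is not forwarded; Option B gives the actual packet bytes in pcap form. Both are applied on the forwarding path, so unlike the RE-side tcpdump in the original question they do see transit traffic, and both should be removed or deactivated once the troubleshooting is done.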