SRX

Hello,

Is it possible to monitor where the traffic is going too.

We notice a spike in outgoing usage and we want to find out this is going too and what type of traffic it is.

Is this possbile? We are running 10.4R1.9 on a SRX 240.

Thanks in advance.

There's a few ways to do that...

You could enable policy logging [KB] on the policy that matches your outbound traffic.  It's a good idea to offload your logging to an external syslog server, since the SRX has limited on-board logging capabilities.

You could similarly configure J-flow [KB] and send it to a flow collector / analysis box.  There are free solutions such as ntop.

You could also configure a mirror port and capture the traffic on a separate computer... again, ntop can do this or you could do it a lot of ways with Linux and/or Windows.

[ insert some analogy about skinning a cat here...  (just don't let my cat hear you say it) ]

Is it possible to monitor it in real time in the CLI?

>monitor traffic interface ge-0/0/0.0 -- this shows you the ipaddress and nothing much.

The "monitor traffic" command is only going to show you traffic to/from the routing engine.

In order to monitor transit traffic, you'll need to configure packet capture filters.  This KB has the steps to get that going.

As I mentioned...  lots of ways to do this. If you use the on-device packet captures, I'd recommend you transfer the files off to a workstation so they can be inspected with Wireshark or something more friendly.

Capturing packets and looking at the captures in tcpdump or Wireshark is a pretty manual, tedious process if you're looking to see where large traffic spikes are coming from.  I'd really recommend letting some other piece of software do the heavy lifting for you, like ntop. It will give you statistics on how much traffic of what type is flowing, how fast it's making new connections, etc.