View Only
last person joined: 3 days ago 

Ask questions and share experiences with SD-WAN and Session Smart Router (formerly 128T).
  • 1.  Feature Friday: Session Capture

    Posted 06-10-2022 09:36

    Hey everyone, it’s FRIDAY!!!! That means it’s time for another Feature Friday!


    When there's a problem in your network. What's your first thought? Blame the usual suspects (or if you're an service provider, get blamed by your customer)? Groan because you worry you’re going to spend the rest of the day searching for a needle in a haystack? Or do you use Juniper's Session Capture feature on the Session Smart Router to quickly and easily find the problem?


    If it's not the last one, this is the post for you!


    This post was actually inspired by this picture that @Mark Shields (he goes by "Lane") captured from our friends over at Ambifox:


    PCAP or It Didn't Happen


    So, what is Session Capture and how is it different than Packet Capture?


    Packet Captures

    You probably already know that you can perform Packet Captures on your Session Smart Routers. This is done per Device Interface. All you do is create your filter (using Berkley Packet Filter Syntax) and watch the PCAPs get filled by packets that match your filter criteria. You can do this through the create capture-filtercommand or through the configuration. The configuration method will be persistent through reboot, but you have to commit your configuration. With the command, you do not have to commit your configuration, but it will still not be active after a reboot.


    Session Capture

    However, do you know about the Session Capture (also referred to as Selective Packet Capture)? With the Session Capture, instead of having to create a filter based on an IP address/port/protocol you think will be useful to capture the correct packets for your debugging, you can create PCAPs based on the Service. This is especially helpful when IPs and ports might get NATed, like we do with Secure Vector Routing (SVR).


    Turning on Session Capture

    All you have to do to turn on Session Capture is issue the command create session-capture service <service>. You can then add some other qualifiers like source IP address, destination IP address, ports, etc. if you like, but you do not need to. Session Capture will create PCAPs in /var/log/128technology/ with the name 128T_service_<service-name>.pcap. These PCAPs will be filled by all packets that match the Service that you requested, no matter the IP address/port/whatever.


    How it Works

    Now, here’s the thing I like the most about Session Capture, all you have to do is activate the Session Capture once and ANY Session Smart Routers that the session traverses through will create a PCAP for that Service. So, take a look at this picture:


    Session Capture Flow Example


    As you can see, when the client sends traffic to the server, it goes through 3 SSRs and has 12 different points where it ingresses or egresses an SSR. We can turn the Session Capture on on node1.routerA, and it will capture the appropriate packets on all 4 of its points. Additionally, metadata will indicate to subsequent Session Smart Routers or nodes to enable the packet capture for this session. Each SSR node will install capture filters in each of the four capture points for the same session. A PCAP file will be created on each node, containing the name of the service captured.


    I like to use this to make sure my sessions are being routed correctly. If a PCAP is not created on one of the routers or nodes, then I know the session did not make it to that node. This can also be helpful in determining where a session failed, i.e. before or after a certain router/node, so I don’t spend all day looking in the wrong spot.


    More Information

    If you are looking for some more information on Packet Captures or Session Captures in your Session Smart Router, check out the documentation.


    We also have a great blog written by Patrick Melampy as well as a demo on how to turn on Session Capture.


    Ok, now your turn. Comment below telling us:

    • How often do you turn to PCAPs?
    • Have you used Packet Capture or Session Capture in the Session Smart Router?
    • What’s the most interesting thing you have ever found in a PCAP?


    Last thing before I bid you adieu. I will be presenting at the AI in Action Conference in Las Vegas next week. If you are around, come hit me up. I’d love to get to meet you in person.


    Anyway, have a great weekend and I will talk to you soon!


    #FeatureFridays #SSR #SessionSmartRouter #pcap #packet-capture #BerkeleyPacketFilter #SessionCapture #PCAPorItDidn'tHappen


    Justin Melloni

  • 2.  RE: Feature Friday: Session Capture

    Posted 08-25-2022 15:45

    That is a great topic to discuss. I didn't realize how powerful session-capture were. I do have one thing to add, however. I have come across an inquiry on unencrypted meta-data with session-capture from a customer. From several reliable sources, the SSR will decrypt some the meta-data including the service name and tenant. This does makes sense logically as we always see the tenant and service-name in the SSR's session routing table. This is regardless if it is encrypted or not. I thought this might be a fun fact to add to this article. 



    Mark Ansley

  • 3.  RE: Feature Friday: Session Capture

    Posted 08-25-2022 16:46
    Hey @Mark!

    Thank you for sharing that! I did not realize that you could see some of the metadata with Session Capture. That's a really cool feature and will make it much easier for people who are trying to see what the metadata looks like. 

    Just a reminder to anyone that is interested in checking out the metadata, we do have a metadata dissector plugin for wireshark available here:

    Thank you,

    Justin Melloni