Whilst I build Juniper labs for my own self-study, I often like to view a complete packet capture so I can understand protocols. Often my packet-capturing workstation isn't directly connected to the Juniper appliances, so a simple port mirror won't work. So I thought: why not tunnel the packets to the workstation over a nice GRE tunnel?
Here's a quick, and of course naff, doodle. I wish to capture BGP packets on R2's interface connected to the 192.168.129.0/30 network.
First I create a firewall filter with a term matching TCP packets with destination-port 179 (looks like BGP, right?) that port-mirrors and accepts them, followed by a term that accepts all other traffic:
set firewall filter port-mirror term interesting-traffic from protocol tcp
set firewall filter port-mirror term interesting-traffic from destination-port 179
set firewall filter port-mirror term interesting-traffic then port-mirror
set firewall filter port-mirror term interesting-traffic then accept
set firewall filter port-mirror term pass then accept
Then I configure port mirroring to send all matching packets down a GRE tunnel (rate 1 mirrors every sampled packet, and run-length 10 also mirrors the ten packets following each sampled one):
set forwarding-options port-mirroring input rate 1
set forwarding-options port-mirroring input run-length 10
set forwarding-options port-mirroring family inet output interface gr-0/0/0.200 next-hop 10.77.80.1
Set up the GRE tunnel on the SRX:
set interfaces gr-0/0/0 unit 200 tunnel source 192.168.129.2
set interfaces gr-0/0/0 unit 200 tunnel destination 192.168.128.35
set interfaces gr-0/0/0 unit 200 family inet address 10.77.80.1/24
Then I apply the filter to my interface of choice, in both directions:
set interfaces ge-0/0/1 unit 0 family inet filter input port-mirror
set interfaces ge-0/0/1 unit 0 family inet filter output port-mirror
Apply the changes with a commit.
On my Wireshark machine, install Wireshark:
dan@wireshark:/etc/network$ sudo apt-get install wireshark
Set up my GRE tunnel by adding the following stanza to /etc/network/interfaces:
dan@wireshark:/etc/network$ sudo nano /etc/network/interfaces
iface tun1 inet static
    pre-up iptunnel add tun1 mode gre local 192.168.128.35 remote 192.168.129.2 ttl 255
    up ifconfig tun1 multicast
    post-down iptunnel del tun1
Bring the tunnel up:
sudo ifup tun1
Start a capture on tun1 and watch those packets come in.
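As an added example (not code from the original post), here is a small Python decoder for what arrives on the capture host: it strips the outer IPv4 and GRE headers, checks that the outer source really is the SRX tunnel source configured above, and reports which half of the BGP session each inner packet belongs to. The sample packets are constructed inline using the lab addressing from the post; the peer address 192.168.129.1 and the client port are assumptions.

```python
import struct
from ipaddress import IPv4Address

SRX_TUNNEL_SRC = "192.168.129.2"  # 'tunnel source' from the SRX gr-0/0/0.200 config
BGP_PORT = 179

def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left 0) for constructed samples."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def gre(inner, key=None):
    """GRE header (RFC 2784/2890) carrying IPv4; optional key exercises header parsing."""
    hdr = struct.pack("!HH", 0x2000 if key is not None else 0, 0x0800)
    return hdr + (struct.pack("!I", key) if key is not None else b"") + inner

def tcp(sport, dport):
    """20-byte TCP header, PSH/ACK, no payload (checksum left 0; constructed sample)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)

def parse_ipv4(buf):
    ihl = (buf[0] & 0x0F) * 4
    return buf[9], str(IPv4Address(buf[12:16])), str(IPv4Address(buf[16:20])), buf[ihl:]

def classify(frame):
    """Decapsulate one mirrored packet and say how the SRX filter would have seen it."""
    proto, osrc, _, payload = parse_ipv4(frame)
    if proto != 47:
        return "not-gre"
    if osrc != SRX_TUNNEL_SRC:
        return "gre-from-unexpected-source"  # only trust the configured tunnel endpoint
    flags, ptype = struct.unpack("!HH", payload[:4])
    # optional fields: checksum/reserved (C), key (K), sequence number (S)
    off = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    if ptype != 0x0800:
        return "inner-not-ipv4"
    iproto, _, _, l4 = parse_ipv4(payload[off:])
    if iproto != 6:
        return "inner-not-tcp"
    sport, dport = struct.unpack("!HH", l4[:4])
    if dport == BGP_PORT:
        return "bgp-to-listener"    # what 'from destination-port 179' matches
    if sport == BGP_PORT:
        return "bgp-from-listener"  # reverse half: only the source port is 179
    return "tcp-other"

# Constructed samples: both halves of the R2 <-> peer BGP session as the SRX tunnels them
# to 192.168.128.35, plus a GRE packet from a source that is not the SRX.
TO_LISTENER = ipv4(SRX_TUNNEL_SRC, "192.168.128.35", 47,
                   gre(ipv4("192.168.129.2", "192.168.129.1", 6, tcp(51000, BGP_PORT))))
FROM_LISTENER = ipv4(SRX_TUNNEL_SRC, "192.168.128.35", 47,
                     gre(ipv4("192.168.129.1", "192.168.129.2", 6, tcp(BGP_PORT, 51000)), key=200))
SPOOFED = ipv4("10.0.0.9", "192.168.128.35", 47, gre(ipv4("10.0.0.1", "10.0.0.2", 6, tcp(1, BGP_PORT))))
```

Because the filter term matches on destination-port only, packets in the "bgp-from-listener" direction are mirrored only when the filter is hit on the interface where they carry port 179 as the destination; the classifier makes that split visible in the capture.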