Whilst I build Juniper labs for my own self-study, I often like to view a complete packet capture so I can understand protocols. Often my packet-capturing workstation isn't directly connected to the Juniper appliances, so a simple port mirror won't work. So I thought: why not tunnel the packets to the workstation over a nice GRE tunnel?

Here's a quick, and of course naff, doodle. I wish to capture BGP packets on R2's interface connected to the 192.168.129.0/30 network.

(diagram: gre2)

First I create a firewall filter matching packets using the TCP protocol with destination port 179 (looks like BGP, right?), and then accept all other traffic. Note that this matches only on destination port 179, so packets sent from port 179 (the replies of whichever side is the listening BGP speaker) are not mirrored.

set firewall filter port-mirror term interesting-traffic from protocol tcp
set firewall filter port-mirror term interesting-traffic from destination-port 179
set firewall filter port-mirror term interesting-traffic then port-mirror
set firewall filter port-mirror term interesting-traffic then accept
set firewall filter port-mirror term pass then accept

Then I configure port mirroring to send all matching packets down a GRE tunnel.

set forwarding-options port-mirroring input rate 1
set forwarding-options port-mirroring input run-length 10
set forwarding-options port-mirroring family inet output interface gr-0/0/0.200 next-hop 10.77.80.1

Set up the GRE tunnel on the SRX.

set interfaces gr-0/0/0 unit 200 tunnel source 192.168.129.2
set interfaces gr-0/0/0 unit 200 tunnel destination 192.168.128.35
set interfaces gr-0/0/0 unit 200 family inet address 10.77.80.1/24

Then I apply the filter to my interface of choice, in both the input and output directions.

set interfaces ge-0/0/1 unit 0 family inet filter input port-mirror
set interfaces ge-0/0/1 unit 0 family inet filter output port-mirror

Apply the changes with a commit.

On my Wireshark machine

Install Wireshark

dan@wireshark:/etc/network$ sudo apt-get install wireshark

Set up my GRE tunnel

dan@wireshark:/etc/network:$ sudo nano /etc/network/interfaces

auto tun1
iface tun1 inet static
    address 10.77.80.2
    netmask 255.255.255.0
    # outer GRE endpoints: local is this workstation, remote is the SRX tunnel source
    pre-up iptunnel add tun1 mode gre local 192.168.128.35 remote 192.168.129.2 ttl 255
    up ifconfig tun1 multicast
    # far end of the tunnel: the SRX's gr-0/0/0.200 address
    pointopoint 10.77.80.1
    post-down iptunnel del tun1

Bring the tunnel up

sudo ifup tun1


Watch those packets come in.

(screenshot: bgp)
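As an added check that is not part of the original post: what lands on the workstation is the mirrored packet wrapped in a GRE header inside an outer IPv4 packet from the SRX tunnel source (192.168.129.2) to the workstation (192.168.128.35). The short Python script below strips those two outer layers and reports whether the inner packet is the TCP port 179 traffic the filter is supposed to send, which is a handy way to sanity-check the capture before trusting it. The frame it decodes is constructed inline (the BGP peer address 192.168.129.1 is an assumption), nothing is read from the wire.

```python
import struct
from ipaddress import IPv4Address

IPPROTO_GRE, IPPROTO_TCP, ETHERTYPE_IPV4, BGP_PORT = 47, 6, 0x0800, 179
IPV4_FMT = "!BBHHHBBH4s4s"  # ver/ihl, tos, total len, id, frag, ttl, proto, csum, src, dst


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left 0) around payload; only used to construct the sample."""
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed) + payload


def parse_ipv4(buf):
    """Return (src, dst, proto, payload), honouring the IHL and total-length fields."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, buf[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return str(IPv4Address(src)), str(IPv4Address(dst)), proto, buf[(ver_ihl & 0x0F) * 4:total_len]


def decap_mirror(frame):
    """Strip the outer IPv4 + GRE headers (RFC 2784; optional C/K/S fields skipped) and describe the inner packet."""
    o_src, o_dst, o_proto, gre = parse_ipv4(frame)
    if o_proto != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE (IP protocol %d)" % o_proto)
    flags, ptype = struct.unpack("!HH", gre[:4])
    # 4 extra header bytes each for checksum+reserved (C bit), key (K bit) and sequence number (S bit)
    off = 4 + sum(4 for bit in (0x8000, 0x2000, 0x1000) if flags & bit)
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("GRE payload is not IPv4 (protocol type 0x%04x)" % ptype)
    i_src, i_dst, i_proto, l4 = parse_ipv4(gre[off:])
    sport, dport = struct.unpack("!HH", l4[:4]) if i_proto == IPPROTO_TCP else (None, None)
    return {"outer_src": o_src, "outer_dst": o_dst, "inner_src": i_src, "inner_dst": i_dst,
            "inner_proto": i_proto, "sport": sport, "dport": dport}


def is_mirrored_bgp(frame):
    """True when the decapsulated packet is TCP to or from port 179, i.e. what the SRX filter should send."""
    d = decap_mirror(frame)
    return d["inner_proto"] == IPPROTO_TCP and BGP_PORT in (d["sport"], d["dport"])


# Constructed sample (not a real capture): a TCP SYN from an assumed peer 192.168.129.1 to R2's BGP port,
# mirrored by the SRX (tunnel source 192.168.129.2) towards the workstation (192.168.128.35).
TCP_SYN_TO_BGP = struct.pack("!HHIIBBHHH", 48000, BGP_PORT, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
INNER_PACKET = build_ipv4("192.168.129.1", "192.168.129.2", IPPROTO_TCP, TCP_SYN_TO_BGP)
SAMPLE_FRAME = build_ipv4("192.168.129.2", "192.168.128.35", IPPROTO_GRE,
                          struct.pack("!HH", 0, ETHERTYPE_IPV4) + INNER_PACKET)
```

Running `decap_mirror(SAMPLE_FRAME)` on a frame pulled from a real capture instead of the constructed one will tell you immediately if something other than BGP is leaking through the filter.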