So it's been a while since my last blog, as the last year or so has been manic in my $dayjob due to a number of projects, and I have finally managed to take a breath and start to think of some content I can give back to the community. The following post comes with a big thanks to James for pointing me towards this great trick and educating me on some Linux/Unix commands!
Junos devices can examine packets destined for the routing engine in a number of ways.
Using the command
monitor traffic interface ge-0/0/0 no-resolve size 1600 matching "<tcpdump filter>"
you will see every packet bound for the routing engine on that interface. Because the filter syntax is tcpdump-compatible, the capture can be narrowed to specific traffic. Note that this only shows control-plane traffic, i.e. packets to or from the routing engine; transit traffic forwarded by the packet forwarding engine is not visible here.
Using the same command with the hidden option write-file saves the capture as a PCAP file:
monitor traffic interface ge-0/0/0 no-resolve size 1600 matching "<tcpdump filter>" write-file /tmp/mytrace.pcap
Transfer the file off the device with SCP and the trace can then be examined in a local install of Wireshark. This is the best way to quickly examine captured packets, but it makes live debugging tricky.
Because Junos is built on a FreeBSD (Unix) base and uses tcpdump for its underlying packet capture, it is possible to send the tcpdump output from STDOUT through an SSH connection to a remote system where Wireshark is installed, and view the capture live. The remote system must be reachable from the device doing the capture, and must not be behind NAT unless a port forward is in place. If the remote system is not your local laptop, X forwarding can be used so that the Wireshark window opened on the remote system is displayed on the laptop.
On the remote system where Wireshark is installed, open an SSH connection with X forwarding enabled, check the current DISPLAY environment variable (it is needed for the --display argument later) and leave the session open.
[nick@mbp ~]$ ssh firstname.lastname@example.org -X
Last login: Wed Nov 28 09:10:47 2018 from supersecretlocation.com
[root@server ~]# echo $DISPLAY
Log in to the system where the trace is to be run and start a root shell:
[nick@mbp ~]$ ssh myvMX
Password:
--- JUNOS 16.1R7.8 built 2018-09-12 09:06:00 UTC
nick@vMX> start shell
% su -
Run the tcpdump command, setting the interface to capture, the IP of the remote system to forward to, and a valid source address (the -b option to ssh) that exists on the capturing system, for example the management address on the routing engine. The not port 22 filter is important: it excludes the SSH session that carries the capture itself, otherwise tcpdump would capture its own output and the stream would feed back on itself. If the remote SSH server listens on a different port, adjust the filter to match.
tcpdump -i <interface_to_capture> -nn -s 1600 -w - -l not port 22 | ssh root@<remote_server> -b <local_source_address> "(wireshark --display=:10.0 -knSli -)"
tcpdump then starts and prompts for the password to the remote system:
Address resolution is OFF. Listening on ge-1/1/0, capture size 1600 bytes
email@example.com's password:
Once it is entered, Wireshark starts automatically and you will see live packets going in and out of the interface. Use Wireshark's display filters to narrow down to the traffic of interest. One caveat: in this setup Wireshark runs as root on the remote system and parses untrusted packet data, so on anything other than a disposable lab box it is worth running it as an unprivileged user instead.
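As an added example (not part of the original post), the pipeline above wrapped in a small POSIX sh script. It builds the tcpdump filter so that the SSH port carrying the capture is always excluded (the feedback-loop problem noted above), prints the full command for review and then runs it. The arguments (interface, remote host, local source address for ssh -b, remote SSH port and the DISPLAY value seen on the remote system) are hypothetical and supplied by the operator; the -p option on ssh is an addition so the filter and the SSH port stay in sync.

```shell
#!/bin/sh
# Added example (not from the original post): wrapper around the
# "tcpdump | ssh | wireshark" pipeline.  All host names, addresses and
# ports below are hypothetical and passed in by the operator.

# build_filter PORT [tcpdump filter ...]
# Returns a tcpdump filter that excludes the SSH port carrying the capture
# (otherwise tcpdump captures its own output), AND-ed with any user filter.
build_filter() {
    port="$1"; shift
    if [ $# -eq 0 ]; then
        printf 'not port %s' "$port"
    else
        printf 'not port %s and (%s)' "$port" "$*"
    fi
}

# build_pipeline IFACE REMOTE_HOST SOURCE_ADDR SSH_PORT DISPLAY [tcpdump filter ...]
# Returns the full command line as a string so the operator can review it
# (dry run) before anything touches the wire.
build_pipeline() {
    iface="$1"; remote="$2"; src="$3"; port="$4"; display="$5"; shift 5
    filter=$(build_filter "$port" "$@")
    printf 'tcpdump -i %s -nn -s 1600 -w - -l %s | ssh -p %s -b %s root@%s "wireshark --display=%s -knSli -"' \
        "$iface" "$filter" "$port" "$src" "$remote" "$display"
}

# run_pipeline: same arguments as build_pipeline, but actually runs it
# (no eval; the pipeline is spelled out directly).
run_pipeline() {
    iface="$1"; remote="$2"; src="$3"; port="$4"; display="$5"; shift 5
    filter=$(build_filter "$port" "$@")
    # $filter is intentionally unquoted: tcpdump takes the filter as separate words.
    tcpdump -i "$iface" -nn -s 1600 -w - -l $filter \
        | ssh -p "$port" -b "$src" "root@$remote" "wireshark --display=$display -knSli -"
}

# Only run when invoked with arguments, e.g. (hypothetical addresses):
#   sh livecap.sh ge-1/1/0 192.0.2.10 192.0.2.1 22 :10.0 'host 198.51.100.5 and icmp'
if [ $# -ge 5 ]; then
    printf 'Running: %s\n' "$(build_pipeline "$@")" >&2
    run_pipeline "$@"
fi
```

The user filter is wrapped in parentheses before being AND-ed with the port exclusion, so a filter such as host A or host B cannot accidentally override the not port clause and reintroduce the feedback loop.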