Wireshark on a Juniper interface

Once in a while you need to analyze the traffic on a specific interface with Wireshark. Junos, being a Unix (derived from Research Unix), offers several ways to do this. I will focus on the method you will use most frequently: port mirroring with an analyzer.

First, identify the port you need to analyze. Second, identify a free port to attach your laptop to. Let's use xe-0/0/0 as the interface to analyze and xe-0/0/47 as the 'output' interface to attach your computer to. Both must be switching capable:

set interfaces xe-0/0/0 unit 0 family ethernet-switching
set interfaces xe-0/0/47 unit 0 family ethernet-switching

Determine which traffic flows you need to analyze: ingress, egress or both. Usually you want to 'see' both flows. Now configure the 'source' traffic flows:

set forwarding-options analyzer SPAN-port input ingress interface xe-0/0/0
set forwarding-options analyzer SPAN-port input egress interface xe-0/0/0

The only thing left to do is to direct the source traffic to the monitor/destination interface (xe-0/0/47, the port your laptop is attached to):

set forwarding-options analyzer SPAN-port output interface xe-0/0/47

There are several other ways to send mirrored packets towards a destination:

  • ip-address
  • vlan
  • routing-instance

But that's for you to figure out now 😉

Keep in mind that the output interface carries both flows. When you monitor an interface in both directions, the destination interface must be able to carry the sum of the ingress and egress traffic, or you run into congestion and the mirror drops packets. So first determine the size of the traffic flows, using "monitor interface xe-0/0/0" or "show interfaces xe-0/0/0 | match bps".
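As an added example (not part of the original post), here is a small helper that covers both steps above: it parses the bps lines from a constructed sample of "show interfaces xe-0/0/0 | match bps", checks whether the mirror port can carry the sum of the flows you intend to mirror, and emits the analyzer configuration while refusing to use the monitored port as its own output. The analyzer name, the interface names and the sample counters are assumptions; the nominal line rates are the usual values for ge/xe/et ports.

```python
import re

# Constructed sample of `show interfaces xe-0/0/0 | match bps` (not from a real box).
SAMPLE_BPS_OUTPUT = """\
   Input  bytes  :           9876543210123           6200000000 bps
   Output bytes  :           1234567890123           4900000000 bps
"""

# Nominal line rate per Junos interface prefix, in bps (assumed 1G/10G/40G).
LINE_RATE_BPS = {"ge": 1_000_000_000, "xe": 10_000_000_000, "et": 40_000_000_000}


def parse_bps(output):
    """Return (input_bps, output_bps) from the '| match bps' lines."""
    rates = {}
    for m in re.finditer(r"^\s*(Input|Output)\s+bytes\s*:\s*\d+\s+(\d+)\s+bps",
                         output, re.M):
        rates[m.group(1).lower()] = int(m.group(2))
    return rates["input"], rates["output"]


def mirror_load(input_bps, output_bps, output_ifc, directions=("ingress", "egress")):
    """Bandwidth the mirror port must carry, and whether it fits its line rate."""
    needed = 0
    if "ingress" in directions:
        needed += input_bps   # frames entering the monitored port
    if "egress" in directions:
        needed += output_bps  # frames leaving the monitored port
    capacity = LINE_RATE_BPS[output_ifc.split("-")[0]]
    return needed, needed <= capacity


def analyzer_config(name, monitored, output, directions=("ingress", "egress")):
    """Build the set commands; the output port must differ from the monitored port."""
    if monitored == output:
        raise ValueError("output interface must differ from the monitored interface")
    cmds = [f"set interfaces {ifc} unit 0 family ethernet-switching"
            for ifc in (monitored, output)]
    cmds += [f"set forwarding-options analyzer {name} input {d} interface {monitored}"
             for d in directions]
    cmds.append(f"set forwarding-options analyzer {name} output interface {output}")
    return cmds


if __name__ == "__main__":
    inp, outp = parse_bps(SAMPLE_BPS_OUTPUT)
    needed, fits = mirror_load(inp, outp, "xe-0/0/47")
    print(f"mirror needs {needed / 1e9:.1f} Gbps, fits: {fits}")
    print("\n".join(analyzer_config("SPAN-port", "xe-0/0/0", "xe-0/0/47")))
```

With the sample counters the two directions add up to 11.1 Gbps, which a 10G mirror port cannot carry; mirroring ingress only (6.2 Gbps) fits.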

During the monitoring, your configuration is visible to your colleagues, and after monitoring, traces of the config are left in the rollback buffers. So for lawful intercept this might not be the best approach.
