set security flow traceoptions file <filename>
set security flow traceoptions file size 100000
set security flow traceoptions file files 5
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter <name> source-prefix <ip/cidr>
set security flow traceoptions packet-filter <name> destination-prefix <ip/cidr>
commit

!! Run the following from the shell to view the capture
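#######################################
# Reformat a Junos SRX flow traceoptions file (flag basic-datapath) into a
# per-packet summary on stdout. Same filtering and substitutions as the
# original one-liner, but the deprecated `egrep` is replaced by `grep -E`
# and the twelve chained `sed` processes collapse into one.
# Arguments: $1 - path to the traceoptions file (the <filename> configured
#                 with "set security flow traceoptions file")
# Outputs:   matching trace lines with everything up to "RT:" stripped and
#            TCP flag / ICMP type-code fields replaced by readable labels;
#            every "matched filter" line is preceded by a
#            "=== PACKET START ===" banner
# Returns:   the pipeline's exit status (non-zero if the file is unreadable)
#######################################
srx_flow_summary() {
  local trace_file=${1:?usage: srx_flow_summary <traceoptions-file>}

  # Lines worth reading: packet-filter hits, interface/flow lines of the form
  # "ge-0/0/0.0:a->b", session lookups, NAT, routing and policy results.
  local line_filter='matched filter|(ge|fe|reth)-.*->.*|session found|create session|dst_xlate|routed|search|denied|src_xlate|outgoing phy if'

  # Substitutions in the original order. "|" is the sed delimiter so the "/"
  # in SYN/ACK and "(8/0)" needs no escaping; "(" is literal in basic regex.
  # The first expression is greedy: it drops everything up to the LAST "RT:"
  # on the line (timestamp and process prefix).
  local -a decode=(
    -e 's|.*RT:||g'
    -e 's|tcp, flag 2 syn|--TCP SYN--|g'
    -e 's|tcp, flag 12 syn ack|--TCP SYN/ACK--|g'
    -e 's|tcp, flag 10|--TCP ACK--|g'
    -e 's|tcp, flag 4 rst|--TCP RST--|g'
    -e 's|tcp, flag 14 rst|--TCP RST/ACK--|g'
    -e 's|tcp, flag 18|--TCP PUSH/ACK--|g'
    -e 's|tcp, flag 11 fin|--TCP FIN/ACK--|g'
    -e 's|tcp, flag 5|--TCP FIN/RST--|g'
    -e 's|icmp, (0/0)|--ICMP Echo Reply--|g'
    -e 's|icmp, (8/0)|--ICMP Echo Request--|g'
    -e 's|icmp, (3/0)|--ICMP Destination Unreachable--|g'
    -e 's|icmp, (11/0)|--ICMP Time Exceeded--|g'
  )

  # "--" stops grep from treating a file name starting with "-" as an option.
  grep -E -- "$line_filter" "$trace_file" \
    | sed "${decode[@]}" \
    | awk '/matched/ {print "\n\t\t\t=== PACKET START ==="}; {print};'
}

# Run directly only when executed with a file argument, so the function can
# also be pasted into an interactive shell and called later.
if [[ "${BASH_SOURCE[0]}" == "$0" && $# -gt 0 ]]; then
  srx_flow_summary "$1"
fi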

Notes:

  • The egrep pipeline only reformats the capture into an easier-to-read form; it is not necessary to run it in order to read the capture file.
  • Make sure to replace the `<filename>` placeholder in the egrep command with the trace file name configured above.
  • Capture is bidirectional
