Juniper Secure Analytics
Packet Capture Users Guide
Release
2014.4
Published: 2015-03-02
Copyright © 2015, Juniper Networks, Inc.
Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089 USA
408-745-2000
www.juniper.net
Copyright © 2015, Juniper Networks, Inc. All rights reserved.
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
ENDUSER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.
Table of Contents
About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Documentation and Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Documentation Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix
Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x
Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . x
Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x
Part 1 Juniper Secure Analytics Packet Capture Users Guide
Chapter 1 Introduction to JSA Packet Capture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Understanding JSA Packet Capture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Chapter 2 JSA Packet Capture Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Overview of JSA Packet Capture Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Chapter 3 Capture Usage Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Understanding Capture Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Chapter 4 Obtaining Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Overview of Obtaining License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Part 2 Index
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
List of Tables
About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Table 1: Notice Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii
Table 2: Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii
Part 1 Juniper Secure Analytics Packet Capture Users Guide
Chapter 1 Introduction to JSA Packet Capture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Table 3: JSA Packet Capture Capabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
About the Documentation
• Documentation and Release Notes on page vii
• Documentation Conventions on page vii
• Documentation Feedback on page ix
• Requesting Technical Support on page x
Documentation and Release Notes
To obtain the most current version of all Juniper Networks® technical documentation,
see the product documentation page on the Juniper Networks website at
http://www.juniper.net/techpubs/.
If the information in the latest release notes differs from the information in the
documentation, follow the product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject
matter experts. These books go beyond the technical documentation to explore the
nuances of network architecture, deployment, and administration. The current list can
be viewed at http://www.juniper.net/books.
Documentation Conventions
Table 1 on page viii defines notice icons used in this guide.
Table 1: Notice Icons (Icon / Meaning: Description)
Informational note: Indicates important features or instructions.
Caution: Indicates a situation that might result in loss of data or hardware damage.
Warning: Alerts you to the risk of personal injury or death.
Laser warning: Alerts you to the risk of personal injury from a laser.
Tip: Indicates helpful information.
Best practice: Alerts you to a recommended use or implementation.
Table 2 on page viii defines the text and syntax conventions used in this guide.
Table 2: Text and Syntax Conventions

Convention: Bold text like this
Description: Represents text that you type.
Example:
• To enter configuration mode, type the configure command:
  user@host> configure

Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Example:
  user@host> show chassis alarms
  No alarms currently active

Convention: Italic text like this
Description:
• Introduces or emphasizes important new terms.
• Identifies guide names.
• Identifies RFC and Internet draft titles.
Examples:
• A policy term is a named structure that defines match conditions and actions.
• Junos OS CLI User Guide
• RFC 1997, BGP Communities Attribute

Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
Example:
• Configure the machine’s domain name:
  [edit]
  root@# set system domain-name domain-name

Convention: Text like this
Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
Examples:
• To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
• The console port is labeled CONSOLE.

Convention: < > (angle brackets)
Description: Encloses optional keywords or variables.
Example: stub <default-metric metric>;

Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
Examples:
• broadcast | multicast
• (string1 | string2 | string3)

Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
Example: rsvp { # Required for dynamic MPLS only

Convention: [ ] (square brackets)
Description: Encloses a variable for which you can substitute one or more values.
Example: community name members [ community-ids ]

Convention: Indention and braces ( { } )
Description: Identifies a level in the configuration hierarchy.

Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.

Example for braces and semicolons:
  [edit]
  routing-options {
      static {
          route default {
              nexthop address;
              retain;
          }
      }
  }

GUI Conventions

Convention: Bold text like this
Description: Represents graphical user interface (GUI) items you click or select.
Examples:
• In the Logical Interfaces box, select All Interfaces.
• To cancel the configuration, click Cancel.

Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of menu selections.
Example: In the configuration editor hierarchy, select Protocols>Ospf.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can provide feedback by using either of the following
methods:
• Online feedback rating system—On any page at the Juniper Networks Technical
Documentation site at http://www.juniper.net/techpubs/index.html, simply click the
stars to rate the content, and use the pop-up form to provide us with information about
your experience. Alternately, you can use the online feedback form at
https://www.juniper.net/cgi-bin/docbugreport/.
• E-mail—Send your comments to [email protected]. Include the document
or topic name, URL or page number, and software version (if applicable).
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or JNASC support contract,
or are covered under warranty, and need post-sales technical support, you can access
our tools and resources online or open a case with JTAC.
• JTAC policies—For a complete understanding of our JTAC procedures and policies,
review the JTAC User Guide located at
http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
• Product warranties—For product warranty information, visit
http://www.juniper.net/support/warranty/.
• JTAC hours of operation—The JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with the
following features:
• Find CSC offerings: http://www.juniper.net/customers/support/
• Find product documentation: http://www.juniper.net/techpubs/
• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
• Download the latest versions of software and review release notes:
http://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications:
http://kb.juniper.net/InfoCenter/
• Join and participate in the Juniper Networks Community Forum:
http://www.juniper.net/company/communities/
• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see
http://www.juniper.net/support/requesting-support.html.
PART 1
Juniper Secure Analytics Packet Capture Users Guide
• Introduction to JSA Packet Capture on page 3
• JSA Packet Capture Setup on page 5
• Capture Usage Overview on page 7
• Obtaining Licenses on page 9
CHAPTER 1
Introduction to JSA Packet Capture
This chapter describes the following sections:
• Understanding JSA Packet Capture on page 3
Understanding JSA Packet Capture
Juniper Secure Analytics (JSA) Packet Capture is a network traffic capture and search
application. With JSA Packet Capture, you can capture network packets at multi-Gigabit
rates from a live network interface, and write them to files without packet loss.
JSA Packet Capture can search captured network traffic by time and packet envelope
data. Searches can run simultaneously with the recorder without data loss, provided the
searches are tailored and the appliance is given the appropriate resources. It also provides
high-performance packet-to-disk recording.
Table 3 on page 3 lists the features included with JSA Packet Capture.
Table 3: JSA Packet Capture Capabilities

Feature: Standard PCAP file format
Description: A file format that is used to store network traffic. The file format integrates with existing third-party analysis tools.

Feature: High-performance packet-to-disk recording

Feature: Multi-core support
Description: JSA Packet Capture is designed for use with multi-core architectures.

Feature: Direct-IO disk access
Description: JSA Packet Capture uses direct IO access to disks to obtain maximum disk write throughput.

Feature: Real-time indexing
Description: JSA Packet Capture can produce an index automatically during packet capture. The index can be queried with BPF-like syntax to quickly retrieve interesting packets in a specified time interval.
Dump Format
Capture files are saved in the standard PCAP format with time stamps in microsecond
resolution. Capture files are stored in sequential order with a per-file size limit. The capture
files are stored in directories and files that are recycled on an as-needed basis according to
preconfigured recording parameters.
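Because the recorder writes standard PCAP files, any tool that understands the format can read them. The following Python reader is an added example and is not part of the Juniper guide or the JSA product: it validates the PCAP global header, detects byte order and timestamp resolution from the magic number (the microsecond magic is what the guide describes; the nanosecond variant is handled only so that files from other tools are not misread), refuses truncated or inconsistent records instead of silently skipping them, and then filters records by time interval and EtherType, which is the time-plus-envelope search the chapter describes. The capture bytes it parses are constructed inline, not a real recording; the function names and the sample MAC addresses are mine.

```python
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4   # microsecond timestamps, as the guide describes
PCAP_MAGIC_NSEC = 0xA1B23C4D   # nanosecond variant that some other tools write
LINKTYPE_ETHERNET = 1


def parse_pcap(data: bytes):
    """Parse a PCAP byte string into (link_type, records).

    Each record carries the timestamp (seconds as a float), both lengths and,
    for Ethernet captures, the envelope fields a time/envelope search needs.
    Truncated or inconsistent input raises ValueError rather than being skipped.
    """
    if len(data) < 24:
        raise ValueError("truncated global header")
    # Byte order is not fixed in PCAP: detect it from how the magic number reads.
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError("not a PCAP file (bad magic)")
    frac_div = 1_000_000 if magic == PCAP_MAGIC_USEC else 1_000_000_000
    major, minor, _tz, _sigfigs, snaplen, link_type = struct.unpack(endian + "HHiIII", data[4:24])
    if (major, minor) != (2, 4):
        raise ValueError(f"unsupported PCAP version {major}.{minor}")

    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if ts_frac >= frac_div or incl_len > orig_len or incl_len > snaplen:
            raise ValueError(f"inconsistent record header at offset {off - 16}")
        if off + incl_len > len(data):
            raise ValueError(f"truncated packet data at offset {off}")
        frame = data[off:off + incl_len]
        off += incl_len
        rec = {"timestamp": ts_sec + ts_frac / frac_div, "incl_len": incl_len, "orig_len": orig_len}
        if link_type == LINKTYPE_ETHERNET and incl_len >= 14:
            rec["dst_mac"] = frame[0:6].hex(":")
            rec["src_mac"] = frame[6:12].hex(":")
            rec["ethertype"] = struct.unpack("!H", frame[12:14])[0]
        records.append(rec)
    return link_type, records


def select(records, start=None, end=None, ethertype=None):
    """Filter records by time interval [start, end] (epoch seconds) and/or EtherType."""
    out = []
    for r in records:
        if start is not None and r["timestamp"] < start:
            continue
        if end is not None and r["timestamp"] > end:
            continue
        if ethertype is not None and r.get("ethertype") != ethertype:
            continue
        out.append(r)
    return out


def build_sample_pcap() -> bytes:
    """Constructed sample (not a real capture): two Ethernet frames, little-endian,
    microsecond timestamps on 2015-03-02 00:00:00 UTC (epoch 1425254400)."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    src = bytes.fromhex("0200c0a80101")                                       # made-up source MAC
    arp = bytes.fromhex("ffffffffffff") + src + b"\x08\x06" + b"\x00" * 28   # 42-byte ARP-shaped frame
    ip = bytes.fromhex("0200c0a80102") + src + b"\x08\x00" + b"\x00" * 46    # 60-byte IPv4-shaped frame
    base = 1425254400
    return (header
            + struct.pack("<IIII", base, 250000, len(arp), len(arp)) + arp
            + struct.pack("<IIII", base, 750123, len(ip), len(ip)) + ip)


if __name__ == "__main__":
    link, recs = parse_pcap(build_sample_pcap())
    for r in select(recs, ethertype=0x0800):
        print(f"{r['timestamp']:.6f} {r['src_mac']} -> {r['dst_mac']} type 0x{r['ethertype']:04x}")
```

The strict length checks matter for recycled capture stores: a file that was truncated when the recorder rotated or recycled it fails loudly at the offending offset rather than yielding a partial last packet that a later analysis would treat as real traffic.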
Related Documentation
• Overview of Obtaining License on page 9
• Overview of JSA Packet Capture Setup on page 5
• Understanding Capture Usage on page 7
CHAPTER 2
JSA Packet Capture Setup
This chapter describes the following sections:
• Overview of JSA Packet Capture Setup on page 5
Overview of JSA Packet Capture Setup
Some basic initial configuration is required before you use Juniper Secure Analytics (JSA)
Packet Capture.
Supported web browsers
The following web browsers are supported:
• Google Chrome
• Mozilla Firefox
• Microsoft Internet Explorer
Setting up your network
To make JSA Packet Capture available remotely, an IP address must be assigned to
either eth0 or eth1. By default, the system is configured to use DHCP.
DHCP example
In CentOS 6.2, edit the following settings in the /etc/sysconfig/network-scripts/ifcfg-eth0
file or the /etc/sysconfig/network-scripts/ifcfg-eth1 file.
BOOTPROTO="dhcp"
NM_CONTROLLED="no"
ONBOOT="yes"
Static example:
Edit the following settings in the /etc/sysconfig/network-scripts/ifcfg-eth0 file or the
/etc/sysconfig/network-scripts/ifcfg-eth1 file.
BOOTPROTO="static"
BROADCAST="192.168.1.255"
DNS1="0.0.0.0"
DNS2="0.0.0.0"
GATEWAY="192.168.1.2"
IPADDR="192.168.1.1"
NETMASK="255.255.255.0"
NM_CONTROLLED="no"
ONBOOT="yes"
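A capture appliance that is reachable remotely is only as safe as the interface file that puts it on the network, and a typo in it is easy to miss. The following Python check is an added example, not part of the Juniper guide or the JSA product: it parses an ifcfg-eth0 or ifcfg-eth1 file of the shape shown above and reports inconsistencies before the interface is brought up. It assumes the file is plain KEY="value" lines; the rules it applies (GATEWAY must lie inside the IPADDR/NETMASK subnet, BROADCAST must be that subnet's directed broadcast, ONBOOT and NM_CONTROLLED must hold the values the guide shows, and DNS entries of 0.0.0.0 are treated as unfilled placeholders) are mine, as are the sample files, which are constructed for the demonstration.

```python
import ipaddress

REQUIRED_STATIC = ("IPADDR", "NETMASK", "GATEWAY")


def parse_ifcfg(text: str) -> dict:
    """Parse KEY="value" lines (quotes optional, # comments and blanks ignored)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        cfg[key.strip()] = value.strip().strip('"')
    return cfg


def check_ifcfg(text: str) -> list:
    """Return a list of problems; an empty list means the file looks consistent."""
    cfg = parse_ifcfg(text)
    problems = []
    proto = cfg.get("BOOTPROTO")
    if proto not in ("dhcp", "static"):
        problems.append(f"BOOTPROTO must be dhcp or static, got {proto!r}")
    if cfg.get("ONBOOT") != "yes":
        problems.append("ONBOOT should be yes so the interface comes up at boot")
    if cfg.get("NM_CONTROLLED") != "no":
        problems.append("NM_CONTROLLED should be no so NetworkManager does not override the file")
    if proto != "static":
        return problems

    missing = [k for k in REQUIRED_STATIC if k not in cfg]
    if missing:
        problems.append("static config missing " + ", ".join(missing))
        return problems
    try:
        # IPv4Interface accepts a dotted netmask after the slash, e.g. 192.168.1.1/255.255.255.0
        net = ipaddress.IPv4Interface(f"{cfg['IPADDR']}/{cfg['NETMASK']}").network
        gateway = ipaddress.IPv4Address(cfg["GATEWAY"])
    except ValueError as exc:
        problems.append(f"bad address in IPADDR/NETMASK/GATEWAY: {exc}")
        return problems
    if gateway not in net:
        problems.append(f"GATEWAY {gateway} is not inside {net}")
    if "BROADCAST" in cfg and cfg["BROADCAST"] != str(net.broadcast_address):
        problems.append(f"BROADCAST should be {net.broadcast_address} for {net}")
    for key in ("DNS1", "DNS2"):
        if cfg.get(key) == "0.0.0.0":
            problems.append(f"{key} is 0.0.0.0: replace the placeholder with a real resolver")
    return problems


# Constructed samples: the first two mirror the guide's DHCP and static examples,
# the third deliberately puts the gateway and broadcast outside the configured subnet.
DHCP_SAMPLE = 'BOOTPROTO="dhcp"\nNM_CONTROLLED="no"\nONBOOT="yes"\n'
STATIC_SAMPLE = (
    'BOOTPROTO="static"\nBROADCAST="192.168.1.255"\nDNS1="0.0.0.0"\nDNS2="0.0.0.0"\n'
    'GATEWAY="192.168.1.2"\nIPADDR="192.168.1.1"\nNETMASK="255.255.255.0"\n'
    'NM_CONTROLLED="no"\nONBOOT="yes"\n'
)
BAD_SAMPLE = (
    'BOOTPROTO="static"\nBROADCAST="192.168.2.255"\nDNS1="192.168.1.2"\n'
    'GATEWAY="10.0.0.1"\nIPADDR="192.168.1.1"\nNETMASK="255.255.255.0"\n'
    'NM_CONTROLLED="no"\nONBOOT="yes"\n'
)

if __name__ == "__main__":
    for name, sample in (("dhcp", DHCP_SAMPLE), ("static", STATIC_SAMPLE), ("bad", BAD_SAMPLE)):
        print(name, check_ifcfg(sample) or "ok")
```

Run against a real file with `check_ifcfg(open("/etc/sysconfig/network-scripts/ifcfg-eth0").read())` before restarting networking; the DNS check is deliberately strict, since the guide's static example leaves both resolvers at 0.0.0.0 and a capture appliance with no working resolver will later fail the licensing step, which needs to reach a hostname.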
Related Documentation
• Understanding JSA Packet Capture on page 3
• Overview of Obtaining License on page 9
• Understanding Capture Usage on page 7
CHAPTER 3
Capture Usage Overview
This chapter describes the following sections:
• Understanding Capture Usage on page 7
Understanding Capture Usage
To capture traffic to disk, start the capture application. The Recorder component saves
the traffic data into a pre-configured directory, recycling the files that are already written
if necessary.
Getting started
After you start the system, log in by using the following user information:
User: continuum
Password: P@ck3t08
By default, the Recorder State page is displayed. You can control recordings by clicking
Start Recorder or Stop Recorder.
Recorder state
The following information is provided on the Recorder State page:
• Recorder status: running (yes/no)
• Interface being recorded
• Directory where PCAP files are stored
• Maximum PCAP size, in MB
• Duration of system recording time, as hr:min:sec
• Packets captured
• Packets dropped
• Total number of PCAPs created since the start of recording
• Storage space available
Recorder configuration
On the Recorder Configuration page, to capture network traffic at a higher rate, you can
change the capture storage settings for a recording session. Higher rates are possible by
reducing the percentage of the capture store that is used. Use this function carefully:
increasing the maximum capture rate results in all existing capture and index data being
deleted. When you are ready to start a recording session, click Start Recorder.
Network characterization
To determine the maximum capture rate that does not cause drops, use this page to see
the throughput of the network.
Recorder library
The JSA Packet Capture library contains a history of current and completed captures.
Related Documentation
• Understanding JSA Packet Capture on page 3
• Overview of JSA Packet Capture Setup on page 5
• Overview of Obtaining License on page 9
CHAPTER 4
Obtaining Licenses
This chapter describes the following sections:
• Overview of Obtaining License on page 9
Overview of Obtaining License
To obtain licenses, you need to run the client licensing utility as root user.
A network connection is required.
To obtain a license:
1. Log in to a terminal session as root user.
2. To run the client licensing utility, type the following command:
./permkey
3. At the following prompt, enter the license type:
License type (p = permanent, d = demo)
If the license is successfully installed, the following messages are displayed:
License successfully installed for MAC address your MAC address
License successfully installed for System ID your system ID
4. Restart the system.
Results are logged in the /var/log/permkey.res file.
After approximately 25 seconds, if the following message is displayed, check to ensure
you have an Internet connection and can ping nextcomputing.com.
500 Can’t connect to nextcomputing.com:80 (Bad hostname ’nextcomputing.com’)
5. If you installed demo licenses, you can check how much time is left on them by typing
the following command:
n2disk10g |more
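When licensing is scripted across several appliances, it helps to read the result file rather than eyeball it. The following Python check is an added example and is not part of the Juniper guide or the permkey utility: it scans permkey output for the success and connection-failure messages the procedure above shows and reduces them to a pass/fail result with the installed identifiers. It assumes /var/log/permkey.res contains those same message lines; the MAC address and system ID in the sample are constructed values, not real ones.

```python
import re

# Message shapes taken from the procedure above; the apostrophe in "Can't" is
# matched loosely because the guide prints it as a typographic quote.
INSTALLED_RE = re.compile(r"License successfully installed for (MAC address|System ID) (\S+)")
CONNECT_ERR_RE = re.compile(r"^500 Can.t connect to (\S+)")


def check_permkey_result(text: str) -> dict:
    """Summarise permkey result lines.

    Returns {"ok": bool, "installed": {kind: identifier}, "errors": [str]}.
    "ok" is True only when both a MAC-address and a System-ID license were
    installed and no connection error was reported.
    """
    result = {"installed": {}, "errors": []}
    for line in text.splitlines():
        m = INSTALLED_RE.search(line)
        if m:
            result["installed"][m.group(1)] = m.group(2)
            continue
        m = CONNECT_ERR_RE.search(line.strip())
        if m:
            result["errors"].append(
                f"could not reach {m.group(1)}: verify Internet connectivity and DNS resolution"
            )
    result["ok"] = {"MAC address", "System ID"} <= set(result["installed"]) and not result["errors"]
    return result


# Constructed samples, modelled on the messages in the procedure above.
SAMPLE_OK = (
    "License successfully installed for MAC address 00:11:22:33:44:55\n"   # made-up MAC
    "License successfully installed for System ID SYSID-EXAMPLE-0001\n"    # made-up system ID
)
SAMPLE_FAIL = "500 Can't connect to nextcomputing.com:80 (Bad hostname 'nextcomputing.com')\n"

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_OK
    print(check_permkey_result(text))
```

Pass the path of the result file as the first argument (for example `/var/log/permkey.res`) to check a real run; with no argument the script evaluates the constructed success sample.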
Related Documentation
• Understanding JSA Packet Capture on page 3
• Overview of JSA Packet Capture Setup on page 5
• Understanding Capture Usage on page 7
PART 2
Index
• Index on page 13
Index

Symbols
#, comments in configuration statements.....................ix
( ), in syntax descriptions.......................................................ix
< >, in syntax descriptions.....................................................ix
[ ], in configuration statements...........................................ix
{ }, in configuration statements..........................................ix
| (pipe), in syntax descriptions............................................ix

B
braces, in configuration statements..................................ix
brackets
  angle, in syntax descriptions........................................ix
  square, in configuration statements.........................ix

C
comments, in configuration statements.........................ix
conventions
  text and syntax................................................................viii
curly braces, in configuration statements.......................ix
customer support......................................................................x
  contacting JTAC.................................................................x

D
documentation
  comments on....................................................................ix

F
font conventions.....................................................................viii

M
manuals
  comments on....................................................................ix

P
parentheses, in syntax descriptions..................................ix

S
support, technical See technical support
syntax conventions................................................................viii

T
technical support
  contacting JTAC.................................................................x