SRX Traceoptions: Security Flow

Following on from the last post lets quickly see how we go using TCPDUMP with reth interfaces;

Using the same methodology as in my last post...I.e having separate input and output filters and applying those filters on the reth interface, I find that the SRX generates 2 files, one for the reth and one for the (I assume active) physical interface.Eg.

-rw-r--r--  1 root  wheel  1878 Apr 27 18:15 dumptest.fe-0.0.2
-rw-r--r--  1 root  wheel  1298 Apr 27 18:15 dumptest.reth0

Looking at the 2 files we can capture what we want however each file only shows the traffic in one direction. So you need to look at both files to see everything that is going on. For sure not too handy.

At any rate in the Junos release notes (Branch SRX) they state..
                Sampling features like J-FLow, packet capture, and port mirror on the reth interface are not supported.
And thats from 12.1! So its not a limitation that will disappear soon if ever.

If your insistent and put the filters on the physical interface instead of the reth like this ..

fe-0/0/2 {
        fastether-options {
            redundant-parent reth0;
        unit 0 {
            family inet {
                filter {
                    input INGRESS-TCPDUMP;
                    output EGRESS-TCPDUMP;

Well your out of luck there as that will again only show the one direction. Not recommended!

So Is there another way to see whats going on at a very raw level on the firewall?
Yup..Hello traceoptions.