Overview

There might be occasions where we want to capture traffic with Wireshark on a device. however, it’s common to find that we can’t install Wireshark there. Perhaps it’s a printer, or a guest device.

Fortunately, not all is lost. In a  case like this we can configure Port Mirroring, also known as SPAN.

Take the topology below. We want to capture traffic between the laptop on the left, and the workstation on the right. We can configure port mirroring on our switch to mirror all this traffic to interface ge-0/0/23. This is where our Monitoring Station is connected.

 

 

Unlike the hubs of the old days, switches don’t usually forward traffic to all ports. Instead, they forward traffic to the port where the destination host resides.

This means that we need to manually configure the switch to forward or mirror our ‘interesting’ traffic to a specific port.

 

Configuration

Constraints

We’re going to look at the configuration for second-generation EX switches, such as the EX2300, EX3400, and EX4300.

Please be aware that the first-gen switches (such as EX2200, EX3400, and others) use different commands. See the link at the end of the article for more info.

Port mirroring supports traffic on physical switch ports, VLANs, or a sample of packets (defined using a firewall filter).

We can mirror traffic to a physical interface, VLAN, or routing-instance.

Firewall filters can be configured to filter the traffic that we’re interested in, limiting the amount of traffic being mirrored.

 

Set Commands

All port forwarding config happens under the following hierarchy. If you’re using layer-3 (routed) ports, then you will also need to use the inet or inet6 address family.

edit forwarding-options

 

Each port mirroring session is called an analyzer. This is a collection of sources (ports, VLANs, etc), and the destination (the port or VLAN to mirror to).

Each analyzer needs to have a name:

edit analyzer MyCapture

 

We can then set which ports we want to mirror. Input refers to the traffic that we want to monitor. Ingress and egress refers to traffic entering and leaving the port.

For our example, we want to capture traffic between the laptop and workstation. So, we will capture traffic entering port ge-0/0/0, as well as traffic leaving port ge-0/0/0.

set input ingress interface ge-0/0/0
set input egress interface ge-0/0/0

 

Finally, we can use output to select the interface that we’re mirroring to. This will be to the monitoring station on port 23.

set output interface ge-0/0/23

 

Of course, don’t forget to commit your config.

We’ve been talking about local mirroring here, which is where we mirror traffic to a port on the local switch.

It’s worth mentioning that we can configure port mirroring to a remote location. For example, if our monitoring station is on a different switch than the one we need to capture on. This is also called RSPAN.

 

 

Full Configuration

forwarding-options {
  analyzer {
    MyCapture {
      input {
        ingress {
          interface ge-0/0/0.0;
        }
        egress {
          interface ge-0/0/0.0;
        }
      }
      output {
        interface ge-0/0/23.0;
      }
    }
  }
}

 

 

Further Reading

Juniper (Gen 2) – Understanding Port Mirroring and Analyzers on EX2300, EX3400, and EX4300 Switches

Juniper (Gen 1) – Understanding Port Mirroring on EX2200, EX3200, EX3300, EX4200, EX4500, EX4550, EX6200, and EX8200 Series Switches

Juniper – Configuring Mirroring on EX4300 Switches to Analyze Traffic (CLI Procedure)