Using Firewall Filters and Counters as a tcpdump Alternative in Junos

Junos is truly a great Network Operating System, the best in my opinion. When it comes to sniffing traffic directly from an interface, though, it falls short. I imagine this is because the control and forwarding planes are completely separate. A few weeks ago we had an issue where traffic was entering the firewall and being processed by the Services Processing Cards (SPCs), to the point that we saw a log entry that the session was set up, but we did not see it egress the firewall. We wanted a way to quickly ascertain whether the packet was leaving the device. This is where firewall filters and counters come in handy. Because they are applied directly to an interface, they are processed first as the packet comes in and last as the packet leaves the device.

First we are going to create a filter unique to the traffic we want to monitor; this is much like the options we would pass to tcpdump to filter traffic. We create a firewall filter called PACKET-EGRESS with two terms. The first term sets the criteria we want to match and counts the matching packets, and the second term permits all other traffic. I cannot stress enough the importance of the second term: if you forget it you will drop all other traffic, because firewall filters implicitly deny anything that matches no term!


set firewall filter PACKET-EGRESS term 1 from source-address 192.168.1.73/32
set firewall filter PACKET-EGRESS term 1 from destination-address 8.8.8.8/32
set firewall filter PACKET-EGRESS term 1 from destination-port 80
set firewall filter PACKET-EGRESS term 1 then count PACKET-EGRESS-COUNT
set firewall filter PACKET-EGRESS term 2 then accept

Now that our criteria are set, the next step is to apply the firewall filter to an interface. We could apply it to the ingress interface if we wanted to ensure traffic is reaching the device, or to the egress interface if we want to ensure traffic is leaving the device. In this example we will apply it to the egress interface.


set interfaces reth15 unit 40 family inet filter output PACKET-EGRESS

Applying the firewall filter to an interface as an input filter counts traffic that has reached that interface, whereas applying it as an output filter counts traffic that has transited the device and is leaving through that interface.
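Once the filter is committed, the question from the outage above ("did the packet leave the box?") comes down to whether PACKET-EGRESS-COUNT advances while the test traffic is sent. The following is an added helper, not from the original post, that parses two snapshots of `show firewall filter PACKET-EGRESS` output (taken before and after generating the traffic) and reports the counter delta; the output text below is a constructed sample in the format that command prints, and the snapshots would normally come from the CLI or NETCONF rather than being embedded.

```python
import re
from typing import Dict, Tuple

# Constructed samples of `show firewall filter PACKET-EGRESS` output,
# captured before and after sending the test traffic (not real device output).
BEFORE = """\
Filter: PACKET-EGRESS
Counters:
Name                                                Bytes              Packets
PACKET-EGRESS-COUNT                                 12000                  120
"""

AFTER = """\
Filter: PACKET-EGRESS
Counters:
Name                                                Bytes              Packets
PACKET-EGRESS-COUNT                                 12500                  125
"""

# A counter row is: <name> <bytes> <packets>; the column header line does not
# match because "Bytes"/"Packets" are not digits.
COUNTER_RE = re.compile(r"^(?P<name>\S+)\s+(?P<bytes>\d+)\s+(?P<packets>\d+)\s*$")


def parse_counters(output: str) -> Dict[str, Tuple[int, int]]:
    """Map every counter name under 'Counters:' to a (bytes, packets) tuple."""
    counters: Dict[str, Tuple[int, int]] = {}
    in_counters = False
    for line in output.splitlines():
        if line.startswith("Counters:"):
            in_counters = True
            continue
        if in_counters:
            m = COUNTER_RE.match(line)
            if m:
                counters[m.group("name")] = (int(m.group("bytes")), int(m.group("packets")))
    return counters


def egress_delta(before: str, after: str, counter: str) -> Tuple[int, int]:
    """Return how many (bytes, packets) `counter` advanced between two snapshots.

    A missing counter usually means the filter was not committed or was not
    applied to the interface, so that is reported loudly rather than as zero.
    """
    b, a = parse_counters(before), parse_counters(after)
    if counter not in b or counter not in a:
        raise KeyError(f"counter {counter!r} not present in both snapshots")
    return (a[counter][0] - b[counter][0], a[counter][1] - b[counter][1])


def traffic_egressed(before: str, after: str, counter: str) -> bool:
    """True when at least one matching packet was counted leaving the interface."""
    return egress_delta(before, after, counter)[1] > 0
```

Instead of diffing two snapshots you can also run `clear firewall filter PACKET-EGRESS` before the test and read the counter once afterwards.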